Gitea 1.25.4 is released
We're excited to announce the release of Gitea 1.25.4! We strongly recommend all users upgrade to this version, as it includes important security fixes, numerous bug fixes, and overall stability improvements.
Permission & Protection Checks
- CVE-2026-20736: Release attachments must belong to the intended repo (#36347) (#36375)
- CVE-2026-20750: Fix permission check on org project operations (#36318) (#36373)
- CVE-2026-20883: Add more checks for stopwatch read or list (#36340) (#36368)
- CVE-2026-20904: Fix openid setting check (#36346) (#36361)
- CVE-2026-20888: Fix cancel auto merge bug (#36341) (#36356)
- CVE-2026-20912: Fix delete attachment check (#36320) (#36355)
- CVE-2026-20897: LFS locks must belong to the intended repo (#36344) (#36349)
Information Leakage Prevention
- CVE-2026-0798: Clean watches when making a repository private and check permission when sending release emails (#36319) (#36370)
- CVE-2026-20800: Fix bug on notification read (#36339) (#36387)
Dependency Update
Go is upgraded to 1.25.6, which includes security fixes for the go command and the archive/zip, crypto/tls, and net/url packages, as well as bug fixes.
Thanks to spingARbor for reporting these security vulnerabilities.
This release includes 27 merged pull requests, thanks to the amazing contributions from our community.
How to install or update
Download our pre-built binaries from the Gitea downloads page — make sure to select the version compatible with your platform. For a step-by-step guide on installation or upgrades, check out our installation documentation.
Special Thanks
We would also like to thank all of our supporters on Open Collective who are helping to sustain us financially.
Looking for a seamless, hassle-free solution to manage your Git repositories? Discover Gitea Cloud — A fully-managed, scalable platform designed to streamline your development workflow.
Changelog
- SECURITY
- Release attachments must belong to the intended repo (#36347) (#36375)
- Fix permission check on org project operations (#36318) (#36373)
- Clean watches when making a repository private and check permission when sending release emails (#36319) (#36370)
- Add more checks for stopwatch read or list (#36340) (#36368)
- Fix openid setting check (#36346) (#36361)
- Fix cancel auto merge bug (#36341) (#36356)
- Fix delete attachment check (#36320) (#36355)
- LFS locks must belong to the intended repo (#36344) (#36349)
- Fix bug on notification read (#36339) (#36387)
- ENHANCEMENTS
- BUGFIXES
- Fix markdown newline handling during IME composition (#36421) (#36424)
- Fix missing repository id when migrating release attachments (#36389)
- Fix bug when comparing in the pull request (#36363) (#36372)
- Fix incorrect text content detection (#36364) (#36369)
- Fill missing has_code in repository api (#36338) (#36359)
- Fix notifications pagination query parameters (#36351) (#36358)
- Fix some trivial problems (#36336) (#36337)
- Prevent panic when GitLab release has more links than sources (#36295) (#36305)
- Fix stats bug when syncing release (#36285) (#36294)
- Always honor user's choice for "delete branch after merge" (#36281) (#36286)
- Use the requested host for LFS links (#36242) (#36258)
- Fix panic when getting editor config file (#36241) (#36247)
- Fix regression in writing authorized principals (#36213) (#36218)
- Fix WebAuthn error checking (#36219) (#36235)
