Gitea 1.26.2 allows unauthorized users to access labels of private organizations.
Gitea versions up to and including 1.26.1 do not apply public-only token filtering consistently to the user organization API, leaving an incomplete fix for CVE-2025-68941.
Gitea versions up to and including 1.26.1 do not enforce repository-unit authorization on issue-template API endpoints.
Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface. A user with read access to pull requests may be able to cancel auto-merges scheduled by other users.
Missing Authorization in GitHub repository gogs/gogs prior to 0.12.5.