Gitea versions up to and including 1.26.2 have incomplete SSRF protection in webhook and migration allow-list filtering.