An issue exsits in Gitea through 1.15.7, which could let a malicious user gain privileges due to client side cookies not being deleted and the session remains valid on the server side for reuse.
{ "severity": "Critical", "cpes": [ "cpe:2.3:a:gitea:gitea:*:*:*:*:*:*:*:*" ] }