Gitea before 1.5.4 allows remote code execution because it does not properly validate session IDs. This is related to session ID handling in the go-macaron/session code for Macaron.
{ "severity": "CRITICAL", "cwe_ids": [ "CWE-94" ], "github_reviewed_at": "2021-05-12T18:25:03Z", "nvd_published_at": null, "github_reviewed": true }