Critical Zero-Day Vulnerabilities in Gitea and libssh2
A disclosure by the researcher known as 'bikini' has introduced a wave of critical zero-day vulnerabilities in the DevOps supply chain, primarily affecting Gitea and the libssh2 library. The disclosure covers a cluster of nine CVEs in Gitea/Forgejo, together with flaws tracked as CVE-2026-27771 and CVE-2026-41896. The vulnerabilities enable Remote Code Execution (RCE), unauthorized access through container registries, and broader infrastructure compromise. The risk is compounded by the public release of working proof-of-concept (PoC) exploits covering more than 15 software products, which lowers the bar for mass exploitation. Immediate remediation means upgrading Gitea/Forgejo instances to version 1.26.3 and patching the affected libssh2 code wherever it is embedded, so that the flaws cannot be chained into a large-scale supply chain compromise.
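The first thing a practitioner wants after reading this is an inventory check: which instances are still below 1.26.3? The following is an added example, not code from the advisory, the researcher, or the Gitea project. It assumes the Gitea REST endpoint `GET /api/v1/version`, which returns a JSON body of the form `{"version": "1.26.2"}`, and it treats 1.26.3 (the version named above) as the fixed release. The sample responses are constructed so the script runs offline; `fetch_version` is the only part that touches the network. Forgejo uses its own version numbering scheme, so the numeric comparison is only meaningful for Gitea-style version strings, and pre-release suffixes such as `-rc1` are not distinguished from the final release.

```python
"""Classify Gitea instances by whether they report a version at or above 1.26.3.

Added example, not part of the advisory or the Gitea project. Assumes the
Gitea endpoint GET /api/v1/version returning {"version": "<string>"}.
"""
import json
import re
import urllib.request
from typing import Optional, Tuple

# Fixed release named in the advisory summary above.
FIXED_VERSION: Tuple[int, int, int] = (1, 26, 3)


def parse_version(version: str) -> Tuple[int, int, int]:
    """Extract the leading major.minor.patch triple from a Gitea version string.

    Accepts forms such as "1.26.3", "v1.26.3", "1.26.3+dev-12-gabcdef" and
    "1.27.0-rc1"; anything after the numeric triple is ignored, so a
    pre-release of the fixed version is counted as patched.
    """
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def is_patched(version: str, fixed: Tuple[int, int, int] = FIXED_VERSION) -> bool:
    """True when the reported version is at or above the fixed release."""
    return parse_version(version) >= fixed


def assess(version_json: str) -> dict:
    """Parse a /api/v1/version response body and classify the instance."""
    version = json.loads(version_json)["version"]
    return {"version": version, "patched": is_patched(version)}


def fetch_version(base_url: str, token: Optional[str] = None, timeout: float = 10) -> str:
    """GET <base_url>/api/v1/version and return the reported version string.

    The endpoint is normally unauthenticated; a token is accepted for
    instances that restrict the API. This performs a network request and is
    not used by the offline sample below.
    """
    req = urllib.request.Request(base_url.rstrip("/") + "/api/v1/version")
    if token:
        req.add_header("Authorization", "token " + token)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)["version"]


if __name__ == "__main__":
    # Constructed sample responses standing in for real /api/v1/version replies.
    samples = [
        '{"version": "1.26.2"}',
        '{"version": "v1.26.3"}',
        '{"version": "1.27.0+dev-5-gdeadbee"}',
    ]
    for body in samples:
        print(assess(body))
    # To check a live instance instead (assumed hostname):
    # print(assess(json.dumps({"version": fetch_version("https://git.example.com")})))
```

Run it against each instance's base URL from your asset inventory; anything reported as `"patched": False` is still exposed to the Gitea cluster described above. A version string that fails to parse should be treated as unknown and investigated by hand rather than skipped.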