Gitea before 1.23.0 allows attackers to add attachments with forbidden file extensions by editing an attachment name via an attachment API.
The product does not sufficiently protect all possible paths that a user can take to access restricted functionality or resources.
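The pattern behind this weakness, as an added Go example that is not Gitea's code: an extension check enforced on upload but missing from a name-edit path, beside an edit path that applies the same check. The allowlist, `Store`, `checkName` and the method names are all hypothetical.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// Constructed allowlist standing in for the configured attachment types.
var allowedExt = map[string]bool{".png": true, ".txt": true}
var ErrForbiddenExt = errors.New("file extension not allowed")

// checkName is the one policy check; every path that sets a name must call it.
func checkName(name string) error {
	if !allowedExt[strings.ToLower(filepath.Ext(name))] {
		return ErrForbiddenExt
	}
	return nil
}

type Store map[int]string // attachment id -> stored name (hypothetical)

// Upload is the creation path, which validates the name.
func (s Store) Upload(name string) (int, error) {
	if err := checkName(name); err != nil {
		return 0, err
	}
	id := len(s) + 1
	s[id] = name
	return id, nil
}

// RenameUnchecked models the flaw: an edit path that skips checkName.
func (s Store) RenameUnchecked(id int, name string) { s[id] = name }

// Rename is the corrected edit path: same check as Upload, then the write.
func (s Store) Rename(id int, name string) error {
	if err := checkName(name); err != nil {
		return err
	}
	s[id] = name
	return nil
}

func main() {
	s := Store{}
	id, _ := s.Upload("notes.txt")
	fmt.Println(s.Rename(id, "page.html"), s[id])
}
```

Routing every name-setting handler through one shared check, and testing each handler against a forbidden extension, keeps a later-added edit path from skipping the restriction.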