Key vulnerability information

Permission & Protection Checks
- CVE-2026-20736: Release attachments must belong to the intended repo (#36347) (#36375)
- CVE-2026-20750: Fix permission check on org project operations (#36318) (#36373)
- CVE-2026-20883: Add more check for stopwatch read or list (#36340) (#36368)
- CVE-2026-20904: Fix openid setting check (#36346) (#36361)
- CVE-2026-20888: Fix cancel auto merge bug (#36341) (#36356)
- CVE-2026-20912: Fix delete attachment check (#36320) (#36355)
- CVE-2026-20897: LFS locks must belong to the intended repo (#36344) (#36349)

Information Leakage Prevention
- CVE-2026-0798: Clean watches when making a repository private and check permission when sending release emails (#36319) (#36370)
- CVE-2026-20800: Fix bug on notification read (#36339) (#36387)

Dependency Update
- Upgrade to Go version 1.25.6, which includes security fixes for security issues in command and , , and packages.

Credits
- Thanks for for reporting these security vulnerabilities.