## Git update fixing CVE-2025-48385

Git vulnerabilities were [disclosed 8 July 2025](https://groups.google.com/g/git-packagers/c/cYJ6peBtyxk/m/xVukiATcBQAJ) and require an update of the Git version used by Forgejo to Git [v2.43.7, v2.44.4, v2.45.4, v2.46.4, v2.47.3, v2.48.2, v2.49.1, or v2.50.1](https://nvd.nist.gov/vuln/detail/CVE-2025-48385). The [containers of this release](https://codeberg.org/forgejo/-/packages/container/forgejo/11.0.3) include a Git binary that is not vulnerable. If Forgejo was installed using a container, it is enough to upgrade  the container to get the latest Git binary.

Security bug fixes are only for Git, there are no security fixes for Forgejo itself in this release.

## Wiki permissions manual steps

If collaborators with write access can't edit the wiki, an administrator can now go to the Units settings (`<user>/<repo>/settings/units#wiki`) and Save the wiki settings (no change is needed) to fix the problem. This is a manual step that will trigger a database update that is currently not possible to automate for Forgejo stable releases.

<!--start release-notes-assistant-->

## Release notes
<!--URL:https://codeberg.org/forgejo/forgejo-->
- User Interface bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8246) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8283)): <!--number 8283 --><!--line 0 --><!--description Zml4KHVpKTogYWRkIG1pc3NpbmcgbGF6eSBsb2FkIGF0dHJpYnV0ZSB0byBpbWFnZXMgKCM4MjQ2KQ==-->fix(ui): add missing lazy load attribute to images (#8246)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8170) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8262)): <!--number 8262 --><!--line 0 --><!--description Zml4KHVpKTogZXJyb25lb3VzIGxpc3QgY29udGludWF0aW9uIG9uIENtZCtFbnRlciBvbiBtYWNPUw==-->fix(ui): erroneous list continuation on Cmd+Enter on macOS<!--description-->
- Localization
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8300): <!--number 8300 --><!--line 0 --><!--description aTE4bjogYmFja3BvcnQgb2YgdHJhbnNsYXRpb24gdXBkYXRlcw==-->i18n: backport of translation updates<!--description-->
- Bug fixes
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8189) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8456)): <!--number 8456 --><!--line 0 --><!--description Zml4OiBkbyBub3QgaWdub3JlIGF1dG9tZXJnZSB3aGlsZSBhIFBSIGlzIGNoZWNraW5nIGZvciBjb25mbGljdHM=-->fix: do not ignore automerge while a PR is checking for conflicts<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8367) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8385)): <!--number 8385 --><!--line 0 --><!--description Zml4OiB1c2VyIGFjdGl2YXRpb24gd2l0aCB1cHBlcmNhc2UgZW1haWwgYWRkcmVzcw==-->fix: user activation with uppercase email address<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8234) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8237)): <!--number 8237 --><!--line 0 --><!--description Zml4OiBjb2xsYWJvcmF0b3IgY2FuIGVkaXQgd2lraSB3aXRoIHdyaXRlIGFjY2Vzcw==-->fix: collaborator can edit wiki with write access<!--description-->
- Included for completeness but not worth a release note
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8460) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8465)): <!--number 8465 --><!--line 0 --><!--description Y2hvcmU6IGRpc2FibGUgbWlzbWF0Y2hlZCByb290IFVSTCBlMmUgdGVzdCBmb3Igc2FmYXJp-->chore: disable mismatched root URL e2e test for safari<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8461) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8462)): <!--number 8462 --><!--line 0 --><!--description Y2hvcmU6IGRvIG5vdCBuYXZpZ2F0ZSB0byBzYW1lIFVSTCBpbiBFMkUgdGVzdA==-->chore: do not navigate to same URL in E2E test<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8258) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8445)): <!--number 8445 --><!--line 0 --><!--description Zml4OiBjb3JydXB0ZWQgd2lraSB1bml0IGRlZmF1bHQgcGVybWlzc2lvbiAoIzgyMzQgZm9sbG93LXVwKSAoIzgyNTgp-->fix: corrupted wiki unit default permission (#8234 follow-up) (#8258)<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8261) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8412)): <!--number 8412 --><!--line 0 --><!--description Zml4OiBza2lwIGVtcHR5IHRva2VucyBpbiBTZWFyY2hPcHRpb25zLlRva2Vucygp-->fix: skip empty tokens in SearchOptions.Tokens()<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8400) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8401)): <!--number 8401 --><!--line 0 --><!--description Y2hvcmU6IGltcHJvdmUgcmVsaWFiaWxpdHkgb2Ygd2ViYXV0aG4gZTJlIHRlc3Q=-->chore: improve reliability of webauthn e2e test<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8326) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8333)): <!--number 8333 --><!--line 0 --><!--description Zml4OiBtYWtlIEFQSSAvcmVwb3Mve293bmVyfS97cmVwb30vY29tcGFyZS97YmFzZWhlYWR9IHdvcmsgd2l0aCBmb3Jrcw==-->fix: make API /repos/{owner}/{repo}/compare/{basehead} work with forks<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8226) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8292)): <!--number 8292 --><!--line 0 --><!--description Y2hvcmU6IHNvcnQgbWFpbGVyIG1lc3NhZ2VzIGluIHRlc3QgYXNzZXJ0aW9u-->chore: sort mailer messages in test assertion<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8002) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8289)): <!--number 8289 --><!--line 0 --><!--description Zml4KHVpKTogcmVsZWFzZTogbmFtZSBpcyBvdmVycmlkZGVuIHdpdGggdGFnIG5hbWUgb24gZWRpdA==-->fix(ui): release: name is overridden with tag name on edit<!--description-->
  - [PR](https://codeberg.org/forgejo/forgejo/pulls/8286) ([backported](https://codeberg.org/forgejo/forgejo/pulls/8287)): <!--number 8287 --><!--line 0 --><!--description UmV2ZXJ0ICJmaXgoYXBpKTogZG9jdW1lbnQgYGlzX3N5c3RlbV93ZWJob29rYCBmaWVsZCAoIzc3ODQpIg==-->Revert "fix(api): document `is_system_webhook` field (#7784)"<!--description-->
<!--end release-notes-assistant-->