From bb68c0a0423a9a9990edd51fd5a194fc65f604d3 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E1=B4=8A=E1=B4=8F=E1=B4=87=20=E1=B4=84=CA=9C=E1=B4=87?= =?UTF-8?q?=C9=B4?=
Date: Sat, 31 Jan 2026 12:28:30 -0500
Subject: [PATCH] security: fix cross-repository label modification vulnerability (#8123)

https://github.com/gogs/gogs/security/advisories/GHSA-cv22-72px-f4gh
Co-authored-by: Claude Opus 4.5
---
 internal/route/repo/issue.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/internal/route/repo/issue.go b/internal/route/repo/issue.go
index 1c4ba7b5d..b3949e06d 100644
--- a/internal/route/repo/issue.go
+++ b/internal/route/repo/issue.go
@@ -1056,9 +1056,9 @@ func NewLabel(c *context.Context, f form.CreateLabel) {
 }
 func UpdateLabel(c *context.Context, f form.CreateLabel) {
- l, err := database.GetLabelByID(f.ID)
+ l, err := database.GetLabelOfRepoByID(c.Repo.Repository.ID, f.ID)
 if err != nil {
- c.NotFoundOrError(err, "get label by ID")
+ c.NotFoundOrError(err, "get label of repository by ID")
 return
 }
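Review bot: The repository-scoped lookup in `UpdateLabel` lands without a regression test (the diffstat lists only `internal/route/repo/issue.go`, 2 insertions and 2 deletions), so nothing stops a later refactor from returning to the unscoped `database.GetLabelByID(f.ID)`. A test that submits a label ID belonging to a different repository and expects the not-found path would pin this authorization check. I would also add a why-comment above the call, such as `// Scope the lookup to c.Repo.Repository.ID: f.ID comes from the form and must not resolve to another repository's label.` Other handlers that resolve a label from a form or URL ID are not visible in this patch and may deserve the same audit. The body of `UpdateLabel` continues past the end of the hunk.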