CVE-2026-26194

HIGH

Gogs <0.14.2 - Command Injection

Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, Gogs passes a user-controlled tag name to git without the right separator when deleting a release. This allows git options to be injected through the tag name and interfere with the process, and the deletion can fail. This issue has been patched in version 0.14.2.

Scores

CVSS v3: 7.3
EPSS: 0.0004
EPSS Percentile: 13.3%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: none
Automatable: yes
Technical Impact: partial

Details

CWE: CWE-88
Status: published
Products (1): gogs/gogs < 0.14.2
Published: Mar 05, 2026
Tracked Since: Mar 06, 2026