Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to git without the right separator; this lets git options be injected and interfere with the process. This issue has been patched in version 0.14.2.
Published: 2026-03-05
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection via Release Tag Option Injection
Action: Immediate Patch
AI Analysis

Impact

Deleting a release in Gogs prior to version 0.14.2 can fail when a user-controlled tag name is passed to git without the correct separator. This flaw allows git options to be injected, which can alter the Git command execution flow. The result may enable an attacker to introduce unintended git options, potentially leading to execution of arbitrary commands within the host environment or disruption of the repository management workflow. The weakness is classified as CWE-88 (argument injection), meaning argument delimiters are not properly neutralized when the command line is built.
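The argument-handling pattern described above, as an added example that is not Gogs' own code. It assumes the deletion runs `git tag -d <name>` and that the missing separator is git's `--` end-of-options marker; all function names are hypothetical, and the tag value is constructed and harmless.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// unsafeDeleteTagArgs shows the flawed pattern: the tag name directly follows
// the options, so git's parser is free to read it as another option.
func unsafeDeleteTagArgs(tag string) []string {
	return []string{"tag", "-d", tag}
}

// safeDeleteTagArgs rejects option-like names and inserts "--" so that
// everything after it is parsed as a positional argument (defence in depth).
func safeDeleteTagArgs(tag string) ([]string, error) {
	if tag == "" || strings.HasPrefix(tag, "-") || strings.ContainsAny(tag, "\x00\n") {
		return nil, errors.New("invalid tag name")
	}
	return []string{"tag", "-d", "--", tag}, nil
}

// optionLike returns the argv elements a getopt-style parser would treat as
// options: anything starting with "-" that appears before the first "--".
func optionLike(args []string) []string {
	var opts []string
	for _, a := range args[1:] { // args[0] is the git subcommand
		if a == "--" {
			break
		}
		if strings.HasPrefix(a, "-") && a != "-" {
			opts = append(opts, a)
		}
	}
	return opts
}

func main() {
	tag := "--constructed-option" // constructed sample input
	fmt.Println("unsafe, parsed as options:", optionLike(unsafeDeleteTagArgs(tag)))
	_, err := safeDeleteTagArgs(tag)
	fmt.Println("safe builder on same input:", err)
	args, _ := safeDeleteTagArgs("v1.0.0")
	fmt.Println("safe argv:", args, "options:", optionLike(args))
}
```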

Affected Systems

The affected product is Gogs, the open‑source self‑hosted Git server. All installations of Gogs running any version earlier than 0.14.2 are vulnerable.

Risk and Exploitability

The CVSS score is 8.8, reflecting a high severity that could allow modification of repository data or execution of arbitrary code. The EPSS score is less than 1%, suggesting that, as of this analysis, the likelihood of exploitation is low. The vulnerability is not listed in the CISA KEV catalog, so no known widespread active exploitation has been reported. The most likely attack vector is a malicious user who can initiate a release deletion operation, potentially with elevated privileges, to inject invalid git options.

Generated by OpenCVE AI on April 17, 2026 at 12:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gogs to version 0.14.2 or later to apply the vendor patch that fixes the tag handling bug.
  • Restrict the ability to delete releases to trusted users only, ensuring that command‑line injection is not possible through ordinary user actions.
  • Configure audit logging or real‑time alerts for unexpected git command execution patterns to detect any accidental or malicious misuse of the release deletion flow.


Advisories
Source: Github GHSA
ID: GHSA-v9vm-r24h-6rqm
Title: Gogs: Release tag option injection in release deletion
History

Fri, 06 Mar 2026 18:15:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Fri, 06 Mar 2026 14:00:00 +0000

Type | Values Removed | Values Added
First Time appeared | | Gogs; Gogs gogs
CPEs | | cpe:2.3:a:gogs:gogs:*:*:*:*:*:*:*:*
Vendors & Products | | Gogs; Gogs gogs
Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H'}


Thu, 05 Mar 2026 19:00:00 +0000

Type | Values Removed | Values Added
Description | | Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.
Title | | Gogs: Release tag option injection in release deletion
Weaknesses | | CWE-88
References | |
Metrics | | cvssV4_0: {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-06T18:09:38.115Z

Reserved: 2026-02-11T19:56:24.813Z

Link: CVE-2026-26194

Vulnrichment

Updated: 2026-03-06T18:09:33.747Z

NVD

Status: Analyzed

Published: 2026-03-05T19:16:03.720

Modified: 2026-03-06T13:55:02.197

Link: CVE-2026-26194

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T12:45:16Z

Weaknesses