CVE-2026-26194: Gogs: Release tag option injection in release deletion

March 5, 2026

There is a security issue in Gogs where deleting a release can fail if a user-controlled tag name is passed to Git without the right separator, allowing Git option injection and therefore interfering with the process.

References

github.com/advisories/GHSA-v9vm-r24h-6rqm
github.com/gogs/gogs
github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d
github.com/gogs/gogs/pull/8175
github.com/gogs/gogs/releases/tag/v0.14.2
github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm
nvd.nist.gov/vuln/detail/CVE-2026-26194

Code Behaviors & Features

Detect and mitigate CVE-2026-26194 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →