High severityNVD Advisory· Published Mar 5, 2026· Updated Mar 6, 2026
Gogs: Release tag option injection in release deletion
CVE-2026-26194
Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gogs.io/gogsGo | < 0.14.2 | 0.14.2 |
Affected products
1Patches
1a000f0c7a632database: use safe git-module API for tag deletion (#8175)
1 file changed · +7 −6
internal/database/release.go+7 −6 modified@@ -13,7 +13,6 @@ import ( "github.com/gogs/git-module" "gogs.io/gogs/internal/errutil" - "gogs.io/gogs/internal/process" apiv1types "gogs.io/gogs/internal/route/api/v1/types" ) @@ -359,11 +358,13 @@ func DeleteReleaseOfRepoByID(repoID, id int64) error { return errors.Newf("GetRepositoryByID: %v", err) } - _, stderr, err := process.ExecDir(-1, repo.RepoPath(), - fmt.Sprintf("DeleteReleaseByID (git tag -d): %d", rel.ID), - "git", "tag", "-d", rel.TagName) - if err != nil && !strings.Contains(stderr, "not found") { - return errors.Newf("git tag -d: %v - %s", err, stderr) + gitRepo, err := git.Open(repo.RepoPath()) + if err != nil { + return errors.Newf("open repository: %v", err) + } + err = gitRepo.DeleteTag(rel.TagName) + if err != nil && !strings.Contains(err.Error(), "not found") { + return errors.Newf("delete tag: %v", err) } if _, err = x.Id(rel.ID).Delete(new(Release)); err != nil {
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
6- github.com/advisories/GHSA-v9vm-r24h-6rqmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-26194ghsaADVISORY
- github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2dghsax_refsource_MISCWEB
- github.com/gogs/gogs/pull/8175ghsax_refsource_MISCWEB
- github.com/gogs/gogs/releases/tag/v0.14.2ghsax_refsource_MISCWEB
- github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqmghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.