High severityNVD Advisory· Published Mar 5, 2026· Updated Mar 6, 2026
Gogs: Release tag option injection in release deletion
CVE-2026-26194
Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
gogs.io/gogsGo | < 0.14.2 | 0.14.2 |
Affected products
3- ghsa-coords2 versions
< 0.14.2+ 1 more
- (no CPE)range: < 0.14.2
- (no CPE)range: < 0.0.20260317T205859-150000.1.152.1
Patches
Vulnerability mechanics
References
6- github.com/advisories/GHSA-v9vm-r24h-6rqmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-26194ghsaADVISORY
- github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2dghsax_refsource_MISCWEB
- github.com/gogs/gogs/pull/8175ghsax_refsource_MISCWEB
- github.com/gogs/gogs/releases/tag/v0.14.2ghsax_refsource_MISCWEB
- github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqmghsax_refsource_CONFIRMWEB
News mentions
3- Gogs patches critical zero-day enabling remote code executionBleepingComputer · Jun 8, 2026
- New Gogs zero-day flaw lets hackers get remote code executionBleepingComputer · May 28, 2026
- CVE-2026-52806: Authenticated RCE via Argument Injection in Gogs (FIXED as of June 7, 2026)Rapid7 Blog · May 28, 2026