Security Flaw in Gogs Git Service Affects Open Source Users
CVE-2026-26194

8.8HIGH

Key Information:

Vendor

Gogs

Status
Gogs
Vendor
CVE Published:
5 March 2026

What is CVE-2026-26194?

Gogs is an open-source self-hosted Git service that has a vulnerability allowing for potential injection when deleting a release. Specifically, the vulnerability arises when a user-controlled tag name is improperly formatted and passed to git, leading to a failure in the deletion process. This issue permits the injection of git options, potentially disrupting the execution of the operation. The vulnerability has been resolved in version 0.14.2, ensuring users can safely manage their releases without risk of exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

Affected Version(s)

gogs < 0.14.2

References

https://github.com/gogs/gogs/security/advisories/GHSA-v9v...
x_refsource_CONFIRM
https://github.com/gogs/gogs/pull/8175
x_refsource_MISC
https://github.com/gogs/gogs/commit/a000f0c7a632ada40e682...
x_refsource_MISC

CVSS V4

Score:
8.8
Severity:
HIGH
Confidentiality:
Low
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
None
Privileges Required:
Undefined
User Interaction:
None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

JSON
.