CVE-2026-26194 — Argument Injection in Gogs

CWE-88 — Argument Injection21 documents4 sources

Severity

8.8HIGHNVD

EPSS

0.0%

top 86.65%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Gogs.io Gogs Gogs

Timeline

PublishedMar 5

Latest updateMar 10

Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Affected Packages2 packages

▶NVDgogs/gogs< 0.14.2

▶Gogogs.io/gogs< 0.14.2

Patches

Patch: github.com ↗

🔴Vulnerability Details

OSV

Gogs: Release tag option injection in release deletion in gogs.io/gogs↗2026-03-10

▶

GHSA

Gogs: Release tag option injection in release deletion↗2026-03-05

▶

OSV

Gogs: Release tag option injection in release deletion↗2026-03-05

▶

🕵️Threat Intelligence

Wiz

CVE-2026-26196 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-24135 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-25921 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-22592 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

Wiz

CVE-2026-26022 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶