CVE-2026-26194: Command Option Injection in Gogs Release Deletion

via Dev.to / CVE Reports

Vulnerability ID: CVE-2026-26194
CVSS Score: 8.8
Published: 2026-03-05

A high-severity command option injection vulnerability exists in the Gogs self-hosted Git service prior to version 0.14.2. The flaw resides in the DeleteReleaseOfRepoByID function, where user-supplied Git tag names are passed directly to a system shell command without adequate sanitization or argument separation. This allows an attacker to inject arbitrary flags into the underlying git binary execution, potentially leading to Denial of Service (DoS) or unauthorized information disclosure.

TL;DR

Gogs failed to properly sanitize Git tag names during release deletion, allowing attackers to inject command-line flags into the git tag -d execution. This can cause service crashes or information leaks. Fixed in version 0.14.2.

Technical Details

CWE ID: CWE-88
Vulnerability Type: Command Option Injection
CVSS v4.0: 8.8 (High)
Attack Vector: Network
Exploit
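The missing argument separation described above can be shown on the argument vector alone. The following Go sketch is an example added here, not code from Gogs and not the 0.14.2 patch; the function names and the sample tag name are hypothetical, and the builders only construct the git arguments without executing anything.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// unsafeDeleteArgs reproduces the flawed pattern described above: the tag name
// is appended as a bare argument, so a name starting with '-' is read by git
// as an option rather than as the tag to delete.
func unsafeDeleteArgs(tag string) []string {
	return []string{"tag", "-d", tag}
}

// safeDeleteArgs rejects option-like or control-character names, then places
// "--" (end of options) before the name so git treats it as an operand.
func safeDeleteArgs(tag string) ([]string, error) {
	if tag == "" || strings.HasPrefix(tag, "-") || strings.ContainsAny(tag, "\x00\r\n") {
		return nil, errors.New("invalid tag name")
	}
	return []string{"tag", "-d", "--", tag}, nil
}

// injectedOptions lists arguments after the fixed "tag -d" prefix that git
// would parse as options; scanning stops at "--" as option parsing does.
func injectedOptions(args []string) []string {
	var found []string
	for _, a := range args[2:] {
		if a == "--" {
			break
		}
		if strings.HasPrefix(a, "-") {
			found = append(found, a)
		}
	}
	return found
}

func main() {
	// Constructed input: a placeholder string, not a real git option.
	hostile := "--constructed-option"
	fmt.Println("unsafe argv:", unsafeDeleteArgs(hostile), "injected:", injectedOptions(unsafeDeleteArgs(hostile)))
	_, err := safeDeleteArgs(hostile)
	fmt.Println("safe builder on same input:", err)
	args, _ := safeDeleteArgs("v1.0.0")
	fmt.Println("safe argv:", args, "injected:", injectedOptions(args))
}
```

The validation and the "--" separator are independent layers: either one alone keeps the tag name out of option parsing, and using both means a gap in the name check does not reopen the flaw.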
