CVE-2026-26194

Severity: High (CVSS 4.0 base score 8.8)
EPSS: 34.7%
Published Mar 5, 2026 (3mo ago) · Modified Jun 17, 2026 (1w ago)

Description

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, Gogs has a security issue in release deletion: a user-controlled tag name is passed to git without the right separator, so git options can be injected through the tag name and interfere with the process, and deleting the release can fail. This issue has been patched in version 0.14.2.

CVSS Details

Base Score: 8.8
Vector string: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: X

Threat Intelligence

EPSS Exploit Probability: 34.7% percentile
Exploit & Patch Status: Public Exploit Known, Patch Available

Weaknesses 1

CWE-88

Affected Products 1

Vendor  Product  Version  Range
gogs    gogs     *        <0.14.2

References 4

  • github.com https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d
    Patch
  • github.com https://github.com/gogs/gogs/pull/8175
    Issue Tracking
  • github.com https://github.com/gogs/gogs/releases/tag/v0.14.2
    Release Notes
  • github.com https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm
    Exploit, Mitigation, Vendor Advisory

Remediation

  • github.com https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d
    Patch