CVE-2026-26194

High CVSS: 8.8

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, there's a security issue in gogs where deleting a release can fail if a user controlled tag name is passed to git without the right separator, this lets git options get injected and mess with the process. This issue has been patched in version 0.14.2.

Vendor

Gogs

Product

Gogs

CWE

CWE-88

Yayın Tarihi

2026-03-05 19:16:03

Güncelleme

2026-03-06 13:55:02

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-88 Gogs HIGH Gogs 2026

Referanslar

https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d https://github.com/gogs/gogs/pull/8175 https://github.com/gogs/gogs/releases/tag/v0.14.2 https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm

Benzer Kayıtlar

Medium

CVE-2026-26196

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, gogs api still accepts tokens in url params lik…

High

CVE-2026-26276

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, an attacker can store an HTML/JavaScript payloa…

Critical

CVE-2026-25921

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, overwritable LFS object across different repos…

High

CVE-2026-26022

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerabili…

Medium

CVE-2026-26195

Gogs is an open source self-hosted Git service. Prior to version 0.14.2, stored xss is still possible through unsafe tem…

Medium

CVE-2026-25120

Gogs is an open source self-hosted Git service. In versions 0.13.4 and below, the DeleteComment API does not verify that…