PT-2026-23485 · Gogs · Gogs

Rezmoss · Published 2026-02-13 · Updated 2026-05-29 · CVE-2026-26194

CVSS v4.0: 8.8 High

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N

Name of the Vulnerable Software and Affected Versions

Gogs versions prior to 0.14.2

Description

A security issue exists in Gogs, an open source self-hosted Git service, where deleting a release can fail if a user-controlled tag name is passed to Git without the proper separator. This allows for Git option injection, which can interfere with the process, lead to operational denial of service in release cleanup workflows, and cause release metadata inconsistency. The issue occurs because the rel.TagName variable is used as a CLI argument in the git tag -d command within the process.ExecDir() function without using -- or --end-of-options. If a tag name begins with a dash, Git parses it as a flag. This can be exploited if an attacker adds a tag name starting with a dash to the repository and a user with appropriate permissions triggers the deletion via the web UI or API.

Recommendations

Update to version 0.14.2. As a temporary mitigation, avoid deleting releases that have tag names starting with a dash until the update is applied.
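
The argument handling described above, as an added Go example (not code from Gogs or from this advisory): it contrasts an argument list without the separator against one with "--", and lists the tag names the temporary mitigation applies to. All function names and sample tag names are hypothetical, and the option check is a simplified model of conventional option parsing rather than Git's own parser.

```go
package main

import (
	"fmt"
	"strings"
)

// unsafeDeleteArgs mirrors the pattern the advisory describes: the tag name
// directly follows "tag -d", so a leading dash makes it look like a flag.
func unsafeDeleteArgs(tagName string) []string {
	return []string{"tag", "-d", tagName}
}

// safeDeleteArgs places "--" before the user-controlled value, so the value
// is an operand whatever its first character is.
func safeDeleteArgs(tagName string) []string {
	return []string{"tag", "-d", "--", tagName}
}

// lastArgParsedAsOption models the conventional rule (an assumption, not
// Git's parser): a dash-prefixed argument is an option unless "--" or
// "--end-of-options" appears earlier in the list.
func lastArgParsedAsOption(args []string) bool {
	if len(args) == 0 {
		return false
	}
	last := len(args) - 1
	for _, a := range args[:last] {
		if a == "--" || a == "--end-of-options" {
			return false
		}
	}
	return len(args[last]) > 1 && strings.HasPrefix(args[last], "-")
}

// riskyTags returns the tag names that start with a dash, i.e. the releases
// the temporary mitigation says not to delete before updating.
func riskyTags(tags []string) (out []string) {
	for _, t := range tags {
		if strings.HasPrefix(t, "-") {
			out = append(out, t)
		}
	}
	return out
}

func main() {
	tags := []string{"v1.0.0", "-rc1", "--draft"} // constructed sample names
	for _, t := range riskyTags(tags) {
		fmt.Printf("%q: without separator=%v, with separator=%v\n", t,
			lastArgParsedAsOption(unsafeDeleteArgs(t)), lastArgParsedAsOption(safeDeleteArgs(t)))
	}
}
```
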

Exploit

Fix

Argument Injection

Weakness Enumeration

Related Identifiers

BDU:2026-06151
CVE-2026-26194
GHSA-V9VM-R24H-6RQM
GO-2026-4617
SUSE-SU-2026:1042-1

Affected Products

Gogs