Home / Vulnerability Intelligence / CVE-2026-26194

CVE-2026-26194 - Vulnerability Analysis

HighCVSS: 7.3

Last Updated: March 6, 2026

Gogs - Command Injection

Published: March 5, 2026Updated: March 6, 2026PoC AvailableRemote Exploitable

Overview

Gogs < 0.14.2 contains a command injection caused by improper handling of user-controlled tag names passed to git, letting attackers inject git options and interfere with the process, exploit requires crafted tag name input.

Severity & Score

Severity: High

CVSS Score: 7.3

Impact

Attackers can inject git options, potentially disrupting processes or executing arbitrary commands.

Mitigation

Update to version 0.14.2 or later.

References

https://github.com/gogs/gogs/commit/a000f0c7a632ada40e6829abdeea525db4c0fc2d
https://github.com/gogs/gogs/pull/8175
https://github.com/gogs/gogs/releases/tag/v0.14.2
https://github.com/gogs/gogs/security/advisories/GHSA-v9vm-r24h-6rqm

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-26194
Severity: High
CVSS Score: 7.3
Type: command_injection
Status: confirmed

CWE

CWE-88

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:H