Linux Git Server - Ampersand (&) in tag is not properly handled when closing a branch

I attempted to close a feature branch. I added the tag that included an ampersand (CNT-421&CNTUI-123). The tag that was applied to the branch was CNT-421 as the ampersand was not escaped when running the command in Git. The ampersand was treated the same as an ampersand in Bash, which allows the command to run in the background. There is a possible security hole here as well as it may be possible to inject bash scripting after the ampersand since the shell being used to run the command may return to a usable shell after the ampersand is processed. The ampersand (and probably other characters) needs to be properly escaped when included in the tag of a branch closure.