diff --git a/actions/release-version/action.yml b/actions/release-version/action.yml
index 96ded8f..88d2dca 100644
--- a/actions/release-version/action.yml
+++ b/actions/release-version/action.yml
@@ -44,12 +44,25 @@ runs:
 return newVersion;
 }
+ // validate tag is a plain semver (not a monorepo service-prefixed tag like "sast/8.11.3")
+ if (!/^v?\d+\.\d+\.\d+$/.test(tagName)) {
+ console.log(`latest release tag "${tagName}" is not a plain semver tag, treating as no release`);
+ console.log(`next version: ${newVersion}`);
+ return newVersion;
+ }
+
 console.log('latestPublishedTime', latestRelease.data.published_at)
 const latestPublishedTime = new Date(latestRelease.data.published_at);
 // extract major, minor and patch numbers from the latest release tag
 const [major, minor, patch] = tagName.replace(/^v/, "").split(".").map((x) => parseInt(x));
+ if (isNaN(major) || isNaN(minor) || isNaN(patch)) {
+ console.log(`Failed to parse version from tag "${tagName}", treating as no release`);
+ console.log(`next version: ${newVersion}`);
+ return newVersion;
+ }
+
 console.log('latestTag', tagName)
 // get all pull requests merged since the latest tag was created
@@ -81,6 +94,10 @@ runs:
 ? `${major}.${minor}.${patch + 1}`
 : undefined;
+ if (newVersion && !/^\d+\.\d+\.\d+$/.test(newVersion)) {
+ throw new Error(`Computed invalid version "${newVersion}" - aborting to prevent corrupt release`);
+ }
+
 if (newVersion) {
 console.log(`next version: ${newVersion}`);
 } else {
diff --git a/actions/release-version/release-version.js b/actions/release-version/release-version.js
index e23a13c..88f2763 100644
--- a/actions/release-version/release-version.js
+++ b/actions/release-version/release-version.js
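Review bot: The new non-semver branch in the first action.yml hunk fails open: for a latest release tag such as `sast/8.11.3` it logs "treating as no release" and returns whatever `newVersion` already holds, which is assigned above the hunk and is presumably the first-release default. In a monorepo where another service's tag is the newest release, every run would then propose that same default even if plain-semver releases of this package exist further back, so a later publish step could collide with or fall behind an existing version. Consider resolving the newest release whose tag matches the pattern (for example by listing releases with `github.rest.repos.listReleases`, assuming `github` is the usual Octokit client), or failing closed as the second hunk does, e.g. `throw new Error(`latest release tag "${tagName}" is not a plain semver tag`);`. The identical branch is repeated in the first hunk of release-version.js.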
@@ -18,12 +18,25 @@ module.exports = async (github, context) => {
 return newVersion;
 }
+ // validate tag is a plain semver (not a monorepo service-prefixed tag like "sast/8.11.3")
+ if (!/^v?\d+\.\d+\.\d+$/.test(tagName)) {
+ console.log(`latest release tag "${tagName}" is not a plain semver tag, treating as no release`);
+ console.log(`next version: ${newVersion}`);
+ return newVersion;
+ }
+
 console.log('latestPublishedTime', latestRelease.data.published_at)
 const latestPublishedTime = new Date(latestRelease.data.published_at);
 // extract major, minor and patch numbers from the latest release tag
 const [major, minor, patch] = tagName.replace(/^v/, "").split(".").map((x) => parseInt(x));
+ if (isNaN(major) || isNaN(minor) || isNaN(patch)) {
+ console.log(`Failed to parse version from tag "${tagName}", treating as no release`);
+ console.log(`next version: ${newVersion}`);
+ return newVersion;
+ }
+
 console.log('latestTag', tagName)
 // get all pull requests merged since the latest tag was created
@@ -55,6 +68,10 @@ module.exports = async (github, context) => {
 ? `${major}.${minor}.${patch + 1}`
 : undefined;
+ if (newVersion && !/^\d+\.\d+\.\d+$/.test(newVersion)) {
+ throw new Error(`Computed invalid version "${newVersion}" - aborting to prevent corrupt release`);
+ }
+
 if (newVersion) {
 console.log(`next version: ${newVersion}`);
 } else {
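Review bot: The `isNaN(major) || isNaN(minor) || isNaN(patch)` branch in the first hunk cannot be reached, because the `/^v?\d+\.\d+\.\d+$/` test added a few lines earlier already guarantees three all-digit components. What the pattern does not bound is magnitude: a component beyond the safe-integer range parses to an imprecise number, so `patch + 1` may not produce a higher version and only the extreme case is caught by the later format guard. Making the check meaningful would look like `.map((x) => Number.parseInt(x, 10))` followed by `if (![major, minor, patch].every(Number.isSafeInteger)) {`, which also covers NaN. The enclosing function starts and ends outside the hunk, and the same lines appear in the first hunk of action.yml.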
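Review bot: The format guard in the second hunk is a byte-for-byte copy of the one added to action.yml's inline script, as are the two validation blocks in the first hunk, so any later tightening of the tag or version pattern has to be made in both places or one release path keeps the weaker check. Consider naming the patterns once at the top of this module, e.g. `const PLAIN_SEMVER_TAG = /^v?\d+\.\d+\.\d+$/;` and `const PLAIN_SEMVER = /^\d+\.\d+\.\d+$/;`, and having the action load this module instead of carrying its own copy, if the action's layout allows it (not visible from this diff). A short comment on the guard stating that it deliberately fails the step, unlike the earlier fallbacks that return the default, would also help the next reader.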