CVE-2026-45570 | THREATINT

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

PUBLISHED Reserved 2026-05-12 | Published 2026-05-27 | Updated 2026-05-28 | Assigner GitHub_M

LOW: 2.3CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

Problem types

CWE-116: Improper Encoding or Escaping of Output

Product status

< 5.19.1

affected

>= 6.0.0-alpha.1, < 6.0.0-alpha.4

affected

References

github.com/...go-git/security/advisories/GHSA-m7cr-m3pv-hgrp

cve.org (CVE-2026-45570)

nvd.nist.gov (CVE-2026-45570)

Download JSON