216.73.217.64

CVE-2026-45570

· Published 27/05/2026 15:16 · Modified 27/05/2026 15:16

Labels: CVE-2026-45570 2026-05-27CVE-2026-45570CWE-116[email protected]

Essential information

Published
27/05/2026 15:16
Modified
27/05/2026 15:16
Author
Creator
CVSS
2.3 LOW (v3) 2.3 LOW (v4.0)
CISA KEV
No
CWE
CVSS vector

CVSS metrics

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

NVD status

Status
Received — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
github / go-git cpe:2.3:a:github:go-git:<5.19.1:*:*:*:*:*:*:*
github / go-git cpe:2.3:a:github:go-git:6.0.0-alpha.4:*:*:*:*:*:*:*

References