CVE-2026-45570

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a...

critical 9.6 CVSS 3.1

Published: May 27, 2026

Modified: Jun 4, 2026

Product: Go-Git

Versions: 6.0.0

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

References

https://github.com/go-git/go-git/security/advisories/GHSA-m7cr-m3pv-hgrp

Related CVEs

CVSS Breakdown

Version	3.1
Score	9.6 / 10
Severity	critical

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Weakness (CWE)

CWE-116

Affected Product

Vendor	Go-Git Project
Product	Go-Git
Versions	6.0.0