CVE-2026-45570
9.6 CRITICAL
go-git is an extensible git implementation library written in pure Go
Published: 2026-05-27 · Last updated: 2026-06-04
Severity and scoring
- CVSS: 9.6 CRITICAL
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
- CWE: CWE-116
Affected products
| Vendor | Product |
|---|---|
| go-git_project | go-git |
Description
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
Source: NVD
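The quoting defect described above, set beside an escaped form, as an added Go example that is not go-git's own code. The function names `naiveQuote`, `safeQuote` and `shellWords` are hypothetical, the sample path is constructed, `git-upload-pack` is assumed as the remote command, and `shellWords` is only a simplified model of how a POSIX shell splits words.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveQuote reproduces the defect: wrap in single quotes, escape nothing.
func naiveQuote(p string) string { return "'" + p + "'" }

// safeQuote rewrites each ' as '\'' (close quote, escaped quote, reopen).
func safeQuote(p string) string {
	return "'" + strings.ReplaceAll(p, "'", `'\''`) + "'"
}

// shellWords: simplified POSIX splitting (single quotes, backslashes, blanks).
func shellWords(s string) (words []string, closed bool) {
	var cur strings.Builder
	inQuote, inWord := false, false
	for i := 0; i < len(s); i++ {
		switch c := s[i]; {
		case inQuote && c == '\'':
			inQuote = false
		case c == '\'':
			inQuote, inWord = true, true
		case !inQuote && c == '\\' && i+1 < len(s):
			i, inWord = i+1, true
			cur.WriteByte(s[i])
		case !inQuote && (c == ' ' || c == '\t'):
			if inWord {
				words, inWord = append(words, cur.String()), false
				cur.Reset()
			}
		default:
			cur.WriteByte(c)
			inWord = true
		}
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words, !inQuote
}

func main() {
	// Constructed sample path; "git-upload-pack" is an assumed remote command.
	for _, q := range []func(string) string{naiveQuote, safeQuote} {
		fmt.Println(shellWords("git-upload-pack " + q("/srv/git/o'brien notes.git")))
	}
}
```

With the naive form the path no longer arrives as one argument and the quoting is left unbalanced; with the escaped form the remote side sees exactly one argument equal to the original path.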
Related CVEs
Same vendor
- CVE-2026-45571 — go-git is an extensible git implementation library written in pure Go (5.4 MEDIUM)
- CVE-2026-45022 — go-git is an extensible git implementation library written in pure Go (7.5 HIGH)
Same CWE
- CVE-2026-42558 — Xibo is an open source digital signage platform with a web content management system and Windows display player software (7.6 HIGH)
- CVE-2026-53693 — A stored cross-site scripting vulnerability existed in MISP BSimVis tag rendering code
- CVE-2026-49472 — FreeSWITCH is a Software Defined Telecom Stack enabling the digital transformation from proprietary telecom switches to a software implem... (5.3 MEDIUM)
- CVE-2026-8795 — A YAML injection vulnerability exists in the Windows.Collectors.Remapping artifact of Rapid7 Velociraptor before version 0.76.6 (7.8 HIGH)
- CVE-2026-46496 — HAX CMS helps manage microsite universe with PHP or NodeJs backends