CVE-2026-45571

5.4 MEDIUM

go-git is an extensible git implementation library written in pure Go

Published: 2026-05-27 · Last updated: 2026-06-04

Severity and scoring

CVSS: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
CWE: CWE-22

Affected products

Vendor	Product
go-git_project	go-git

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2026-45571
[Vendor advisory]https://github.com/go-git/go-git/security/advisories/GHSA-crhj-59gh-8x96

Related CVEs

Same vendor

CVE-2026-45570 — go-git is an extensible git implementation library written in pure Go (9.6 CRITICAL)
CVE-2026-45022 — go-git is an extensible git implementation library written in pure Go (7.5 HIGH)

Same CWE

CVE-2026-52726 — Dulwich is a pure-Python implementation of the Git file formats and protocols (7.5 HIGH)
CVE-2026-49219 — ImageMagick is free and open-source software used for editing and manipulating digital images (5.5 MEDIUM)
CVE-2026-47712 — Dulwich is a pure-Python implementation of the Git file formats and protocols (3.3 LOW)
CVE-2026-46703 — Boxlite is a sandbox service that allows users to create lightweight virtual machines (Boxes) and launch OCI containers within them to ru... (9.6 CRITICAL)
CVE-2026-42305 — Dulwich is a pure-Python implementation of the Git file formats and protocols (8.8 HIGH)