Improper Encoding or Escaping of Output in go-git - CVE-2026-45570


Published: May 19, 2026


Vulnerability identifier: #VU131781
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45570
CWE-ID: CWE-116
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: go-git
Affected software:
go-git

Detailed vulnerability description

The vulnerability allows a remote attacker to execute commands in the SSH server account context.

The vulnerability exists due to improper encoding or escaping of output in the SSH transport remote exec command construction when processing a repository path containing a single quote. A remote attacker can supply a crafted repository path to execute commands in the SSH server account context.

Exploitation requires an SSH server configuration that evaluates the exec command through a shell; canonical git-shell setups that tokenize the exec command without shell evaluation are not affected.
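The defect class described above is a CWE-116 problem at the point where the client builds the remote exec line: if the repository path is dropped between single quotes without escaping, a path containing a single quote closes the quoted argument early on any server that hands the exec string to a shell. The following Go program is an added example, not go-git's code, showing the naive construction next to the standard POSIX single-quote escaping (`'` becomes `'\''`), plus a small tokenizer that models how a shell-evaluating server would split the resulting line so the difference is visible. The function names (`naiveExecCommand`, `buildExecCommand`, `shellQuote`, `shellWords`) and the sample path `it's.git` are constructed for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// shellQuote wraps s in POSIX single quotes. Inside single quotes a shell
// interprets nothing except the closing quote, so the only character that
// needs handling is an embedded quote, which is rewritten as '\'' (close the
// quoted string, emit a literal quote, reopen the quoted string).
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// naiveExecCommand illustrates the weakness: the path is placed between
// quotes verbatim, so a quote inside it terminates the argument early.
// Hypothetical helper for the example, not go-git's implementation.
func naiveExecCommand(service, repoPath string) string {
	return service + " '" + repoPath + "'"
}

// buildExecCommand is the hardened form: the path is escaped so the remote
// shell, if one is involved, receives it as exactly one argument.
func buildExecCommand(service, repoPath string) string {
	return service + " " + shellQuote(repoPath)
}

// shellWords splits cmd the way a POSIX shell would for the subset of syntax
// that matters here: whitespace separates words, single quotes protect their
// contents literally, and a backslash outside quotes escapes the next rune.
// It also reports whether the line ended with a single quote still open.
func shellWords(cmd string) (words []string, unterminated bool) {
	var cur strings.Builder
	inWord, inQuote := false, false
	rs := []rune(cmd)
	for i := 0; i < len(rs); i++ {
		c := rs[i]
		switch {
		case inQuote:
			if c == '\'' {
				inQuote = false
			} else {
				cur.WriteRune(c)
			}
		case c == '\'':
			inQuote, inWord = true, true
		case c == '\\' && i+1 < len(rs):
			i++
			cur.WriteRune(rs[i])
			inWord = true
		case c == ' ' || c == '\t':
			if inWord {
				words = append(words, cur.String())
				cur.Reset()
				inWord = false
			}
		default:
			cur.WriteRune(c)
			inWord = true
		}
	}
	if inWord {
		words = append(words, cur.String())
	}
	return words, inQuote
}

func main() {
	// Constructed sample path containing a single quote.
	const path = "it's.git"
	for _, cmd := range []string{
		naiveExecCommand("git-upload-pack", path),
		buildExecCommand("git-upload-pack", path),
	} {
		words, open := shellWords(cmd)
		fmt.Printf("%-35s -> words=%q unterminated=%v\n", cmd, words, open)
	}
}
```

Running it shows the naive line splitting into a corrupted argument with a dangling quote, while the escaped line yields the single intended argument `it's.git`. The same splitter doubles as a cheap pre-send check: a command whose word list is not exactly `[service, path]` or that reports an unterminated quote should never be sent.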


How to mitigate CVE-2026-45570

Install the security update from the vendor's website.

Sources