CVE-2026-45261
Description
GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link into a pull request body which, if clicked by the user, allows arbitrary script execution in the Tauri webview. Users who have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A link injection vulnerability in GitButler prior to 0.19.7 allows remote code execution via a malicious pull request link when forge integration is enabled.
Vulnerability
A remote code execution vulnerability exists in the Tauri-based GitButler desktop application prior to version 0.19.7. The flaw resides in the forge integration feature, where an attacker can inject a malicious link into a pull request body. If a user with forge integration enabled clicks the link, arbitrary script execution occurs within the Tauri webview [1].
Exploitation
An attacker must craft a pull request containing a specially crafted link and submit it to a repository accessible to the victim. The attacker does not require authentication on the victim's system but must have the ability to create pull requests (e.g., via a fork). Successful exploitation depends on the victim having forge integration enabled in GitButler and clicking the malicious link. No additional user interaction beyond the click is needed [1].
Impact
Successful exploitation grants the attacker arbitrary script execution in the context of the Tauri webview. This can escalate to full remote code execution on the victim's machine, depending on the webview's sandbox restrictions and the application's permissions. The attacker gains the ability to execute arbitrary commands, potentially compromising the integrity and confidentiality of the user's data [1].
Mitigation
The vulnerability is fixed in GitButler version 0.19.7. Users should upgrade to this version or later. As a workaround, users who do not require forge integration can disable it to eliminate the attack surface. No other mitigations are disclosed in the available reference [1].
AI Insight generated on May 28, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 entries
- (no CPE) range: <0.19.7
- (no CPE) range: <0.19.7
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics are only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.