VYPR
Critical severity9.6GHSA Advisory· Published May 27, 2026· Updated Jun 4, 2026

CVE-2026-45570

CVE-2026-45570

Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

PackageAffected versionsPatched versions
github.com/go-git/go-git/v5Go
< 5.19.15.19.1
github.com/go-git/go-git/v6Go
< 6.0.0-alpha.46.0.0-alpha.4
github.com/go-git/go-gitGo
<= 4.7.0

Affected products

295

Patches

Vulnerability mechanics

References

3

News mentions

0

No linked articles in our index yet.