Unrated severityNVD Advisory· Published Jun 24, 2026· Updated Jun 24, 2026

Warp branch selector command injection via Git branch names

CVE-2026-48719

Description

Warp is an agentic development environment. From 0.2025.08.06.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by the victim's shell if the victim selects that branch from the UI. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected products

Warpdotdev/Warpllm-fuzzy
Range: >= 0.2025.08.06.08.12.stable_00, < 0.2026.05.06.15.42.stable_01

Patches

Vulnerability mechanics

References

github.com/warpdotdev/warp/commit/4295ec08d01912fe355351547e541277f29288cdmitrex_refsource_MISC
github.com/warpdotdev/warp/security/advisories/GHSA-hgvx-4xvm-39pwmitrex_refsource_CONFIRM

News mentions

No linked articles in our index yet.

cvss	0.000
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000