CVE-2026-45570
- Source
- https://cve.org/CVERecord?id=CVE-2026-45570
- Import Source
- https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45570.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/CVE-2026-45570
- Aliases
- Downstream
- Related
- Published
- 2026-05-27T14:59:17.441Z
- Modified
- 2026-06-06T04:01:10.933762492Z
- Severity
-
- 2.3 (Low) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L CVSS Calculator
- Summary
- go-git: Improper single-quote escaping in go-git SSH transport
- Details
-
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
- Database specific
{ "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45570.json", "cwe_ids": [ "CWE-116" ], "cna_assigner": "GitHub_M" }- References