CVE-2026-45571

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-45571
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45571.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2026-45571
Aliases
Downstream
Related
Published
2026-05-27T14:57:32.843Z
Modified
2026-05-31T03:56:31.221469075Z
Severity
  • 5.4 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L CVSS Calculator
Summary
go-git: Crafted repositories may modify main and submodule .git directories
Details

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

Database specific 
{
    "cwe_ids": [
        "CWE-22"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45571.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/go-git/go-git

Affected ranges

Type
GIT
Repo
https://github.com/go-git/go-git
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
3c3be601aa6c0fd0d536c0d1e4f898b4c60e65fe
Introduced
5c776e15a11be5d2dfc6df27692bf867a69c37d8
Fixed
d9a69831082341eab799c062e10ad28b3204c08a
Database specific 
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.19.1"
        },
        {
            "introduced": "6.0.0-alpha.1"
        },
        {
            "fixed": "6.0.0-alpha.4"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

v1.*
v1.0.0
v2.*
v2.0.0
v2.1.0
v2.1.1
v2.1.2
v2.1.3
v2.2.0
v3.*
v3.0.0
v3.0.1
v3.0.2
v3.0.3
v3.0.4
v3.1.0
v3.1.1
v4.*
v4.0.0
v4.0.0-rc1
v4.0.0-rc10
v4.0.0-rc11
v4.0.0-rc12
v4.0.0-rc13
v4.0.0-rc14
v4.0.0-rc15
v4.0.0-rc2
v4.0.0-rc3
v4.0.0-rc4
v4.0.0-rc5
v4.0.0-rc6
v4.0.0-rc7
v4.0.0-rc8
v4.0.0-rc9
v4.1.0
v4.1.1
v4.10.0
v4.11.0
v4.12.0
v4.13.0
v4.13.1
v4.2.0
v4.2.1
v4.3.0
v4.3.1
v4.4.0
v4.4.1
v4.5.0
v4.6.0
v4.7.0
v4.7.1
v4.8.0
v4.8.1
v4.9.0
v4.9.1
v5.*
v5.0.0
v5.1.0
v5.10.0
v5.10.1
v5.11.0
v5.12.0
v5.13.0
v5.13.1
v5.13.2
v5.14.0
v5.15.0
v5.16.0
v5.16.1
v5.16.2
v5.16.3
v5.16.4
v5.16.5
v5.17.0
v5.17.1
v5.17.2
v5.18.0
v5.19.0
v5.2.0
v5.3.0
v5.4.0
v5.4.1
v5.4.2
v5.5.0
v5.5.1
v5.5.2
v5.6.0
v5.6.1
v5.7.0
v5.8.0
v5.8.1
v5.9.0
v6.*
v6.0.0-alpha.1
v6.0.0-alpha.2
v6.0.0-alpha.3

Database specific

source 
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-45571.json"