CVE-2026-45570
Published 2026-05-27
Priority: P349 · critical · 9.6 (CVSS 3.1)
AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS: 0.36% (28.4th percentile)
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
Affected
7 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | go-git_go-git | 0 – 4.7.0 | — |
| github.com | go-git_go-git_v5 | >= 0 < 5.19.1 | 5.19.1 |
| github.com | go-git_go-git_v6 | >= 0 < 6.0.0-alpha.4 | 6.0.0-alpha.4 |
| go-git | go-git | < 5.19.1 | 5.19.1 |
| go-git | go-git | — | — |
| go-git_project | go-git | < 5.19.1 | 5.19.1 |
| go-git_project | go-git | — | — |
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 9.6 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| nvd | v4.0 | 2.3 | LOW | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
VulDB
go-git up to 5.19.0/6.0.0-alpha.3 escape output (GHSA-m7cr-m3pv-hgrp)
vuldb·2026-06-07·CVSS 9.6
CVE-2026-45570 [CRITICAL] go-git up to 5.19.0/6.0.0-alpha.3 escape output (GHSA-m7cr-m3pv-hgrp)
A vulnerability, which was classified as critical, was found in go-git up to 5.19.0/6.0.0-alpha.3. This affects an unknown part. Such manipulation leads to escaping of output.
This vulnerability is listed as CVE-2026-45570. The attack may be performed from remote. There is no available exploit.
You should upgrade the affected component.
GHSA
go-git: Improper single-quote escaping in go-git SSH transport
ghsa·2026-05-19
CVE-2026-45570 [LOW] CWE-116 go-git: Improper single-quote escaping in go-git SSH transport
### Impact
`go-git`'s SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through `sq_quote_buf` so that an embedded `'` becomes the `'\''` close-escape-reopen sequence and the whole path round-trips as a single quoted argument.
A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. On SSH servers that evaluate the exec command through a shell (for example a user account whose login shell is `/bin/sh` or `/bin/bash`, or a `ForceCommand` wrapper that re-evaluates `$SS
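The two quoting behaviours described in the advisory text above, side by side, as an added Go example (not go-git's code or its patch). `naiveQuote`, `sqQuote`, `shellWords` and `roundTrips` are hypothetical names, the path is a constructed sample, `git-upload-pack` stands in for the exec command, and `shellWords` is a simplified model of shell word splitting rather than a full shell parser.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveQuote is the flawed form the advisory describes: no escaping of '.
func naiveQuote(p string) string { return "'" + p + "'" }

// sqQuote applies the close-escape-reopen rule: each ' becomes '\''.
func sqQuote(p string) string { return "'" + strings.ReplaceAll(p, "'", `'\''`) + "'" }

// shellWords models word splitting (single quotes, backslash, blanks only);
// ok is false when a single quote is left unterminated.
func shellWords(cmd string) (words []string, ok bool) {
	var cur strings.Builder
	inWord, inQuote := false, false
	flush := func() {
		if inWord {
			words, inWord = append(words, cur.String()), false
			cur.Reset()
		}
	}
	for i := 0; i < len(cmd); i++ {
		switch c := cmd[i]; {
		case c == '\'':
			inQuote, inWord = !inQuote, true
		case !inQuote && c == '\\' && i+1 < len(cmd):
			i++
			cur.WriteByte(cmd[i])
			inWord = true
		case !inQuote && (c == ' ' || c == '\t'):
			flush()
		default:
			cur.WriteByte(c)
			inWord = true
		}
	}
	flush()
	return words, !inQuote
}

// roundTrips reports whether path arrives as exactly one argument.
func roundTrips(quote func(string) string, path string) bool {
	words, ok := shellWords("git-upload-pack " + quote(path))
	return ok && len(words) == 2 && words[1] == path
}

const samplePath = "/srv/o'neil and o'hara.git" // constructed sample path
func main() { fmt.Println(roundTrips(naiveQuote, samplePath), roundTrips(sqQuote, samplePath)) }
```

A check like `roundTrips` is suitable as a regression test for any code that builds a remote exec string from a repository path.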