CVE-2026-11572

8.7HIGH

Key Information:

Status: Degit
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-11572?

Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.

Affected Version(s)

degit 0 < 2.8.6

degit 3.0.0 < 3.3.1

References

https://security.snyk.io/vuln/SNYK-JS-DEGIT-17116207

https://gist.github.com/badp3te/cf22a939eedbd3d8ade912382...

https://github.com/Rich-Harris/degit/commit/d55bfd7cea79c...

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 8, 2026

Credit

Amar Khatri

Mokksh Parekh

CVE-2026-11572 Data

JSON