Shell Command Injection in go-git for SSH Transport
CVE-2026-45570

2.3 LOW

Key Information:

Vendor

Go-git

Status
Vendor
CVE Published:
27 May 2026

What is CVE-2026-45570?

The go-git library, an extensible Git implementation written in pure Go, contains a vulnerability in its SSH transport mechanism. When the library forms the remote exec command, it encloses the repository path in single quotes but does not escape single quotes within the path itself. As a result, attackers could exploit this flaw to inject additional shell tokens and potentially execute arbitrary commands. Users are advised to upgrade to version 5.19.1 or 6.0.0-alpha.4, where this vulnerability has been addressed.
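The quoting flaw described above, as an added example that is not go-git's code or its actual patch: it compares unescaped single-quoting with the standard POSIX `'\''` idiom and counts the words a shell would see. The helper names, the minimal word splitter and the sample path are constructed for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// naiveQuote (hypothetical) wraps in single quotes without escaping inner quotes.
func naiveQuote(s string) string { return "'" + s + "'" }

// shellQuote closes the quote, emits an escaped quote, and reopens: ' -> '\''
func shellQuote(s string) string {
	return "'" + strings.ReplaceAll(s, "'", `'\''`) + "'"
}

// shellWords is a minimal POSIX-style splitter (single quotes, backslash, spaces).
func shellWords(cmd string) (words []string) {
	var cur strings.Builder
	inWord, inQuote := false, false
	flush := func() {
		if inWord {
			words = append(words, cur.String())
			cur.Reset()
			inWord = false
		}
	}
	for i := 0; i < len(cmd); i++ {
		switch c := cmd[i]; {
		case c == '\'': // opens or closes a quoted span; '' is an empty word
			inQuote, inWord = !inQuote, true
		case !inQuote && c == ' ':
			flush()
		case !inQuote && c == '\\' && i+1 < len(cmd):
			i++ // backslash outside quotes: take the next byte literally
			fallthrough
		default:
			cur.WriteByte(cmd[i])
			inWord = true
		}
	}
	flush()
	return words
}

func main() {
	path := "/srv/repo' extra-token '" // constructed sample input
	fmt.Printf("%q\n", shellWords("git-upload-pack "+naiveQuote(path)))
	fmt.Printf("%q\n", shellWords("git-upload-pack "+shellQuote(path)))
}
```

With the naive form the single path splits into several shell words; with the escaped form it stays one argument identical to the input.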

Affected Version(s)

go-git < 5.19.1

go-git >= 6.0.0-alpha.1, < 6.0.0-alpha.4

CVSS V4

Score:
2.3
Severity:
LOW
Confidentiality:
None
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved