Git Command Injection Vulnerability in Repomix Tool
CVE-2026-49987

7.5HIGH

Key Information:

Vendor

Yamadashy

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-49987?

The Repomix tool, which aggregates repositories into formats suitable for AI processing, exposes a security risk due to improper handling of Git commands in versions prior to 1.14.1. Specifically, the execGitShallowClone function passes the --remote-branch parameter directly to the git fetch and git checkout commands without validating it. This flaw allows an attacker to inject additional Git options, such as --upload-pack, potentially leading to unauthorized command execution over local or SSH-style transports. The issue was resolved in version 1.14.1.

Affected Version(s)

repomix < 1.14.1

References

CVSS V4

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.