SecBoard
Zurück zur CVE-Übersicht

CVE-2026-49987

NONE
Risk Signal Score10/100 — NIEDRIG
  • Weniger als 24 Stunden alt

Beschreibung

Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1.

GitHub Advisories

GHSA-9mm9-rqhj-j5mxHIGH

repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection

npm/repomix1.14.1
GitHub Advisory

Referenzen