Zurück zur CVE-Übersicht
CVE-2026-49987
NONERisk Signal Score10/100 — NIEDRIG
- Weniger als 24 Stunden alt
Beschreibung
Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1.
GitHub Advisories
GHSA-9mm9-rqhj-j5mxHIGH
repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection
npm/repomix→ 1.14.1
GitHub Advisory