CVE-2026-45570
go-git: Improper single-quote escaping in go-git SSH transport
9.6
CRITICAL
CVSS 3.1
EPSS 0.02%
Description
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
How to fix CVE-2026-45570
To remediate CVE-2026-45570, upgrade the affected package to a fixed version below.
- —no fix listed
- —no fix listed
- —no fix listed
- —upgrade to 5.19.1 or later
- —upgrade to 6.0.0-alpha.4 or later
Is CVE-2026-45570 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (5)
- from 0
- from 0
- from 0, <= 4.7.0
- from 0, < 5.19.1
- from 0, < 6.0.0-alpha.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L |
| osv | CVSS 3.1 | CRITICAL9.6 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |