CVE-2026-45570 LOW

CVE-2026-45570: go-git: Improper single-quote escaping in go-git SSH transport

Vendor Go-Git
Product go-git
Weakness CWE-116
Published May 27, 2026
Last update May 28, 2026

CVSS base score

2.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:L

What the vulnerability does

01Description

go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.

Key dates

02Disclosure timeline

May 27, 2026 CVE published
May 28, 2026 Record updated