CVE-2026-45261
GitButler: Link injection via forge integration enables arbitrary script execution
CVSS Score
0.0
EPSS Score
0.1%
EPSS Percentile
22th
GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a emote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.
| CWE | CWE-94 |
| Vendor | gitbutlerapp |
| Product | gitbutler |
| Published | May 28, 2026 |
| Last Updated | May 30, 2026 |
Stay Ahead of the Next One
Get instant alerts for gitbutlerapp gitbutler
Be the first to know when new unknown vulnerabilities affecting gitbutlerapp gitbutler are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
gitbutlerapp / gitbutler
< 0.19.7