CVE-2026-45570
go-git: Improper single-quote escaping in go-git SSH transport
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
3th
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
| CWE | CWE-116 |
| Vendor | go-git |
| Product | go-git |
| Published | May 27, 2026 |
| Last Updated | May 28, 2026 |
Stay Ahead of the Next One
Get instant alerts for go-git go-git
Be the first to know when new unknown vulnerabilities affecting go-git go-git are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
go-git / go-git
< 5.19.1 >= 6.0.0-alpha.1, < 6.0.0-alpha.4