๐Ÿ” CVE Alert

CVE-2026-49987

UNKNOWN 0.0

Repomix: Command Injection (RCE) via `--remote-branch` Argument Injection

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1.

CWE CWE-88
Vendor yamadashy
Product repomix
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for yamadashy repomix

Be the first to know when new unknown vulnerabilities affecting yamadashy repomix are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

yamadashy / repomix
< 1.14.1

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/yamadashy/repomix/security/advisories/GHSA-9mm9-rqhj-j5mx github.com: https://github.com/yamadashy/repomix/commit/92bfa3193b5233a0d21beff929444153c088de82 github.com: https://github.com/yamadashy/repomix/releases/tag/v1.14.1