CVE-2026-49987
Repomix: Command Injection (RCE) via `--remote-branch` Argument Injection
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1.
| CWE | CWE-88 |
| Vendor | yamadashy |
| Product | repomix |
| Published | Jul 15, 2026 |
| Last Updated | Jul 15, 2026 |
Stay Ahead of the Next One
Get instant alerts for yamadashy repomix
Be the first to know when new unknown vulnerabilities affecting yamadashy repomix are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
yamadashy / repomix
< 1.14.1