๐Ÿ” CVE Alert

CVE-2026-59703

HIGH 7.5

repomix - Local File Inclusion via file:// URL Scheme in Git Clone Endpoint

CVSS Score
7.5
EPSS Score
0.0%
EPSS Percentile
0th

repomix contains a local file inclusion vulnerability in the git clone endpoint that allows unauthenticated attackers to read arbitrary local git repositories. The isValidRemoteValue function in src/core/git/gitRemoteParse.ts fails to block file:// URLs, permitting attackers to supply file:// scheme URLs that bypass validation and are passed directly to git clone, enabling unauthorized access to all tracked file contents on the server filesystem.

CWE CWE-552
Vendor repomix
Product repomix
Published Jul 8, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for repomix repomix

Be the first to know when new high vulnerabilities affecting repomix repomix are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

repomix / repomix
0 < 1.14.1 0 โ‰ค c748b52

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/yamadashy/repomix/issues/1704 github.com: https://github.com/yamadashy/repomix github.com: https://github.com/CrazyForks/repomix/commit/c748b524f41225e7fc6f89ad0084520901a453cf vulncheck.com: https://www.vulncheck.com/advisories/repomix-local-file-inclusion-via-file-url-scheme-in-git-clone-endpoint

Credits

๐Ÿ” George Chen