CVE-2026-45570— go-git: Improper single-quote escaping in go-git SSH transport
Possible ATT&CK Techniques 1AI
T1059 · Command and Scripting InterpreterGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45570
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
go-git: Improper single-quote escaping in go-git SSH transport
Source: NVD (National Vulnerability Database)
Vulnerability Description
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. A repository path containing a single quote can therefore break out of the quoted region in the exec command and be appended as additional shell tokens. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
Source: NVD (National Vulnerability Database)
CVSS Information
N/A
Source: NVD (National Vulnerability Database)
Vulnerability Type
对输出编码和转义不恰当
Source: NVD (National Vulnerability Database)
Vulnerability Title
go-git 安全漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
go-git是go-git开源的一个用纯 Go 编写的高度可扩展的 git 实现库。 go-git 5.19.1之前版本和6.0.0-alpha.4之前版本存在安全漏洞,该漏洞源于SSH传输构造远程执行命令时将仓库路径用单引号包裹而未转义路径中的单引号,可能导致包含单引号的仓库路径突破引号区域附加为额外shell令牌。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45570
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45570
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-45570 (1)
Same Patch Batch · go-git · 2026-05-27 · 3 CVEs total
| CVE-2026-45571 | 5.4 MEDIUM | go-git: Crafted repositories may modify main and submodule .git directories |
| CVE-2026-45022 | go-git: Improper parsing of specially crafted objects may lead to inconsistent interpretat |
IV. Related Vulnerabilities
Same product: go-git
- CVE-2026-45571
go-git: Crafted repositories may modify main and submodule . - CVE-2026-45022
go-git: Improper parsing of specially crafted objects may le - CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP - CVE-2026-33762
go-git: Missing validation decoding Index v4 files leads to - CVE-2026-34165
go-git: Maliciously crafted idx file can cause asymmetric me
Same vendor: go-git
- CVE-2026-44740
go-billy: Lack of depth and cycle detection in symlink resol - CVE-2026-44973
Billy: Path traversal vulnerabilities - CVE-2026-45571
go-git: Crafted repositories may modify main and submodule . - CVE-2026-45022
go-git: Improper parsing of specially crafted objects may le - CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP
Same weakness: CWE-116
- CVE-2026-48485
Quest Bot: Stored warn reasons can still trigger bot-powered - CVE-2026-47188
Quest Bot: Unban and unwarn reason fields still allow bot-po - CVE-2026-47175
Quest Bot: Moderation reason fields allow bot-powered `@ever - CVE-2026-47173
Quest Bot: Ticket reason allows mass-mention injection - CVE-2026-47171
Quest Bot: Reminder messages allow stored mass mentions thro
V. Comments for CVE-2026-45570
No comments yet