CVE-2026-45571— go-git: Crafted repositories may modify main and submodule .git directories
Possible ATT&CK Techniques 3AI
T1059 · Command and Scripting Interpreter T1564 · Hide Artifacts T1406Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45571
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
go-git: Crafted repositories may modify main and submodule .git directories
Source: NVD (National Vulnerability Database)
Vulnerability Description
go-git is an extensible git implementation library written in pure Go. Prior to 5.19.1 and 6.0.0-alpha.4, a path validation issue in go-git could allow crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. These validations were introduced in upstream Git years ago, so the vulnerability arose from go-git drifting from those checks. This vulnerability is fixed in 5.19.1 and 6.0.0-alpha.4.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
go-git 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
go-git是go-git开源的一个用纯 Go 编写的高度可扩展的 git 实现库。 go-git 5.19.1之前版本和6.0.0-alpha.4之前版本存在路径遍历漏洞,该漏洞源于路径验证问题,可能导致特制仓库数据影响预期检出目标之外的文件。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45571
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45571
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-45571 (1)
Same Patch Batch · go-git · 2026-05-27 · 3 CVEs total
| CVE-2026-45022 | go-git: Improper parsing of specially crafted objects may lead to inconsistent interpretat | |
| CVE-2026-45570 | go-git: Improper single-quote escaping in go-git SSH transport |
IV. Related Vulnerabilities
Same product: go-git
- CVE-2026-45570
go-git: Improper single-quote escaping in go-git SSH transpo - CVE-2026-45022
go-git: Improper parsing of specially crafted objects may le - CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP - CVE-2026-33762
go-git: Missing validation decoding Index v4 files leads to - CVE-2026-34165
go-git: Maliciously crafted idx file can cause asymmetric me
Same vendor: go-git
- CVE-2026-44740
go-billy: Lack of depth and cycle detection in symlink resol - CVE-2026-44973
Billy: Path traversal vulnerabilities - CVE-2026-45570
go-git: Improper single-quote escaping in go-git SSH transpo - CVE-2026-45022
go-git: Improper parsing of specially crafted objects may le - CVE-2026-41506
go-git Credential leak via cross-host redirect in smart HTTP
Same weakness: CWE-22
- CVE-2026-41412
alf.io vulnerable to Arbitrary File Read and Exfil via simpl - CVE-2026-49144
BrowserStack Runner 0.9.5 Path Traversal via _default HTTP H - CVE-2026-32685
Path Traversal in gleam docs build via documentation.pages A - CVE-2026-43965
Path Traversal in build/packages/packages.toml Allows Arbitr - CVE-2026-49136
Banana Slides 0.4.0 Path Traversal via generate_image() in a
V. Comments for CVE-2026-45571
No comments yet