313 matches found
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...
go-git: Improper single-quote escaping in go-git SSH transport
Impact go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through sqquotebuf so that an embedded ' becomes the '''...
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...
Improper Encoding or Escaping of Output
Overview Affected versions of this package are vulnerable to Improper Encoding or Escaping of Output due to improper escaping of single quotes in the SSH transport command construction process. An attacker can inject arbitrary shell tokens by including single quotes in the repository path,...
GHSA-M7CR-M3PV-HGRP go-git: Improper single-quote escaping in go-git SSH transport
Impact go-git's SSH transport constructs the remote exec command by wrapping the repository path in single quotes without escaping single quotes embedded inside the path. This diverges from canonical Git, which shell-quotes the path through sqquotebuf so that an embedded ' becomes the '''...
OPENSUSE-SU-2026:20770-1 Security update for git-bug
This update for git-bug fixes the following issues: Changes in git-bug: - CVE-2026-1229: CIRCL had an incorrect calculation in secp384r1 CombinedMult bsc1265416, GO-2026-4550: updated github.com/cloudflare/circl to v1.6.3 - CVE-2026-41506: HTTP authentication credential leak when following...
PT-2026-41958
Name of the Vulnerable Software and Affected Versions go-git versions prior to v5 Description The SSH transport in go-git constructs the remote exec command by wrapping the repository path in single quotes but fails to escape single quotes embedded within that path. This allows a repository path...
PT-2026-41959
Name of the Vulnerable Software and Affected Versions go-git versions prior to v5 Description A path validation issue allows crafted repository data to affect files outside the intended checkout target, including the repository's .git directory. This occurs because the software drifted from...
OPENSUSE-SU-2026:20809-1 Security update for trivy
This update for trivy fixes the following issues - CVE-2025-64702: github.com/quic-go/quic-go/http3: quic-go HTTP/3 QPACK Header Expansion DoS bsc1255366. - CVE-2025-69725: github.com/go-chi/chi/v5: incorrect input validation in the RedirectSlashes function can lead to an open redirect bsc1258513...
Linux Distros Unpatched Vulnerability : CVE-2026-44309
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-enco...
openSUSE 16 Security Update : trivy (openSUSE-SU-2026:20720-1)
The remote openSUSE 16 host has a package installed that is affected by a vulnerability as referenced in the openSUSE- SU-2026:20720-1 advisory. Changes in trivy: - update go-git to 5.18.0 bsc1264873, CVE-2026-41506 Tenable has extracted the preceding description block directly from the SUSE...
CVE-2026-44309
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git...
UBUNTU-CVE-2026-44309
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git...
CVE-2026-44309 gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git...
CVE-2026-44309
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git...
CVE-2026-44309 gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits
Gitsign is a keyless Sigstore to signing tool for Git commits with your a GitHub / OIDC identity. Prior to 0.16.0, gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git...
CVE-2026-44309
Summary: CVE-2026-44309 affects gitsign up to version 0.15.x, fixed in 0.16.0. The issue arises because gitsign verify and verify-tag re-encode commits/tags using go-git’s EncodeWithoutSignature instead of verifying raw bytes. Go-git performs loose parsing and discards the first of two identical ...
CVE-2026-41506
A flaw was found in go-git, an extensible Git implementation library for Go. This vulnerability allows an attacker to potentially obtain sensitive HTTP authentication credentials. This can occur when go-git follows redirects during smart-HTTP clone and fetch operations, leading to the unintended...
Security update for trivy (moderate)
openSUSE security update: security update for trivy ------------------------------------------------------------- Announcement ID: openSUSE-SU-2026:20720-1 Rating: moderate References: bsc1264873 Cross-References: CVE-2026-41506 CVSS scores: CVE-2026-41506 SUSE : 6.5...
OPENSUSE-SU-2026:20720-1 Security update for trivy
This update for trivy fixes the following issues: Changes in trivy: - update go-git to 5.18.0 bsc1264873, CVE-2026-41506...