CVE-2026-11572

Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec method by cloneWithGit and fetchRefs functions. An attacker can execute arbitrary operating syst...

11ty-starter-json (=1.0.0), @0xshariq/package-installer (>=2.1.0 <=3.1.1) +1352 more potentially affected by CVE-2026-11572 via degit (>=2.1.3 <=2.8.5)

degit NPM version =2.1.3, =2.1.0, =0.0.1, =1.0.8, =1.0.0, =1.0.4, =1.0.7, =1.0.0, =1.0.0, =1.0.0, =2.0.0, =1.0.0, =1.0.5, =0.1.0-alpha.0, =0.2.0-alpha.0 and more Source cves: CVE-2026-11572 Source advisory: SNYK:JS-DEGIT-17116207...