3 matches found
CVE-2026-12398 Galaxy_ng: shell injection in legacy role import via unsanitized git ref names
A command injection vulnerability was found in galaxy_ng. The do_git_checkout function in the legacy role import API v1 interpolates unsanitized git ref names (branch/tag names) into shell commands executed via subprocess.run with shell=True. An authenticated user who controls a git repository can...
galaxy-ng (>=4.2.0 <=4.4.5), pulp-ansible (>=0.2.0 <=0.6.2) potentially affected by CVE-2023-5189 via galaxy-importer (>=0.1.1 <=0.4.0)
galaxy-importer PYPI version =0.1.1, =4.2.0, =0.2.0, =0.6.2 Source cves: CVE-2023-5189 Source advisory: OSV:GHSA-55G2-VM3Q-7W52...
galaxy-ng (>=4.4.0 <=4.5.5) potentially affected by CVE-2022-3644 via pulp-ansible (>=0.10.5 <=0.13.6)
pulp-ansible PYPI version =0.10.5, =4.4.0, =4.5.5 Source cves: CVE-2022-3644 Source advisory: OSV:GHSA-QV37-MFJF-42H8...