Prefect Git Argument Injection in GitRepository Pull Steps

A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commitsha/directories results in argument injection. It is...

CVE-2026-40938 Tekton Pipelines: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE

Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation...

EUVD-2026-24491

Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE...

Git Argument Injection via Reference Field in GitHubRepository Block

This report is not public...

EUVD-2022-1613

Malicious code in bioql PyPI...

EUVD-2022-2532

Malicious code in bioql PyPI...

EUVD-2022-1661

Malicious code in bioql PyPI...

Linux Distros Unpatched Vulnerability : CVE-2024-47516

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure...

DEBIAN-CVE-2024-47516

A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance...

UBUNTU-CVE-2024-47516

A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance...

Amazon Linux 2 : amazon-ssm-agent (ALAS-2025-2739)

The version of amazon-ssm-agent installed on the remote host is prior to 3.3.1611.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2739 advisory. go-git is a highly extensible git implementation library written in pure Go. An argument injection...

Security update for amazon-ssm-agent

This update for amazon-ssm-agent fixes the following issues: Update to version 3.3.1611.0: CVE-2025-21613: Fixed argument injection via the URL field in github.com/go-git/go-git/v5 bsc1235575 Full changelog: https://github.com/aws/amazon-ssm-agent/compare/3.1.1260.0...3.3.1611.0 Patch Instruction...

SUSE CVE-2024-47516

A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance...

Command injection in workspace-tools

The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranchremote: string, remoteBranch: string, cwd: string function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that...

CVE-2022-25865

The package workspace-tools before 0.18.4 are vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranchremote: string, remoteBranch: string, cwd: string function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that...

CVE-2022-25865 Command Injection

The package workspace-tools before 0.18.4 are vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranchremote: string, remoteBranch: string, cwd: string function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that...

CVE-2022-25648

A flaw was found in ruby-git, where the package is vulnerable to command injection via the git argument. This flaw allows an attacker to set additional flags, which leads to performing command injections...

GHSA-7627-MP87-JF6Q Command injection in cocoapods-downloader

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocessoptions function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a...

CVE-2022-24440

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocessoptions function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a...

PT-2022-16698

Name of the Vulnerable Software and Affected Versions cocoapods-downloader versions prior to 1.6.0 cocoapods-downloader versions 1.6.2 through 1.6.3 Description The issue concerns Command Injection via git argument injection. When the Pod::Downloader.preprocess options function is called and git ...