18 matches found
CVE-2026-5366 Git Argument Injection in prefecthq/prefect
Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the GitRepository storage class. The commit_sha parameter, which is passed to git commands, lacks validation and does not include a -- separator to distinguish user input from git...
Prefect Git Argument Injection in GitRepository Pull Steps
A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is...
CVE-2026-40938 Tekton Pipelines: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE
Tekton Pipelines project provides k8s-style resources for declaring CI/CD-style pipelines. Starting in version 1.0.0 and prior to versions 1.0.2, 1.3.4, 1.6.2, 1.9.3, and 1.11.1, the git resolver's revision parameter is passed directly as a positional argument to git fetch without any validation...
EUVD-2026-24491
Tekton Pipeline: Git Resolver Unsanitized Revision Parameter Enables git Argument Injection Leading to RCE...
Git Argument Injection via Reference Field in GitHubRepository Block
This report is not public...
EUVD-2022-1613
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2024-47516
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure...
DEBIAN-CVE-2024-47516
A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance...
UBUNTU-CVE-2024-47516
A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance...
Amazon Linux 2 : amazon-ssm-agent (ALAS-2025-2739)
The version of amazon-ssm-agent installed on the remote host is prior to 3.3.1611.0-1. It is, therefore, affected by multiple vulnerabilities as referenced in the ALAS2-2025-2739 advisory. go-git is a highly extensible git implementation library written in pure Go. An argument injection...
Security update for amazon-ssm-agent
This update for amazon-ssm-agent fixes the following issues: Update to version 3.3.1611.0: CVE-2025-21613: Fixed argument injection via the URL field in github.com/go-git/go-git/v5 (bsc#1235575). Full changelog: https://github.com/aws/amazon-ssm-agent/compare/3.1.1260.0...3.3.1611.0 Patch Instruction...
SUSE CVE-2024-47516
A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance...
CVE-2022-25865
The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that...
CVE-2022-25865 Command Injection
The package workspace-tools before 0.18.4 is vulnerable to Command Injection via git argument injection. When calling the fetchRemoteBranch(remote: string, remoteBranch: string, cwd: string) function, both the remote and remoteBranch parameters are passed to the git fetch subcommand in a way that...
GHSA-7627-MP87-JF6Q Command injection in cocoapods-downloader
The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 is vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a...
CVE-2022-24440
The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 is vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a...
PT-2022-16698
Name of the Vulnerable Software and Affected Versions: cocoapods-downloader versions prior to 1.6.0; cocoapods-downloader versions 1.6.2 through 1.6.3. Description: The issue concerns Command Injection via git argument injection. When the Pod::Downloader.preprocess_options function is called and git ...
CVE-2019-15000
The commit diff rest endpoint in Bitbucket Server and Data Center before 5.16.10 (the fixed version for 5.16.x), from 6.0.0 before 6.0.10 (the fixed version for 6.0.x), from 6.1.0 before 6.1.8 (the fixed version for 6.1.x), from 6.2.0 before 6.2.6 (the fixed version for 6.2.x), from 6.3.0 before 6.3.5 t...