105 matches found
CVE-2026-49959
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in...
CVE-2026-49959 Hermes WebUI < 0.51.311 RCE via Git Configuration Injection
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in...
CVE-2026-49959
Hermes WebUI prior to 0.51.311 is affected by a remote code execution vulnerability. Authenticated attackers can trigger arbitrary commands by placing a malicious executable Git configuration in a workspace repo’s .git/config. The issue arises from Git subprocess invocations in api/workspace_git....
CVE-2026-49959 Hermes WebUI < 0.51.311 RCE via Git Configuration Injection
Hermes WebUI before version 0.51.311 contains a remote code execution vulnerability that allows authenticated attackers to execute arbitrary commands by placing malicious executable Git configuration in a workspace repository's .git/config file. Attackers can exploit Git subprocess invocations in...
SUSE CVE-2026-11332
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...
CVE-2026-33435
Weblate is a web based localization tool. In versions prior to 5.17, the project backup didn't filter Git and Mercurial configuration files which could lead to remote code execution under certain circumstances. This issue has been fixed in version 5.17. If developers are unable to update...
Arbitrary Argument Injection
Overview ansible-core is an a radically simple IT automation system. It handles configuration management, application deployment, cloud provisioning, ad-hoc task execution, network automation, and multi-node orchestration. Ansible makes complex changes like zero-downtime rolling updates with load...
CVE-2026-11332
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...
CVE-2026-11332
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...
EUVD-2026-34791
A flaw was found in ansible-core. The ansible-galaxy role install command processes dependency specifications from a role's meta/requirements.yml file. Due to improper neutralization of argument delimiters, a malicious role author can inject arbitrary git configuration flags through the src field...
PT-2026-46910
Name of the Vulnerable Software and Affected Versions ansible-core affected versions not specified Red Hat Ansible Automation Platform affected versions not specified Description An argument injection flaw exists in the ansible-galaxy role install command. The issue occurs because dependency...
Linux Distros Unpatched Vulnerability : CVE-2026-44465
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonit...
CVE-2026-44465
Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution RCE when a victim open a folder in untrusted mode...
CVE-2026-44465
Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution RCE when a victim open a folder in untrusted mode...
EUVD-2026-32937
Zed is a code editor. Prior to 0.227.1, Zed IDE executes arbitrary commands when opening a folder with a malicious .git/config file that abuses the core.fsmonitor Git configuration option. This allows an attacker to achieve Remote Code Execution RCE when a victim open a folder in untrusted mode...
USN-8303-1: GitPython vulnerabilities
Santos Gallegos discovered that GitPython did not properly validate paths when resolving certain Git references. An attacker could possibly use this issue to cause files outside the .git directory to be accessed, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu...
PT-2026-39901
Name of the Vulnerable Software and Affected Versions GitHub Copilot CLI versions prior to 1.0.43 Description An issue exists where a malicious bare git repository nested inside a project directory can lead to arbitrary code execution when the agent performs git operations. By exploiting git's...
Malicious code in briantreehttp (npm)
briantreehttp is a typosquatting package impersonating braintreehttp, the HTTP client library published by Braintree/PayPal. The package bundles the legitimate library source to appear functional while hiding a credential-theft payload in index1.js, which is executed at install time via the...
GHSA-V87R-6Q3F-2J67 GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
GitConfigParser.setvalue passes values to Python's configparser without validating for newlines. GitPython's own write converts embedded newlines into indented continuation lines e.g. \n becomes \n\t, but Git still accepts an indented core stanza as a section header — so the injected core.hooksPa...
GHSA-558G-H753-6M33 Weblate: Remote code execution during backup restoration
Impact The project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances. Patches https://github.com/WeblateOrg/weblate/pull/18549 Workarounds The project backup is only accessible to users who can create projects...