CVE-2026-50014

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected...

CVE-2026-50014

Affected software : pnpm (package manager). Vulnerability context : Prior to versions 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a separator or commit-format validation. In shallow-fetch paths, a malicious lockfile can replace the expe...

CVE-2026-50014 pnpm: Git Fetch Argument Injection via Lockfile resolution.commit

pnpm is a package manager. Prior to 10.34.0 and 11.4.0, pnpm passes the lockfile-controlled git resolution.commit value to git fetch without a -- separator or commit-format validation. For git dependencies fetched through the shallow-fetch path, a malicious lockfile can replace the expected...

CVE-2026-52810 Gogs: Write to readonly repositories using receive-pack + service=git-upload-pack confusion

Gogs is an open source self-hosted Git service. Prior to 0.14.3, Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string so ?service=git-upload-pack is evaluated as read access while routing still runs git receive-pack, allowing push where only read should...

Gogs allows users to write to readonly repositories using receive-pack + service=git-upload-pack confusion

Summary Git smart HTTP authorizes POST …/git-receive-pack using the client-supplied service query string so ?service=git-upload-pack is evaluated as read access while routing still runs git receive-pack, allowing push where only read should be allowed. Details Gogs' Git Smart HTTP handler for...

PT-2026-51628

Name of the Vulnerable Software and Affected Versions Gogs affected versions not specified Description Gogs contains an authorization bypass in its Git Smart HTTP handler for repository RPCs. The system determines the authorization policy based on the client-supplied service query parameter rathe...

CVE-2026-48827

A flaw was found in Apache MINA SSHD bundle sshd-git. This path traversal vulnerability allows authenticated users to access Git repositories located outside the intended server root directory. The lack of proper path validation during Git operations, such as git-upload-pack and git-receive-pack,...

OESA-2026-2306 python-GitPython security update

GitPython is a python library used to interact with git repositories, high-level like git-porcelain, or low-level like git-plumbing. Security Fixes: Summary GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and...

CVE-2026-42215

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and receivepack bypass that check. If an...

Command Injection

Overview GitPython is a python library used to interact with Git repositories Affected versions of this package are vulnerable to Command Injection via the uploadpack or receivepack kwargs in the Repo.clonefrom, Remote.fetch, Remote.pull, or Remote.push functions. An attacker can execute arbitrar...

CVE-2026-28291

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for...

CVE-2026-28291

simple-git enables running native Git commands from JavaScript. Versions up to and including 3.31.1 allow execution of arbitrary commands through Git option manipulation, bypassing safety checks meant to block dangerous options like -u and --upload-pack. The flaw stems from an incomplete fix for...

simple-git Affected by Command Execution via Option-Parsing Bypass

Summary simple-git enables running native Git commands from JavaScript. Some commands accept options that allow executing another command; because this is very dangerous, execution is denied unless the user explicitly allows it. This vulnerability allows a malicious actor who can control the...

USN-8088-1 golang-github-go-git-go-git vulnerabilities

Ionut Lalu discovered that go-git incorrectly handled certain specially crafted Git server responses. An attacker could possibly use this issue to cause a denial of service. CVE-2023-49568, CVE-2025-21614 Ionut Lalu discovered that go-git incorrectly handled file system paths when using the...

EUVD-2022-6293

Malicious code in bioql PyPI...

EUVD-2025-0045

Malicious code in bioql PyPI...

Security Bulletin: IBM Watson Speech Services Cartridge is vulnerable to an argument injection vulnerability in go-git [CVE-2025-21613]

Summary IBM Watson Speech Services Cartridge is vulnerable to an argument injection vulnerability in go-git, allowing the setting of arbitrary values to git-upload-pack flags when file transport protocol is used CVE-2025-21613. Go-git is used in our watson-speech-catalog images. This vulnerabilit...

go-git: argument injection via the URL field

An argument injection vulnerability was found in go-git. This flaw allows an attacker to set arbitrary values to git-upload-pack flags, leading to command or code execution, exposure of sensitive data, or other unintended behavior. This is only possible in configurations where the file transport...

go-git: argument injection via the URL field

An argument injection vulnerability was found in go-git. This flaw allows an attacker to set arbitrary values to git-upload-pack flags, leading to command or code execution, exposure of sensitive data, or other unintended behavior. This is only possible in configurations where the file transport...

The vulnerability of the git-upload-pack method of the go-git library allows a perpetrator to influence the confidentiality, integrity, and accessibility of the protected information.

The vulnerability of the git-upload-pack method in the go-git library is related to the implementation or modification of arguments. Exploiting this vulnerability could allow a malicious actor to influence the confidentiality, integrity, and accessibility of the protected information...