CVE-2026-45570

Name of the Vulnerable Software and Affected Versions go-git versions prior to v5

Description The SSH transport in go-git constructs the remote exec command by wrapping the repository path in single quotes but fails to escape single quotes embedded within that path. This allows a repository path containing a single quote to break out of the quoted region and append additional shell tokens. On SSH servers that evaluate the exec command through a shell, such as those using /bin/sh, /bin/bash, or a ForceCommand wrapper that re-evaluates $SSH ORIGINAL COMMAND, these tokens execute within the account's command-execution context. This issue occurs on the SSH server side, but go-git can act as a vehicle for reaching such servers through attacker-influenced repository paths.

Recommendations Upgrade to a supported version of go-git (v5 or later).