PT-2026-44412 · Gitbutler · Gitbutler
Grumpinout1
·
Published
2026-05-28
·
Updated
2026-06-01
·
CVE-2026-45261
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
Name of the Vulnerable Software and Affected Versions
GitButler versions prior to 0.19.7
Description
A remote code execution issue exists in the Tauri-based desktop application. An attacker can inject a malicious link into a pull request body; if a user clicks this link, it allows for arbitrary script execution within the Tauri webview. This issue only affects users who have enabled forge integration.
Recommendations
Update to version 0.19.7.
Disable forge integration to mitigate the risk of exploitation.
Exploit
Fix
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Gitbutler