PT-2026-44412 · Gitbutler · Gitbutler

Grumpinout1

·

Published

2026-05-28

·

Updated

2026-06-01

·

CVE-2026-45261

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions GitButler versions prior to 0.19.7
Description A remote code execution issue exists in the Tauri-based desktop application. An attacker can inject a malicious link into a pull request body; if a user clicks this link, it allows for arbitrary script execution within the Tauri webview. This issue only affects users who have enabled forge integration.
Recommendations Update to version 0.19.7. Disable forge integration to mitigate the risk of exploitation.

Exploit

Fix

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-45261
GHSA-XPMJ-536R-9FC6

Affected Products

Gitbutler