CVE-2026-49987
Description
Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, src/core/git/gitCommand.ts execGitShallowClone passes the --remote-branch value directly to git fetch and git checkout without validation or --end-of-options, allowing --upload-pack or other Git option injection that bypasses validateGitUrl() dangerous parameter checks and can execute commands through local or SSH-style transports. This issue is fixed in version 1.14.1.
Is your site exposed to CVE-2026-49987?
Run a free security scan — no signup, results in seconds.
Weakness Type (CWE)
References
Other References
Frequently Asked Questions
What is CVE-2026-49987? +
How do I check if I'm vulnerable to CVE-2026-49987? +
Related Vulnerabilities
A hidden console command is vulnerable to command injection flaw when control characters are passed to its second argument. A …
Atheos is a self-hosted browser-based cloud integrated development environment. Prior to version 6.0.4, improper use of `escapeshellcmd()` in `/components/codegit/traits/execute.php` allows …
Git is a fast, scalable, distributed revision control system with an unusually rich command set that provides both high-level operations …
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') vulnerability in CRESTRON TOUCHSCREENS x70 allows Argument Injection.This issue affects …
XZ Utils provide a general-purpose data-compression library plus command-line tools. When built for native Windows (MinGW-w64 or MSVC), the command …
Easywall 0.3.1 allows authenticated remote command execution via a command injection vulnerability in the /ports-save endpoint that suffers from a …