Skip to main content

GitButler EUVDEUVD-2026-32944

| CVE-2026-45261 CRITICAL
Code Injection (CWE-94)
2026-05-28 GitHub_M
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
A
Scope
X

Lifecycle Timeline

3
Patch available
May 28, 2026 - 18:02 EUVD
Analysis Generated
May 28, 2026 - 17:25 vuln.today
CVSS changed
May 28, 2026 - 17:22 NVD
9.3 (CRITICAL)

DescriptionGitHub Advisory

GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a emote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.

AnalysisAI

Remote code execution in GitButler desktop application versions prior to 0.19.7 allows attackers to execute arbitrary scripts within the Tauri webview by injecting malicious links into pull request bodies. The flaw activates when a user with forge integration enabled clicks the crafted link, leading to full compromise of the desktop client context. No public exploit identified at time of analysis, though the GitHub Security Advisory GHSA-xpmj-536r-9fc6 publicly documents the issue.

Technical ContextAI

GitButler is a Git-based version control GUI built on the Tauri framework, which uses a system webview (WebKit on macOS, WebView2 on Windows, WebKitGTK on Linux) bridged to a Rust backend. CWE-94 (Improper Control of Generation of Code, i.e. Code Injection) here manifests because pull request body content rendered by GitButler's forge integration is not properly sanitized before being injected into the Tauri webview, allowing crafted hyperlinks to escape into executable script context. The CPE cpe:2.3:a:gitbutlerapp:gitbutler:*:*:*:*:*:*:*:* covers all GitButler versions prior to the 0.19.7 fix.

RemediationAI

Upgrade to GitButler 0.19.7 or later, which is the vendor-released patch containing the fix as documented in GHSA-xpmj-536r-9fc6 (https://github.com/gitbutlerapp/gitbutler/security/advisories/GHSA-xpmj-536r-9fc6). If immediate patching is not feasible, disable forge integration in GitButler as a compensating control - the vendor confirms users without forge integration enabled are not vulnerable; the trade-off is loss of pull request and remote repository UI features within the client. Until patched, instruct users to avoid clicking links in pull request bodies from untrusted contributors and to review PR content through a browser or other tooling instead.

Share

EUVD-2026-32944 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy