
GitButler EUVD-2026-32944

CVE-2026-45261 CRITICAL
Code Injection (CWE-94)
2026-05-28 GitHub_M
CVSS 4.0: 9.3

CVSS Vector (NVD)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: A
Scope: X

Lifecycle Timeline

Events: 3
Patch available: May 28, 2026 - 18:02 (EUVD)
Analysis Generated: May 28, 2026 - 17:25 (vuln.today)
CVSS changed: May 28, 2026 - 17:22 (NVD), 9.3 (CRITICAL)

Description (NVD)

GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.

Analysis (AI)

Remote code execution in GitButler desktop application versions prior to 0.19.7 allows attackers to execute arbitrary scripts within the Tauri webview by injecting malicious links into pull request bodies. The flaw activates when a user with forge integration enabled clicks the crafted link, leading to full compromise of the desktop client context. …


Remediation (AI)

24 hours: Identify all GitButler users in your organization; issue an alert recommending that they immediately stop clicking links in pull request bodies from untrusted sources and disable forge integration if it is not actively required.
7 days: Disable forge integration organization-wide until a patched version is available; evaluate switching to alternative forge clients or web-based interfaces as an interim measure. …



EUVD-2026-32944 vulnerability details – vuln.today
