Severity by source
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
AV:L because the malicious repo must be local; UI:R because TortoiseGitBlame must be actively invoked; PR:N as no privileges required on victim system; I:H for arbitrary file write; C and A both N.
Primary rating from Vendor (GitLab).
CVSS VectorVendor: GitLab
CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
Argument Injection in TortoiseGitBlame via Malicious Git History Filenames Leads to Arbitrary File Write in TortoiseGit
AnalysisAI
Arbitrary file write in TortoiseGit's TortoiseGitBlame component is triggered when a user opens a malicious git repository and invokes blame history on a file whose historical filenames contain argument injection payloads. The injected arguments are passed unsanitized to underlying git subprocess calls, allowing an attacker-controlled repository to write files to arbitrary paths on the victim's Windows filesystem. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires two specific preconditions: first, the victim must have cloned or otherwise obtained a local copy of a git repository containing specially crafted filenames in the commit history of at least one file; second, the victim must actively invoke TortoiseGitBlame on that specific file, triggering the argument injection. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 3.1 score of 5.5 Medium with vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N captures the key risk characteristics: local attack vector requiring user interaction but no special privileges, with high integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker crafts a git repository in which a tracked file's historical name contains argument injection payloads - for example, a filename embedding a git output flag and a target path. The victim receives this repository through a pull request, a code-sharing platform, or a phishing link, clones it, and uses TortoiseGitBlame to inspect annotation history on the malicious file. … |
| Remediation | An upstream fix is available as commit 7052e3ef61cd104f8a90fb3dcdfb403cbc8c1773 in the TortoiseGit GitLab repository (https://gitlab.com/tortoisegit/tortoisegit/-/commit/7052e3ef61cd104f8a90fb3dcdfb403cbc8c1773); a specific patched release version is not independently confirmed from available input data - users should monitor https://tortoisegit.org/issue/4269 for an official release announcement. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38733
GHSA-2h5c-f427-3wjr