Skip to main content

TortoiseGit EUVDEUVD-2026-38733

| CVE-2026-11968 MEDIUM
Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') (CWE-88)
2026-06-24 GitLab GHSA-2h5c-f427-3wjr
5.5
CVSS 3.1 · Vendor: GitLab
Share

Severity by source

Vendor (GitLab) PRIMARY
5.5 MEDIUM
AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
vuln.today AI
5.5 MEDIUM

AV:L because the malicious repo must be local; UI:R because TortoiseGitBlame must be actively invoked; PR:N as no privileges required on victim system; I:H for arbitrary file write; C and A both N.

3.1 AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
4.0 AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitLab).

CVSS VectorVendor: GitLab

CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Attack Vector
Local
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 11:01 EUVD
Analysis Generated
Jun 24, 2026 - 10:31 vuln.today

DescriptionCVE.org

Argument Injection in TortoiseGitBlame via Malicious Git History Filenames Leads to Arbitrary File Write in TortoiseGit

AnalysisAI

Arbitrary file write in TortoiseGit's TortoiseGitBlame component is triggered when a user opens a malicious git repository and invokes blame history on a file whose historical filenames contain argument injection payloads. The injected arguments are passed unsanitized to underlying git subprocess calls, allowing an attacker-controlled repository to write files to arbitrary paths on the victim's Windows filesystem. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Attacker crafts git repo with injected filename in commit history
Delivery
Victim receives and clones malicious repository
Exploit
Victim invokes TortoiseGitBlame on affected file
Execution
Filename passes unsanitized to git subprocess
Persist
Injected arguments redirect git output
Impact
Arbitrary file written to victim filesystem

Vulnerability AssessmentAI

Exploitation Exploitation requires two specific preconditions: first, the victim must have cloned or otherwise obtained a local copy of a git repository containing specially crafted filenames in the commit history of at least one file; second, the victim must actively invoke TortoiseGitBlame on that specific file, triggering the argument injection. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 score of 5.5 Medium with vector AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N captures the key risk characteristics: local attack vector requiring user interaction but no special privileges, with high integrity impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker crafts a git repository in which a tracked file's historical name contains argument injection payloads - for example, a filename embedding a git output flag and a target path. The victim receives this repository through a pull request, a code-sharing platform, or a phishing link, clones it, and uses TortoiseGitBlame to inspect annotation history on the malicious file. …
Remediation An upstream fix is available as commit 7052e3ef61cd104f8a90fb3dcdfb403cbc8c1773 in the TortoiseGit GitLab repository (https://gitlab.com/tortoisegit/tortoisegit/-/commit/7052e3ef61cd104f8a90fb3dcdfb403cbc8c1773); a specific patched release version is not independently confirmed from available input data - users should monitor https://tortoisegit.org/issue/4269 for an official release announcement. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38733 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy