Skip to main content

Tortoisegit

1 CVEs product

Monthly

CVE-2026-11968 MEDIUM PATCH This Month

Arbitrary file write in TortoiseGit's TortoiseGitBlame component is triggered when a user opens a malicious git repository and invokes blame history on a file whose historical filenames contain argument injection payloads. The injected arguments are passed unsanitized to underlying git subprocess calls, allowing an attacker-controlled repository to write files to arbitrary paths on the victim's Windows filesystem. No public exploit has been identified at time of analysis, and no KEV listing exists; however, a fix commit is available upstream.

Code Injection Tortoisegit
NVD VulDB
CVSS 3.1
5.5
EPSS
0.2%
EPSS 0% CVSS 5.5
MEDIUM PATCH This Month

Arbitrary file write in TortoiseGit's TortoiseGitBlame component is triggered when a user opens a malicious git repository and invokes blame history on a file whose historical filenames contain argument injection payloads. The injected arguments are passed unsanitized to underlying git subprocess calls, allowing an attacker-controlled repository to write files to arbitrary paths on the victim's Windows filesystem. No public exploit has been identified at time of analysis, and no KEV listing exists; however, a fix commit is available upstream.

Code Injection Tortoisegit
NVD VulDB

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy