CVE Catalog

CVE-2026-11572

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.07%

21th percentile - higher than 21% of all known CVEs

Summary

Versions of the package degit before 2.8.6 and from 3.0.0 to 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.

Risk Assessment

This vulnerability could lead to serious security breaches, allowing attackers to execute arbitrary system commands on the server. This may result in data loss, unauthorized access, or system takeover.

Recommendation

It is recommended to update the degit package to version 2.8.6 or later to mitigate this vulnerability. Additionally, conducting an audit of existing scripts and applications using this package is advisable to minimize risk.

Original NVD description (English source)

Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS