CVE-2026-11572
HighCVSS 8.8Exploitation Probability (EPSS)
Low risk21th percentile - higher than 21% of all known CVEs
Summary
Versions of the package degit before 2.8.6 and from 3.0.0 to 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
Risk Assessment
This vulnerability could lead to serious security breaches, allowing attackers to execute arbitrary system commands on the server. This may result in data loss, unauthorized access, or system takeover.
Recommendation
It is recommended to update the degit package to version 2.8.6 or later to mitigate this vulnerability. Additionally, conducting an audit of existing scripts and applications using this package is advisable to minimize risk.
Original NVD description (English source)
Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection due to improper sanitisation of user input for git shell commands directly invoked with exec() method by _cloneWithGit() and fetchRefs() functions. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.

