CVE-2026-48719
HighCVSS 8.0Exploitation Probability (EPSS)
Elevated risk57th percentile - higher than 57% of all known CVEs
Summary
Warp, an agentic development environment, contains a command injection vulnerability in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by the victim's shell if the victim selects that branch from the UI.
Risk Assessment
This vulnerability may lead to unauthorized command execution on the victim's system, posing a serious threat to the security of the organization's data and systems.
Recommendation
It is recommended to update Warp to version 0.2026.05.06.15.42.stable_01 to mitigate this vulnerability and to monitor branch usage in Git repositories.
Original NVD description (English source)
Warp is an agentic development environment. From 0.2025.08.06.08.12.stable_00 until 0.2026.05.06.15.42.stable_01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by the victim's shell if the victim selects that branch from the UI. This vulnerability is fixed in 0.2026.05.06.15.42.stable_01.

