GitButler: Link injection via forge integration enables arbitrary script execution

9.3 / 10

CRITICAL

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Description

GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.

AI Analysis

Remote code execution vulnerability in GitButler desktop application via malicious link injection in pull request body

Basic Information

ID CVE-2026-45261

Source GitHub_M

Published May 28, 2026 at 16:20

Affected Product

Vendor gitbutlerapp

Product gitbutler

Version < 0.19.7

Affected Versions gitbutlerapp gitbutler < 0.19.7

CWE Classification

CWE-94

AI Assessment

AI Score 9.3 / 10

AI Severity Critical

Vendor gitbutlerapp

Product GitButler

Version < 0.19.7

References

github.com /gitbutlerapp/gitbutler/security/advisories/GHSA-xpmj-536r-9fc6

{
    "lastseen": "",
    "description": "GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.",
    "published": "2026-05-28T16:20:52.462Z",
    "modified": "2026-05-28T16:20:52.462Z",
    "type": "cve",
    "title": "GitButler: Link injection via forge integration enables arbitrary script execution",
    "source": "GitHub_M",
    "references": "https://github.com/gitbutlerapp/gitbutler/security/advisories/GHSA-xpmj-536r-9fc6",
    "id": "CVE-2026-45261",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94"
    ],
    "cvelist": null,
    "sourceData": "gitbutlerapp gitbutler < 0.19.7",
    "sourceHref": "",
    "cvss": {
        "score": 9.3,
        "severity": "CRITICAL",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "gitbutler",
    "version": "< 0.19.7",
    "vendor": "gitbutlerapp",
    "ai_description": "Remote code execution vulnerability in GitButler desktop application via malicious link injection in pull request body",
    "ai_severity": "Critical",
    "ai_vendor": "gitbutlerapp",
    "ai_product": "GitButler",
    "ai_version": "< 0.19.7",
    "ai_score": 9.3
}

GitButler: Link injection via forge integration enables arbitrary script execution_CVE-2026-45261