CVE-2026-41506

HIGH EPSS 17.2%
Published May 8, 20261mo ago · Modified Jun 17, 20261w ago
7.4 CVSS 3.1
High
Find Similar
Published May 8, 2026 1mo ago
Last Modified Jun 17, 2026 1w ago

Description

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha.2.

CVSS Details

Base Score
7.4
Exploitability
2.8
Impact
4.0
Vector string
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N
Attack Vector Network
Attack Complexity Low
Privileges Required None
User Interaction Required
Scope Changed
Confidentiality High
Integrity None
Availability None

Threat Intelligence

EPSS Exploit Probability
17.2% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-522

Affected Products 2

VendorProductVersionRange
go-git_projectgo-git* <5.18.0
go-git_projectgo-git6.0.0any

References 3

  • github.com https://github.com/go-git/go-git/releases/tag/v5.18.0
    ProductRelease Notes
  • github.com https://github.com/go-git/go-git/releases/tag/v6.0.0-alpha.2
    ProductRelease Notes
  • github.com https://github.com/go-git/go-git/security/advisories/GHSA-3xc5-wrhm-f963
    Vendor Advisory

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.