CVSS 8.8 (HIGH)

CVE-2026-49987: repomix Vulnerable to Command Injection (RCE) via `--remote-branch` Argument Injection


- CVSS Score: 8.8
- Severity: HIGH
- CISA KEV: No
- Impact Type: Vulnerability

📋 Vulnerability Details

- CVE ID: CVE-2026-49987
- Vendor: npm
- Affected Product: repomix
- Vulnerability Type: Vulnerability
- CVSS Score: 8.8 (HIGH)
- Actively Exploited: No known exploitation
- Patch Status: See Vendor Advisory
- Reported By: CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories)

🔬 Technical Analysis


Vulnerability Metadata

| Field | Detail |
| --- | --- |
| Affected Component | src/core/git/gitCommand.ts (execGitShallowClone) |
| Impact | Arbitrary Command Execution / Security Control Bypass |

Summary

The --remote-branch CLI option in repomix is vulnerable to argument injection. User-supplied input is passed directly to git fetch and git checkout subprocesses via child_process.execFileAsync without sanitization, -- delimiters, or validation. An attacker can inject arbitrary git command-line options. By injecting the --upload-pack option and specifying an SSH (git@...) or local (file://) remote URL, an attacker achieves arbitrary command execution with the privileges of the user running repomix. This bypasses the existing dangerousParams blockli
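As an added example (not repomix's own code, and not the patched function), a hypothetical wrapper in the project's language showing how a user-supplied branch value can be validated before it reaches git's argv, and where a `--` delimiter does and does not help. The function and regex names, and the allowlist itself, are assumptions of this example.

```typescript
// Added example (not repomix's own code): a hypothetical wrapper around the
// git argv that a `--remote-branch` value ends up in.

// Anything starting with "-" is parsed by git as an option (e.g. --upload-pack),
// so an option-like "branch" must never reach the argv.
const OPTION_LIKE = /^-/;
// Conservative allowlist for ref names; deliberately tighter than git's own
// check-ref-format rules (an assumption of this example, not a git rule).
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,254}$/;

function isSafeRefName(ref: string): boolean {
  if (OPTION_LIKE.test(ref)) return false;
  if (!SAFE_REF.test(ref)) return false;
  // Forms git itself forbids in ref names (and ".." also smells of traversal).
  if (ref.includes("..") || ref.endsWith("/") || ref.endsWith(".lock")) return false;
  return true;
}

// argv for a shallow fetch of one ref. Validation runs first; the `--` is
// defence in depth: git stops option parsing at `--`, so even a value that
// slipped past validation could not be read as --upload-pack or any other flag.
function buildFetchArgs(remote: string, ref: string): string[] {
  if (!isSafeRefName(ref)) {
    throw new Error(`refusing unsafe ref name: ${JSON.stringify(ref)}`);
  }
  return ["fetch", "--depth", "1", remote, "--", ref];
}

// argv for checkout. Here a leading `--` cannot protect the branch position
// (git reads `checkout -- x` as a pathspec, not a branch), so validation of
// the value is the only line of defence for this subprocess.
function buildCheckoutArgs(ref: string): string[] {
  if (!isSafeRefName(ref)) {
    throw new Error(`refusing unsafe ref name: ${JSON.stringify(ref)}`);
  }
  return ["checkout", ref];
}
```

The argv arrays are meant for an execFile-style call (no shell), which is why only git's own option parsing, not shell quoting, is the concern here.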
