CVE-2026-11968 PUBLISHED

Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in TortoiseGit

Assigner: GitLab
Reserved: 11.06.2026 Published: 24.06.2026 Updated: 24.06.2026

Argument Injection in TortoiseGitBlame via Malicious Git History Filenames Leads to Arbitrary File Write in TortoiseGit

Metrics

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
CVSS Score: 5.5

Product Status

Vendor TortoiseGit team
Product TortoiseGit
Versions Default: unaffected
  • affected from 1.8.10.0 to 2.19.0 (excl.)

Solutions

Upgrade to version 2.19.0

Credits

  • Gabriele Paris of NATO Cyber Security Centre finder

References

Problem Types

  • CWE-88: Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') CWE