CVE-2026-11572: Versions of the package degit before 2.8.6, from 3.0.0 and before 3.3.1 are vulnerable to Command Injection
Versions of the package degit before 2.8.6, and from 3.0.0 before 3.3.1, are vulnerable to Command Injection due to improper sanitisation of user input in git shell commands that the _cloneWithGit() and fetchRefs() functions invoke directly through the exec() method. An attacker can execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: 2.8.6
- Affected Products: 1
HarborGuard Analysis
Synopsis
A command injection vulnerability in the degit package (versions before 2.8.6, and 3.0.0 up to but not including 3.3.1) allows a remote attacker to execute arbitrary operating system commands on the host running degit. The vulnerability is reachable over the network and requires no authentication, but it does require the victim to run degit against a specially crafted git repository name. Successful exploitation gives the attacker full command execution as the process user, enabling data theft, file modification, or service disruption. Patched-image rebuilds at versions 2.8.6 and 3.3.1 are available on HarborGuard for affected environments.
HarborGuard Coverage
- Available: Detection of CVE-2026-11572 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of upstream feed ingestion, including custom-built images that bundle degit as a build or tooling dependency.
- Available: HarborGuard is capable of scoring this CVE at its published CVSS v4.0 severity of 8.7 (HIGH) and weighting the finding against each environment's compliance policy, then routing the alert to the appropriate team inbox within the customer organization.
- Available: A patched-image rebuild pinned to degit 2.8.6 or 3.3.1 (depending on the version range in use) becomes available on HarborGuard once an affected image is identified. For customers who opt into auto-remediation, the platform performs the rebuild, runs a regression test suite, and opens a pull request against affected workloads automatically.
Exploit Conditions
- Network reachability: Required
The attacker must be able to reach the service or trigger degit over the network, supplying a crafted repository name to the invoked git shell command.
- Authentication: Not required
No credentials or account are needed; the attacker can supply the malicious input without authenticating to any service.
- Victim interaction: Required
A user must interact with the attacker-controlled input, for example by running degit against a specially crafted repository name provided or referenced by the attacker.
- Attack complexity: Low
Exploit reliability is high, and no special environmental conditions, race conditions, or memory layout assumptions are required to trigger the injection.
Blast Radius
- Attacker executes arbitrary OS commands as the process user running degit, gaining a foothold on the build host or CI runner.
- Attacker reads sensitive files accessible to the process user, including source code, credentials, and environment variables stored on disk or in the environment.
- Attacker modifies or deletes files on the host, tampering with build artifacts, configuration files, or dependency caches.
- Attacker disrupts the affected build or tooling service, causing pipeline failures or corrupting outputs delivered downstream.
How HarborGuard Handles This
Available on HarborGuard: this CVE is matched against customer images within minutes of publication, covering both registry-stored images and images built in CI pipelines that include degit as a dependency. Where a scan identifies an affected version (degit below 2.8.6, or 3.0.0 up to but not including 3.3.1), a rebuilt image pinned to the appropriate fix version is made available. For customers who opt into auto-remediation, HarborGuard performs the rebuild, runs a regression test suite against the updated image, and opens a pull request against affected workloads automatically; for HIGH-severity issues, the median time from CVE publication to a merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy or workflow constraints prevent automatic remediation, the finding is surfaced in the customer dashboard with the recommended fix version clearly noted for manual action.
Fix available
- n/a / degit: < 2.8.6 (from 0) · < 3.3.1 (from 3.0.0)
CVSS v4.0 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P