Description
Argument Injection in TortoiseGitBlame via Malicious Git History Filenames Leads to Arbitrary File Write in TortoiseGit
Published: 2026-06-24
Score: 5.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command argument injection flaw in TortoiseGit’s blame routine allows an attacker to craft a malicious Git history file name that is not properly neutralized, resulting in an arbitrary file write on the local system. The vulnerability, identified as CWE‑88, permits overwriting or creating arbitrary files, which could lead to unauthorized data modification or potentially execution of malicious code if the written files are later processed by the system.

Affected Systems

All versions of TortoiseGit prior to 2.19.0 are affected; the vulnerable component resides in the Blame feature of the client. No specific vendor products beyond TortoiseGit itself are listed.

Risk and Exploitability

The CVSS score of 5.5 indicates a medium severity. No EPSS score is available, and the flaw is not listed in CISA’s KEV catalog. Based on the description, the likely attack vector is a local or remote repository containing a malicious history file name that a user opens or pulls using TortoiseGit. While the flaw requires the victim to process the repository, it does not demand privileged access.

Generated by OpenCVE AI on June 24, 2026 at 13:34 UTC.

Remediation

Vendor Solution

Upgrade to version 2.19.0


OpenCVE Recommended Actions

  • Upgrade TortoiseGit to version 2.19.0 or later.
  • If an upgrade is not immediately possible, disable the Blame feature or remove it from the toolbar to prevent processing of malicious history files.
  • Scan local Git repositories for unusually named history files and delete any files that could trigger injection before opening the repository with TortoiseGit.

Generated by OpenCVE AI on June 24, 2026 at 13:34 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Tortoisegit
Tortoisegit tortoisegit
Vendors & Products Tortoisegit
Tortoisegit tortoisegit

Wed, 24 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
Description Argument Injection in TortoiseGitBlame via Malicious Git History Filenames Leads to Arbitrary File Write in TortoiseGit
Title Improper Neutralization of Argument Delimiters in a Command ('Argument Injection') in TortoiseGit
Weaknesses CWE-88
References
Metrics cvssV3_1

{'score': 5.5, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N'}


Subscriptions

Tortoisegit Tortoisegit
cve-icon MITRE

Status: PUBLISHED

Assigner: GitLab

Published:

Updated: 2026-06-24T12:01:06.166Z

Reserved: 2026-06-11T10:19:36.614Z

Link: CVE-2026-11968

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T15:45:06Z

Weaknesses
  • CWE-88

    Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')