Description
GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.
Published: 2026-05-28
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

GitButler, a Git‑based interface for AI workflows, contains a code‑injection flaw (CWE‑94) in its Tauri‑based desktop application before version 0.19.7. With forge integration enabled, the application renders pull‑request bodies from the connected forge inside its Tauri webview. An attacker who can author a pull‑request body can place a link in it whose target is a script rather than a web address; if the user clicks that link, the script runs inside the webview. A Tauri webview is wired to the application's native (Rust) side over IPC, so script running there is not confined to the rendered page, which is consistent with the CVSS 4.0 vector rating confidentiality, integrity and availability impact as High for both the vulnerable system and subsequent systems.
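The following is an added example of the bug class described above, not code from GitButler or from this advisory, and it does not claim to reproduce the project's actual rendering logic. It shows a webview renderer that turns Markdown links in a pull‑request body into anchors: the vulnerable version passes every link target through, a denylist "fix" is bypassed by a tab inside the scheme, and the allowlist version parses the target the way the webview will and accepts only http(s). All function names and the pull‑request body are hypothetical and constructed for the example.

```javascript
// Added example, not GitButler's code: link injection (CWE-94) in a webview
// that renders pull-request bodies, with a broken (denylist) fix beside a
// working (scheme-allowlist) one. Every name here is hypothetical; the PR
// body below is constructed for the example.

// Constructed PR body. Line 2 is the plain payload; line 3 hides a tab in the
// scheme, which the WHATWG URL parser strips before it reads the scheme.
const CONSTRUCTED_PR_BODY = [
  "Fixes the flaky CI job.",
  "[Open CI logs](javascript:alert(document.cookie))",
  "[Release notes](java\tscript:alert(1))",
  "[Upstream issue](https://github.com/example/repo/issues/1)",
].join("\n");

// Markdown link syntax [text](target), allowing one level of parentheses
// inside the target so javascript:alert(...) is captured whole.
const LINK_RE = /\[([^\]]*)\]\(([^()]*(?:\([^()]*\)[^()]*)*)\)/g;

function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) =>
    ({ "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" }[c]));
}

// Shared renderer: the body is HTML-escaped first (raw tags in the PR body are
// inert), then each link is emitted only if linkFilter accepts its target.
// Escaping never touches a URL scheme, so the filter sees the scheme intact.
function renderLinks(markdown, linkFilter) {
  return escapeHtml(markdown).replace(LINK_RE, (_m, text, href) =>
    linkFilter(href) ? `<a href="${href}" rel="noopener noreferrer">${text}</a>` : text);
}

// Vulnerable: every target becomes a clickable href. A javascript: target runs
// in the webview's origin when clicked, with whatever the page can reach.
function renderPrBodyVulnerable(markdown) {
  return renderLinks(markdown, () => true);
}

// Tempting but wrong fix: a prefix denylist. "java\tscript:" and
// " javascript:" do not match, yet the URL parser strips the tab or the
// leading whitespace and the browser executes them anyway.
function denylistBlocks(href) {
  return /^javascript:/i.test(href);
}
function renderPrBodyDenylist(markdown) {
  return renderLinks(markdown, (href) => !denylistBlocks(href));
}

// Working fix: parse the target exactly as the webview will and allow only
// known-safe schemes. `base` lets relative links ("#notes", "../pull/2") pass.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
function isSafeLinkTarget(href, base = "https://example.invalid/") {
  let url;
  try {
    url = new URL(href, base);
  } catch {
    return false; // unparseable targets are dropped, not guessed at
  }
  return ALLOWED_SCHEMES.has(url.protocol);
}
function renderPrBodySafe(markdown) {
  return renderLinks(markdown, isSafeLinkTarget);
}

if (typeof require !== "undefined" && require.main === module) {
  console.log("vulnerable:\n" + renderPrBodyVulnerable(CONSTRUCTED_PR_BODY));
  console.log("\ndenylist:\n" + renderPrBodyDenylist(CONSTRUCTED_PR_BODY));
  console.log("\nallowlist:\n" + renderPrBodySafe(CONSTRUCTED_PR_BODY));
}
```

The scheme check is the minimum: it still accepts any http(s) host, so a host policy, if wanted, is a separate decision. In a Tauri application the accepted links should additionally be handed to the shell open API on click rather than navigated inside the webview, and the webview's Content-Security-Policy in the Tauri configuration is a second line of defence against injected script.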

Affected Systems

The affected product is GitButler (gitbutlerapp:gitbutler). Only installations using the forge integration feature are vulnerable. Versions prior to 0.19.7 are impacted; newer releases contain the fix.

Risk and Exploitability

The CVSS 4.0 base score of 9.3 (Critical) reflects a network attack vector, low attack complexity, no attack requirements and low privileges: the attacker needs only the ability to author a pull‑request body on the connected forge. User interaction is rated Active (UI:A), so exploitation is a social‑engineering step in which the victim must click the crafted link from inside GitButler. EPSS data is not available and the vulnerability is not listed in CISA KEV. Once triggered, impact is rated High for confidentiality, integrity and availability on both the vulnerable system and subsequent systems.

Generated by OpenCVE AI on May 28, 2026 at 18:21 UTC.

Remediation

Fixed in GitButler 0.19.7, as stated in the description. Until an installation is upgraded, disabling forge integration removes the affected code path.

OpenCVE Recommended Actions

  • Upgrade GitButler to version 0.19.7 or later.
  • If upgrading is not immediately possible, disable the forge integration feature to eliminate the attack surface.
  • Until upgraded, warn users not to click links in pull‑request bodies from untrusted contributors from inside the application; monitoring for script execution inside the Tauri webview is not a practical control.

Advisories

No advisories yet.

History

Thu, 28 May 2026 17:00:00 +0000

Type          Values Removed    Values Added
Description                     GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a emote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link in a pull request body, which if clicked by the user allows for arbitrary script execution in the Tauri webview. Users that have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.
Title                           GitButler: Link injection via forge integration enables arbitrary script execution
Weaknesses                      CWE-94
References
Metrics                         cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T16:20:52.462Z

Reserved: 2026-05-11T18:41:13.155Z

Link: CVE-2026-45261

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-28T17:16:31.900

Modified: 2026-05-28T17:16:31.900

Link: CVE-2026-45261

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T18:30:23Z

Weaknesses