Description
A security vulnerability has been detected in Intina47 context-sync up to 2.0.0. This affects an unknown part of the file src/git-integration.ts of the component Git Integration. Such manipulation leads to os command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
Published: 2026-04-26
Score: 6.9 Medium
EPSS: 1.7% Low
KEV: No
Impact: Remote OS command execution
Action: Apply Patch
AI Analysis

Impact

A remote attacker can exploit unsanitized user input in the Git Integration component of Intina47 context-sync to inject arbitrary operating-system commands. The flaw resides in src/git-integration.ts and is classified as CWE-77 and CWE-78. Successful exploitation would allow the attacker to execute arbitrary commands on the host running the application, potentially compromising confidentiality, integrity, and availability of the affected system. The vulnerability impacts all versions of Intina47 context-sync up to 2.0.0.

Affected Systems

Affected systems include all deployments of Intina47 context-sync with versions 1.x through 2.0.0, regardless of environment, as the vulnerable code path is present in the component named Git Integration. The component is available in the open-source repository and may be used in web applications, CI/CD pipelines, or services that interact with Git repositories. Any installation that relies on the unpatched source code is vulnerable.

Risk and Exploitability

The CVSS base score of 6.9 indicates a medium to high severity. The EPSS score is less than 1%, suggesting a low current exploitation probability, and the issue is not listed in the CISA KEV catalog. Because the attack can be performed remotely through manipulated input, the risk is elevated for exposed interfaces. However, exploitation requires that the vulnerable Git Integration module is in use and that the application runs with sufficient privileges to execute system commands. Mitigations such as disabling shell execution or updating to a patched release lower the risk substantially.

Generated by OpenCVE AI on April 28, 2026 at 05:03 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Intina47 context-sync to a release that contains the fix for the Git Integration command injection once one is available (the Remediation section above lists no vendor fix at present).
  • If upgrade is not immediately possible, remove or disable the Git Integration feature or any command execution paths that accept untrusted input.
  • Validate and sanitize all inputs that reach OS command execution and avoid directly passing user-controlled strings to the shell.

Generated by OpenCVE AI on April 28, 2026 at 05:03 UTC.
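
The third recommended action above, sketched as an added example (not code from context-sync and not part of the OpenCVE record): calling git from Node.js with an argument vector and an allowlisted ref, so user input never reaches a shell. The function names, the ref pattern and the sample inputs are assumptions constructed for illustration.

```javascript
// Added illustration; helper names are hypothetical, not context-sync's API.
// Risky generic pattern: exec(`git log ${ref} -- ${file}`) gives /bin/sh the
// whole string, so metacharacters in ref or file become shell syntax.
const { execFileSync } = require('node:child_process');

// Assumed policy: only simple branch, tag or commit names are needed.
// First character is alphanumeric, so the value can never parse as an option.
const SAFE_REF = /^[A-Za-z0-9][A-Za-z0-9._\/-]{0,199}$/;

function validateRef(ref) {
  if (typeof ref !== 'string' || !SAFE_REF.test(ref) || ref.includes('..')) {
    throw new Error('rejected git ref');
  }
  return ref;
}

// Build an argument vector, never a command string. Each element reaches git
// as exactly one argv entry; "--" ends revisions so the path stays a path.
function buildLogArgs(ref, filePath) {
  if (typeof filePath !== 'string' || filePath.includes('\0')) {
    throw new Error('rejected path');
  }
  return ['log', '--oneline', '-n', '20', validateRef(ref), '--', filePath];
}

// execFileSync runs the binary directly; no shell is spawned by default.
function gitLog(repoDir, ref, filePath) {
  return execFileSync('git', buildLogArgs(ref, filePath), {
    cwd: repoDir, encoding: 'utf8', timeout: 10000,
  });
}

// Constructed sample inputs: two ordinary refs and four that must be refused.
function classifySamples() {
  const samples = ['main', 'feature/login', 'main; id', '$(id)', '--output=x', 'a..b'];
  return samples.map((s) => {
    try { validateRef(s); return [s, 'accepted']; } catch { return [s, 'rejected']; }
  });
}
```

Validation and the argument vector are independent layers: the allowlist stops option injection into git itself, while the absence of a shell stops metacharacter interpretation even in the file path, which is not allowlisted here.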

Advisories

No advisories yet.

History

Mon, 27 Apr 2026 21:15:00 +0000

Values Removed: none
Values Added:
  Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 27 Apr 2026 20:15:00 +0000

Values Removed: none
Values Added:
  First Time appeared: Intina47; Intina47 context-sync
  Vendors & Products: Intina47; Intina47 context-sync

Sun, 26 Apr 2026 22:30:00 +0000

Values Removed: none
Values Added:
  Description: A security vulnerability has been detected in Intina47 context-sync up to 2.0.0. This affects an unknown part of the file src/git-integration.ts of the component Git Integration. Such manipulation leads to os command injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
  Title: Intina47 context-sync Git Integration git-integration.ts os command injection
  Weaknesses: CWE-77, CWE-78
  References
  Metrics:
    cvssV2_0: {'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}
    cvssV3_0: {'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}
    cvssV4_0: {'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-27T20:13:34.907Z

Reserved: 2026-04-26T07:07:18.190Z

Link: CVE-2026-7062

Vulnrichment

Updated: 2026-04-27T20:13:29.309Z

NVD

Status: Deferred

Published: 2026-04-26T23:16:21.093

Modified: 2026-04-29T01:00:01.613

Link: CVE-2026-7062

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-28T05:15:22Z

Weaknesses