CVE-2023-26134
CRITICAL, EXPLOITED: git-commit-info <2.0.2 - Command Injection
Title source: llm
Exploitation Summary
CVE-2023-26134 has been observed exploited in the wild (reported by VulnCheck KEV).
Description
Versions of the package git-commit-info before 2.0.2 are vulnerable to Command Injection: the package-exported method gitCommitInfo() fails to sanitize its commit parameter, which later flows into a sensitive command execution API. As a result, attackers may inject malicious commands once they control the hash content.
References (3)
Patch
https://github.com/JPeer264/node-git-commit-info/commit/f7c491ede51f886a988af9b266797cb24591d18c
Exploit, Issue Tracking
https://github.com/JPeer264/node-git-commit-info/issues/24
Exploit, Third Party Advisory
https://security.snyk.io/vuln/SNYK-JS-GITCOMMITINFO-5740174
Scores
CVSS v3
9.8
EPSS
0.0031
EPSS Percentile
54.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
VulnCheck KEV
2025-01-21
CWE
CWE-78
CWE-77
Status
published
Products (2)
git-commit-info_project/git-commit-info
< 2.0.2
npm/git-commit-info
0 - 2.0.2 (npm)
Published
Jun 28, 2023
Tracked Since
Feb 18, 2026