CVE-2026-45261
Severity: CRITICAL
GitButler: Link injection via forge integration enables arbitrary script execution
Title source: CNA description
GitButler is a modern Git-based version control interface for AI-powered workflows. Prior to 0.19.7, a remote code execution vulnerability exists in the Tauri-based GitButler desktop application. An attacker can inject a malicious link into a pull request body which, if clicked by the user, allows arbitrary script execution in the Tauri webview. Users who have not enabled forge integration are not at risk. This vulnerability is fixed in 0.19.7.
References (1)
https://github.com/gitbutlerapp/gitbutler/security/advisories/GHSA-xpmj-536r-9fc6
Scores
CVSS v4
9.3
EPSS
0.0052
EPSS Percentile
39.5%
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
total
Details
CWE
CWE-94
Status
published
Products (1)
gitbutlerapp/gitbutler
< 0.19.7
Published
May 28, 2026
Tracked Since
May 28, 2026