PatchSiren cyber security CVE debrief
CVE-2026-45261 gitbutlerapp CVE debrief
A critical remote code execution vulnerability exists in GitButler desktop application versions prior to 0.19.7. The Tauri-based application fails to properly sanitize pull request body content, allowing an attacker to inject malicious links that execute arbitrary scripts in the Tauri webview when clicked. This vulnerability requires user interaction (clicking the malicious link) and affects only users who have enabled forge integration. The CVSS 4.0 vector indicates network attack vector with low attack complexity, low privileges required, and high impact across confidentiality, integrity, and availability. The vulnerability is classified under CWE-94 (Improper Control of Generation of Code).
- Vendor: gitbutlerapp
- Product: gitbutler
- CVSS: CRITICAL 9.3
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-28
- Original CVE updated: 2026-05-28
- Advisory published: 2026-05-28
- Advisory updated: 2026-05-28
Who should care
Organizations and individual developers using GitButler desktop application with forge integration enabled. Security teams managing software development toolchains. Developers working in environments where untrusted pull requests may be reviewed.
Technical summary
The GitButler desktop application, built on the Tauri framework, contains a remote code execution vulnerability in its handling of pull request body content. The application renders pull request bodies within a Tauri webview without adequate input sanitization. An attacker can craft a malicious pull request containing a specially designed link that, when clicked by a victim user, triggers arbitrary script execution within the webview context. This script execution operates with the privileges of the GitButler application, potentially allowing system compromise. The attack requires: (1) the victim has enabled forge integration in GitButler, (2) the victim views a malicious pull request, and (3) the victim clicks the injected malicious link. The vulnerability is resolved in version 0.19.7 through implementation of proper link sanitization and/or execution context restrictions.
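The defensive pattern the summary points to, as an added illustration that is not GitButler's code and not the actual 0.19.7 fix (the advisory does not give its details): links extracted from an untrusted pull request body are rendered as clickable anchors only when their URL scheme is on an allowlist, and everything else is emitted as inert escaped text. Function names and the Markdown-style link syntax are assumptions.

```javascript
// Added example, not GitButler's code. Sanitizes links found in an
// untrusted pull request body before the text is shown in a webview.
// Only http(s) links become anchors; anything else stays plain text.
const SAFE_SCHEMES = new Set(["http:", "https:"]);

// Hypothetical helper: return a normalised href if its scheme is allowed,
// otherwise null. new URL() lowercases the scheme and strips embedded
// tabs/newlines, so obfuscated scheme spellings still end up rejected.
function safeHref(rawHref) {
  let url;
  try {
    url = new URL(rawHref.trim());
  } catch {
    return null; // relative or unparsable: reject rather than guess a base
  }
  return SAFE_SCHEMES.has(url.protocol) ? url.href : null;
}

// Escape the five HTML-significant characters in text and attribute values.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Markdown-style [text](href) links, href may not contain ')' or whitespace.
const LINK_RE = /\[([^\]]*)\]\(([^)\s]+)\)/g;

// Hypothetical helper: render the body to HTML. Links with a disallowed
// scheme are shown as their raw markup so there is nothing to click.
function renderLinks(body) {
  let out = "";
  let last = 0;
  for (const m of body.matchAll(LINK_RE)) {
    out += escapeHtml(body.slice(last, m.index));
    const [whole, text, href] = m;
    const safe = safeHref(href);
    if (safe === null) {
      out += escapeHtml(whole);
    } else {
      out += `<a href="${escapeHtml(safe)}" rel="noopener noreferrer" target="_blank">${escapeHtml(text)}</a>`;
    }
    last = m.index + whole.length;
  }
  return out + escapeHtml(body.slice(last));
}
```

In a Tauri application the allowed URL should additionally be handed to the system browser rather than navigated inside the webview, so that even an allowlisted link never runs in the application's privileged context.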
Defensive priority
critical
Recommended defensive actions
- Upgrade GitButler desktop application to version 0.19.7 or later immediately
- If immediate upgrade is not possible, disable forge integration to eliminate attack surface
- Educate users about the risk of clicking links within pull request bodies in GitButler
- Monitor for suspicious pull request activity in integrated forges
- Review application logs for unexpected script execution or network activity from the GitButler webview process
Evidence notes
Vulnerability confirmed through GitHub Security Advisory GHSA-xpmj-536r-9fc6. CVSS 4.0 score of 9.3 reflects critical severity with high impacts across all security dimensions. Fix version 0.19.7 explicitly addresses this vulnerability.
Official resources
- CVE-2026-45261 CVE record (CVE.org)
- CVE-2026-45261 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: 2026-05-28