PatchSiren cyber security CVE debrief
CVE-2026-11572 Rich-Harris CVE debrief
CVE-2026-11572 is a high-severity vulnerability in the degit package. Versions before 2.8.6 and from 3.0.0 to before 3.3.1 are vulnerable to command injection due to improper sanitization of user input for git shell commands. This allows an attacker to execute arbitrary operating system commands as the process user by supplying a specially crafted git repository name.
- Vendor: Rich-Harris
- Product: degit
- CVSS: HIGH 7.4
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-09
- Original CVE updated: 2026-06-09
- Advisory published: 2026-06-09
- Advisory updated: 2026-06-09
Who should care
Developers and users of the degit package, especially those using versions before 2.8.6 or between 3.0.0 and 3.3.1, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The vulnerability exists in the _cloneWithGit() and fetchRefs() functions, which directly invoke git shell commands with user-input data without proper sanitization. This can be exploited by providing a malicious git repository name, allowing the execution of arbitrary system commands.
Defensive priority
High
Recommended defensive actions
- Update to a secure version of degit (2.8.6 or later, or 3.3.1 or later) as soon as possible.
- Validate and sanitize any user-supplied value, such as a repository name, before it is passed to a git command, and avoid building shell command strings from such input.
- Monitor your systems for suspicious activity related to degit.
Evidence notes
Evidence of this vulnerability comes from Snyk, as indicated by the source item and resource links recorded for this entry.
Official resources
CVE-2026-11572 was published on 2026-06-09T06:16:53.000Z and modified on 2026-06-09T14:16:34.570Z.