8.5
CVE-2026-3515
- EPSS 0.3%
- Veröffentlicht 24.05.2026 03:32:32
- Zuletzt bearbeitet 26.05.2026 20:06:20
- Quelle security@huntr.dev
- CVE-Watchlists
- Unerledigt
Argument Injection in prefecthq/prefect
A vulnerability in the `GitHubRepository` block of the `prefect-github` integration in Prefect version 3.6.18 allows an attacker to inject arbitrary git command-line options via the `reference` field. The `reference` field is concatenated directly into a `git clone` command string without proper sanitization, and then parsed by `shlex.split()`. This enables injection of options such as `-c`, leading to potential Server-Side Request Forgery (SSRF), credential theft, or remote code execution (RCE). The vulnerability affects both the `aget_directory()` and `get_directory()` methods in `src/integrations/prefect-github/prefect_github/repository.py`. This issue does not affect the GitLab and BitBucket integrations, which use a safer list-based command construction approach.
Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).
Herstellerprefecthq
≫
Produkt
prefecthq/prefect
Version <=
latest
Version
unspecified
Status
affected
VulnDex Vulnerability Enrichment
Diese Information steht angemeldeten Benutzern zur Verfügung. 
Login
Login| Typ | Quelle | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.3% | 0.213 |
| Quelle | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security@huntr.dev | 8.5 | 3.1 | 4.7 |
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N
|
CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')
The product constructs a string for a command to be executed by a separate component in another control sphere, but it does not properly delimit the intended arguments, options, or switches within that command string.
https://huntr.com/bounties/f3b048b8-7f4e-45ef-a5a7-cb841c39acde