CVE-2026-45033EPSS p26.7%

CVE-2026-45033CVE-2026-45033

github / copilot-cli

Description

GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent performs git operations. By exploiting git's automatic bare repository discovery during directory traversal, an attacker can set core.fsmonitor or other executable config keys to run arbitrary commands without user awareness or approval. The vulnerability arises because git's core.fsmonitor config key (and 15+ similar keys such as core.hookspath, diff.external, merge.tool, etc.) can specify arbitrary shell commands that git will execute as part of normal operations like status, diff, or rev-parse. This vulnerability is fixed in 1.0.43.

Scoring

CVSS 7.8 ()
VectorCVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS0.35% probability of exploitation · percentile 26.7% · 2026-06-18T12:00:27Z
Last modified2026-06-02

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-21256
CVE
CVE-2026-45482
CVE
CVE-2025-64660
CVE
CVE-2026-21518
CVE
CVE-2026-21257
CVE
CVE-2026-41109
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.