Product
The `repomix` CLI tool is vulnerable to command injection (CVE-2026-49987) via unsanitized user input in the `--remote-branch` argument, allowing attackers to inject arbitrary `git` command-line options like `--upload-pack` and achieve remote code execution with the privileges of the running user, potentially leading to CI/CD pipeline compromise.