{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/repomix/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-59703"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["repomix \u003c 1.14.1"],"_cs_severities":["high"],"_cs_tags":["local-file-inclusion","web-vulnerability","cve","repomix"],"_cs_type":"advisory","_cs_vendors":["repomix"],"content_html":"\u003cp\u003eA critical local file inclusion vulnerability, identified as CVE-2026-59703, has been discovered in \u003ccode\u003erepomix\u003c/code\u003e, a tool for managing git repositories. This flaw allows unauthenticated attackers to read arbitrary local git repositories and sensitive server filesystem contents. The vulnerability stems from the \u003ccode\u003eisValidRemoteValue\u003c/code\u003e function in \u003ccode\u003esrc/core/git/gitRemoteParse.ts\u003c/code\u003e, which fails to block \u003ccode\u003efile://\u003c/code\u003e URLs. Attackers can supply these specially crafted \u003ccode\u003efile://\u003c/code\u003e scheme URLs via the \u003ccode\u003egit clone\u003c/code\u003e endpoint, bypassing validation and causing the application to pass them directly to the underlying \u003ccode\u003egit clone\u003c/code\u003e command. This enables unauthorized access to tracked files on the server. The vulnerability impacts \u003ccode\u003erepomix\u003c/code\u003e versions prior to 1.14.1. The advisory was published on July 8, 2026, highlighting the immediate need for organizations using vulnerable \u003ccode\u003erepomix\u003c/code\u003e instances to upgrade or implement protective measures to prevent data exfiltration.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eUnauthenticated attacker identifies a public-facing \u003ccode\u003erepomix\u003c/code\u003e instance vulnerable to CVE-2026-59703 (versions \u0026lt; 1.14.1).\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP POST or GET request targeting the \u003ccode\u003erepomix\u003c/code\u003e \u003ccode\u003egit clone\u003c/code\u003e endpoint, embedding a \u003ccode\u003efile://\u003c/code\u003e URI in the \u003ccode\u003eremote\u003c/code\u003e parameter, e.g., \u003ccode\u003e/git/clone?remote=file:///etc/passwd\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eisValidRemoteValue\u003c/code\u003e function in \u003ccode\u003esrc/core/git/gitRemoteParse.ts\u003c/code\u003e fails to properly validate and block the \u003ccode\u003efile://\u003c/code\u003e scheme URL.\u003c/li\u003e\n\u003cli\u003e\u003ccode\u003erepomix\u003c/code\u003e passes the attacker-supplied \u003ccode\u003efile://\u003c/code\u003e URI directly to the underlying \u003ccode\u003egit clone\u003c/code\u003e command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003egit clone\u003c/code\u003e command attempts to access and clone the local file path specified by the \u003ccode\u003efile://\u003c/code\u003e URI (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e).\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003erepomix\u003c/code\u003e application returns the content of the targeted local file or directory within the HTTP response to the attacker.\u003c/li\u003e\n\u003cli\u003eThis allows the unauthenticated attacker to read arbitrary local git repositories and other sensitive server filesystem contents, leading to data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59703 allows unauthenticated attackers to achieve local file inclusion, leading to the unauthorized disclosure of sensitive information. This includes access to arbitrary local git repositories, configuration files (e.g., \u003ccode\u003e/etc/passwd\u003c/code\u003e, database credentials), source code, and other proprietary data stored on the server's filesystem. While no specific victim count or targeted sectors have been disclosed, any organization using vulnerable \u003ccode\u003erepomix\u003c/code\u003e instances is at risk of significant data exfiltration and potential further compromise if credentials or other sensitive information are discovered through this vulnerability.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-59703 by upgrading \u003ccode\u003erepomix\u003c/code\u003e to version 1.14.1 or higher immediately.\u003c/li\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect attempts to exploit CVE-2026-59703 by monitoring webserver logs for \u003ccode\u003efile://\u003c/code\u003e URLs in \u003ccode\u003egit clone\u003c/code\u003e requests.\u003c/li\u003e\n\u003cli\u003eImplement a Web Application Firewall (WAF) rule to block HTTP requests to the \u003ccode\u003egit clone\u003c/code\u003e endpoint containing \u003ccode\u003efile://\u003c/code\u003e URI schemes in request parameters, as described in the attack chain.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-08T15:21:07Z","date_published":"2026-07-08T15:21:07Z","id":"https://feed.craftedsignal.io/briefs/2026-07-repomix-lfi/","summary":"repomix contains a local file inclusion vulnerability (CVE-2026-59703) in its git clone endpoint, allowing unauthenticated attackers to read arbitrary local git repositories and server filesystem contents by bypassing validation with crafted file:// URLs.","title":"CVE-2026-59703: repomix Local File Inclusion Vulnerability","url":"https://feed.craftedsignal.io/briefs/2026-07-repomix-lfi/"}],"language":"en","title":"CraftedSignal Threat Feed - Repomix","version":"https://jsonfeed.org/version/1.1"}