Post cover image

July 4, 2026

How I Turned a Branch Name into Remote Code Execution

A source-to-sink analysis of CVE-2026–49987 in Repomix — and how a single missing delimiter bypassed built-in security controls and leads…

By Kakashi

5 min read