CVE-2024-47516

Critical

Published: 26 March 2025

Published

26 March 2025

Modified

15 April 2026

KEV Added

—

Patch

—

CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0196 83.6th percentile

Risk Priority 21 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-47516 is a critical-severity Argument Injection (CWE-88) vulnerability. Its CVSS base score is 9.8 (Critical).

Operationally, ranked in the top 16.4% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-2 Flaw Remediation good match

prevent

Requires identifying, reporting, and correcting flaws like the Pagure argument injection vulnerability via timely patching to prevent RCE.

SI-10 Information Input Validation good match

prevent

Enforces validation of crafted inputs to the repository history retrieval process before constructing Git commands, blocking argument injection.

RA-5 Vulnerability Monitoring and Scanning good match

preventdetect

Provides vulnerability scanning to identify CVE-2024-47516 in Pagure and mandates remediation to stop exploitation.

NVD Description

A vulnerability was found in Pagure. An argument injection in Git during retrieval of the repository history leads to remote code execution on the Pagure instance.

Deeper analysisAI

CVE-2024-47516 is a critical vulnerability in Pagure, a lightweight Git forge and web-based Git repository manager. It stems from an argument injection flaw (CWE-88) in the Git command used during retrieval of repository history, enabling remote code execution on the Pagure instance. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its network accessibility, low complexity, and lack of prerequisites for exploitation.

Any unauthenticated remote attacker can exploit this vulnerability by triggering the faulty repository history retrieval process, such as through a crafted request to Pagure's API or web interface. Successful exploitation grants arbitrary code execution on the server hosting the Pagure instance, potentially allowing full compromise including data theft, persistence, or lateral movement within the environment.

Red Hat advisories provide details on this vulnerability, including patches and mitigation guidance, accessible at https://access.redhat.com/security/cve/CVE-2024-47516 and https://bugzilla.redhat.com/show_bug.cgi?id=2315805. Security practitioners should review these for version-specific fixes and workarounds.

Details

CWE(s): CWE-88

CVEs Like This One

CVE-2026-26194Shared CWE-88

CVE-2026-22582Shared CWE-88

CVE-2026-40113Shared CWE-88

CVE-2025-41761Shared CWE-88

CVE-2026-25134Shared CWE-88

CVE-2026-42284Shared CWE-88

CVE-2026-2298Shared CWE-88

CVE-2026-24061Shared CWE-88

CVE-2026-24126Shared CWE-88

CVE-2025-0065Shared CWE-88

References

https://access.redhat.com/security/cve/CVE-2024-47516
secalert@redhat.com
https://bugzilla.redhat.com/show_bug.cgi?id=2315805
secalert@redhat.com