Sourcetree Security Advisory 2018-04-25

Still need help?

The Atlassian Community is here for you.

Ask the community

Sourcetree - Argument injection via Mercurial tag names on Windows - CVE-2018-5226


CVE-2018-5226 - Argument injection through the name of a tag for Windows

Advisory Release Date

 10:00 AM PDT (Pacific Time, -7 hours)

ProductSourcetree for Windows

Affected Sourcetree Versions

    • All versions of SourceTree for Windows before version

Fixed Sourcetree Versions

    • Sourcetree for Windows version and later.
CVE ID(s)CVE-2018-5226

Summary of Vulnerability

This advisory discloses a critical severity security vulnerability which affects Sourcetree for Window before (the fixed version). 

Customers who have upgraded Sourcetree for Windows to version and later are not affected.

Customers using Sourcetree for Mac are not affected.

Customers who have downloaded and installed Sourcetree for Windows before version

Please upgrade your Sourcetree installations to fix this vulnerability.

Argument injection via Mercurial tag names on Windows (CVE-2018-5226)


We have rated this a critical severity vulnerability as measured by the Atlassian severity levels scale. The scale allows us to rank the severity as critical, high, moderate or low.

This is our assessment and you should evaluate its applicability to your own IT environment.


There was an argument injection vulnerability in Sourcetree for Windows via Mercurial repository tag name that is going to be deleted. An attacker with permission to create a tag on a Mercurial repository linked in Sourcetree for Windows is able to exploit this issue to gain code execution on the system.

All versions of Sourcetree for Windows before are affected by this vulnerability. This issue can be tracked here:


Atlassian would like to credit Tianqi Zhang@Tophant for reporting this issue to us.


There is no known mitigation for this issue.


We have taken the following steps to address this issue:

  1. Released Sourcetree version that contains a fix for this issue which can be downloaded from and

What You Need to Do

Atlassian recommends that you upgrade to the latest version. For a full description of the latest version of Sourcetree, see the release notes for Windows. You can download the latest version of Sourcetree from the Sourcetree website.


Atlassian supports SourceTree through the Atlassian Community. If you have questions or concerns regarding this advisory, go to


Severity Levels for security issuesAtlassian security advisories include a severity level and a CVE identifier. This severity level is based on our self-calculated CVSS score for each specific vulnerability. CVSS is an industry standard vulnerability metric. You can also learn more about CVSS at
Last modified on Jul 9, 2018

Was this helpful?

Provide feedback about this article
Powered by Confluence and Scroll Viewport.