soft-serve

by charmbraceletv0.11.6

Last updated Jun 8, 2026

A tasty, self-hostable Git server for the command line🍦

Install with winget

$ winget install --id charmbracelet.soft-serve --exact --version 0.11.6

Run in Command Prompt, PowerShell, or Windows Terminal. Prompts for any agreements.

Built by Pckgr

For Intune admins

Stop chasing app updates. Pckgr patches them for you.

Automated application patching for Microsoft Intune. Pckgr keeps a curated library of 1,000+ apps continuously up-to-date in your tenant via Microsoft Graph - no manual repackaging, no chasing vendor sites.

Start free 30-day trial

No credit card required.

Installers · v0.11.6

Architecture	Type	Scope	Install	Download
x64	Portable	-		Direct

Copy a command tailored to that specific architecture, type, and scope - useful when winget would otherwise pick a different default.

Security

7 known CVEs via NVD

medium6.5Patched in wingetCVE-2026-33353affects before 0.11.6Mar 24, 2026
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository...
Patch Vendor advisory
critical9.1Patched in wingetCVE-2026-30832affects before 0.11.4Mar 7, 2026
Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.4, an authenticated SSH user can force the server to make HTTP requests to internal/private IP addresses by running repo import with a crafted --lfs-endpoint URL. The initial...
Patch Vendor advisory
critical9.8Patched in wingetCVE-2026-24058affects before 0.11.3Jan 22, 2026
Soft Serve is a self-hostable Git server for the command line. Versions 0.11.2 and below have a critical authentication bypass vulnerability that allows an attacker to impersonate any user (including admin) by "offering" the victim's public key during the SSH handshake before au...
Patch Vendor advisory
medium5.4Patched in wingetCVE-2026-22253affects before 0.11.2Jan 8, 2026
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulner...
Patch Vendor advisory
critical9.1Patched in wingetCVE-2025-64522affects before 0.11.1Nov 10, 2025
Soft Serve is a self-hostable Git server for the command line. Versions prior to 0.11.1 have a SSRF vulnerability where webhook URLs are not validated, allowing repository administrators to create webhooks targeting internal services, private networks, and cloud metadata endpoin...
Patch Vendor advisory
high8.8Patched in wingetCVE-2025-22130affects before 0.8.2Jan 8, 2025
Soft Serve is a self-hostable Git server for the command line. Prior to 0.8.2 , a path traversal attack allows existing non-admin users to access and take over other user's repositories. A malicious user then can modify, delete, and arbitrarily repositories as if they were an ad...
Patch Vendor advisory
high7.5Patched in wingetCVE-2023-43809affects before 0.6.2Oct 4, 2023
Soft Serve is a self-hostable Git server for the command line. Prior to version 0.6.2, a security vulnerability in Soft Serve could allow an unauthenticated, remote attacker to bypass public key authentication when keyboard-interactive SSH authentication is active, through the `...
Patch Vendor advisory

Source: NVD, updated 3h ago. Patch status is best-effort: NVD's fix version is compared against the latest version in winget, but the two version formats don't always align. Confirm with the vendor advisory before treating any specific build as safe.

See a CVE that affects your fleet? Push the patched version to Intune in one click with Pckgr - automated patching is the only way to keep up.

Related apps

freezecharmbracelet
charmbracelet.freezev0.2.2
Generate images of code and terminal output.
wishlistcharmbracelet
charmbracelet.wishlistv0.15.2
The SSH directory
vhscharmbracelet
charmbracelet.vhsv0.11.0
A tool for recording terminal GIFs
skatecharmbracelet
charmbracelet.skatev1.0.1
A personal key value store 🛼
sequincharmbracelet
charmbracelet.sequinv0.3.1
Human-readable ANSI sequences.
popcharmbracelet
charmbracelet.popv0.2.1
Send emails from your terminal. 📬

Frequently asked questions

How do I install soft-serve on Windows?

Open Windows Terminal, PowerShell, or Command Prompt and run: winget install --id charmbracelet.soft-serve --exact --version 0.11.6. winget downloads the installer from charmbracelet and runs it. Requires Windows 10 (1809+) or Windows 11.

How do I install soft-serve silently for unattended deployment?

Add --silent and accept the agreements upfront: winget install --id charmbracelet.soft-serve --exact 0.11.6 --silent --accept-package-agreements --accept-source-agreements. This is the variant Intune, Configuration Manager, and other deployment tools should use.

How do I uninstall soft-serve via winget?

Run: winget uninstall --id charmbracelet.soft-serve --exact. Add --silent for unattended uninstalls. winget will use the registered uninstaller from soft-serve's Apps & Features entry.

Is soft-serve free?

soft-serve is distributed under MIT. Refer to the publisher (https://charm.land/) for the full license terms - Wingetly itself does not charge for installation.

Does soft-serve work on Windows 10?

Yes, as long as your Windows 10 build supports winget (1809 or newer). winget ships with App Installer on Windows 10/11 and pulls soft-serve directly from the publisher.

How do I keep soft-serve up to date?

Run winget upgrade --id charmbracelet.soft-serve --exact, or winget upgrade --all to update everything winget tracks. We index 10 versions of soft-serve from microsoft/winget-pkgs.

Recent versions

0.11.6latest
0.11.5
0.11.4
0.11.3
0.11.2
0.11.1
0.11.0
0.10.0
0.9.1
0.9.0