diff --git a/app/Jobs/ApplicationDeploymentJob.php b/app/Jobs/ApplicationDeploymentJob.php
index eafd25e07..8e5b32d1c 100644
--- a/app/Jobs/ApplicationDeploymentJob.php
+++ b/app/Jobs/ApplicationDeploymentJob.php
@@ -1892,9 +1892,27 @@ private function check_git_if_build_needed()
             );
         }
         if ($this->saved_outputs->get('git_commit_sha') && ! $this->rollback) {
-            $this->commit = $this->saved_outputs->get('git_commit_sha')->before("\t");
-            $this->application_deployment_queue->commit = $this->commit;
-            $this->application_deployment_queue->save();
+            // Extract commit SHA from git ls-remote output, handling multi-line output (e.g., redirect warnings)
+            // Expected format: "commit_sha\trefs/heads/branch" possibly preceded by warning lines
+            // Note: Git warnings can be on the same line as the result (no newline)
+            $lsRemoteOutput = $this->saved_outputs->get('git_commit_sha');
+
+            // Find the part containing a tab (the actual ls-remote result)
+            // Handle cases where warning is on the same line as the result
+            if ($lsRemoteOutput->contains("\t")) {
+                // Get everything from the last occurrence of a valid commit SHA pattern before the tab
+                // A valid commit SHA is 40 hex characters
+                $output = $lsRemoteOutput->value();
+
+                // Extract the line with the tab (actual ls-remote result)
+                preg_match('/([0-9a-f]{40})\s*\t/', $output, $matches);
+
+                if (isset($matches[1])) {
+                    $this->commit = $matches[1];
+                    $this->application_deployment_queue->commit = $this->commit;
+                    $this->application_deployment_queue->save();
+                }
+            }
         }
         $this->set_coolify_variables();
 
diff --git a/app/Models/Application.php b/app/Models/Application.php
index 595ba1cde..3e4b22db0 100644
--- a/app/Models/Application.php
+++ b/app/Models/Application.php
@@ -1305,7 +1305,8 @@ public function generateGitImportCommands(string $deployment_uuid, int $pull_req
         }
         if ($this->deploymentType() === 'other') {
             $fullRepoUrl = $customRepository;
-            $git_clone_command = "{$git_clone_command} {$customRepository} {$baseDir}";
+            $escapedCustomRepository = escapeshellarg($customRepository);
+            $git_clone_command = "{$git_clone_command} {$escapedCustomRepository} {$escapedBaseDir}";
             $git_clone_command = $this->setGitImportSettings($deployment_uuid, $git_clone_command, public: true);
 
             if ($pull_request_id !== 0) {
diff --git a/tests/Unit/GitLsRemoteParsingTest.php b/tests/Unit/GitLsRemoteParsingTest.php
new file mode 100644
index 000000000..f4fd2e881
--- /dev/null
+++ b/tests/Unit/GitLsRemoteParsingTest.php
@@ -0,0 +1,49 @@
+<?php
+
+uses(\Tests\TestCase::class);
+
+it('extracts commit SHA from git ls-remote output without warnings', function () {
+    $output = "196d3df7665359a8c8fa3329a6bcde0267e550bf\trefs/heads/master";
+
+    preg_match('/([0-9a-f]{40})\s*\t/', $output, $matches);
+    $commit = $matches[1] ?? null;
+
+    expect($commit)->toBe('196d3df7665359a8c8fa3329a6bcde0267e550bf');
+});
+
+it('extracts commit SHA from git ls-remote output with redirect warning on separate line', function () {
+    $output = "warning: redirecting to https://tangled.org/@tangled.org/core/\n196d3df7665359a8c8fa3329a6bcde0267e550bf\trefs/heads/master";
+
+    preg_match('/([0-9a-f]{40})\s*\t/', $output, $matches);
+    $commit = $matches[1] ?? null;
+
+    expect($commit)->toBe('196d3df7665359a8c8fa3329a6bcde0267e550bf');
+});
+
+it('extracts commit SHA from git ls-remote output with redirect warning on same line', function () {
+    // This is the actual format from tangled.sh - warning and result on same line, no newline
+    $output = "warning: redirecting to https://tangled.org/@tangled.org/core/196d3df7665359a8c8fa3329a6bcde0267e550bf\trefs/heads/master";
+
+    preg_match('/([0-9a-f]{40})\s*\t/', $output, $matches);
+    $commit = $matches[1] ?? null;
+
+    expect($commit)->toBe('196d3df7665359a8c8fa3329a6bcde0267e550bf');
+});
+
+it('extracts commit SHA from git ls-remote output with multiple warning lines', function () {
+    $output = "warning: redirecting to https://example.org/repo/\ninfo: some other message\n196d3df7665359a8c8fa3329a6bcde0267e550bf\trefs/heads/main";
+
+    preg_match('/([0-9a-f]{40})\s*\t/', $output, $matches);
+    $commit = $matches[1] ?? null;
+
+    expect($commit)->toBe('196d3df7665359a8c8fa3329a6bcde0267e550bf');
+});
+
+it('handles git ls-remote output with extra whitespace', function () {
+    $output = "  196d3df7665359a8c8fa3329a6bcde0267e550bf  \trefs/heads/master";
+
+    preg_match('/([0-9a-f]{40})\s*\t/', $output, $matches);
+    $commit = $matches[1] ?? null;
+
+    expect($commit)->toBe('196d3df7665359a8c8fa3329a6bcde0267e550bf');
+});