21 matches found

Tenable Nessus
added yesterday, 2 views

Linux Distros Unpatched Vulnerability : CVE-2026-52726

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5,...

9 CVSS, 0.80837 EPSS
Exploits 32, References 2

NVD
added 2 days ago, 3 views

CVE-2026-52726

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, dulwich.porcelain.submodule_update, and by extension porcelain.clone(..., recurse_submodules=True), materializes attacker-controlled submodule paths from a crafted...

7.5 CVSS, 0.00099 EPSS
Exploits 0, References 2

NVD
added 2 days ago, 4 views

CVE-2026-47734

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack /...

5.7 CVSS, 0.00034 EPSS
Exploits 0, References 2

EUVD
added 2 days ago, 5 views

EUVD-2026-36195

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, dulwich.porcelain.submodule_update, and by extension porcelain.clone(..., recurse_submodules=True), materializes attacker-controlled submodule paths from a crafted...

7.5 CVSS, 5.8 AI score, 0.00099 EPSS
Exploits 0, References 2

CVE
added 2 days ago, 7 views

CVE-2026-52726

Technical details about CVE-2026-52726 are not publicly provided in the supplied documents; monitor for updates.

7.5 CVSS, 5.8 AI score, 0.00099 EPSS
Exploits 0, References 2

EUVD
added 2 days ago, 5 views

EUVD-2026-36193

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.1.0 and prior to version 1.2.5, a client with push access could push a tiny crafted thin pack (174 bytes) whose delta header declares a huge dest_size. When dulwich ingested it via add_thin_pack /...

5.7 CVSS, 5.4 AI score, 0.00034 EPSS
Exploits 0, References 2

Positive Technologies
added 2 days ago, 6 views

PT-2026-48568

🔴 CVE-2026-52726 is being exploited for RCE: attackers can drop malicious .git/hooks payloads via Dulwich's submodule path traversal flaw. This bypasses standard protections. Patch immediately to prevent full compromise. NerdieNews CyberSecurity Vulnerability https://t.co/tIoG1l3nqd...

7.5 CVSS, 5.4 AI score, 0.00099 EPSS
Exploits 0, References 4

vulnersOsv
added 4 days ago, 2 views

5gasp-cli (>=0.1.0 <=0.4.0), agentos (>=0.1.0 <=0.2.0) +605 more potentially affected by CVE-2026-47734 via dulwich (>=0.20.2 <=1.0.0)

dulwich PYPI version =0.20.2, =0.1.0, =0.1.0, =0.5.1, =21.7.1, =0.0.1, =0.1.0, =1.3.4, =2023.2.21, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.5.1 and more Source cves: CVE-2026-47734 Source advisory: OSV:GHSA-XRVJ-V92F-53GJ...

5.5 AI score, 0.00034 EPSS
Exploits 0

OSV
added 2026/05/28 10:29 p.m., 6 views

GHSA-9277-MP7X-85JF Dulwich Vulnerable to Command Injection via Merge Driver Path

Summary: Dulwich's ProcessMergeDriver substitutes the file path from the git tree (controllable by an attacker via a malicious branch) into the merge driver command via the %P placeholder and executes it with subprocess.run(..., shell=True). An attacker who can cause a victim to merge an untrusted...

7.7 CVSS, 6.3 AI score, 0.00084 EPSS
Exploits 0, References 5

vulnersOsv
added 2026/05/28 10:29 p.m., 2 views

aiidalab (>=22.6.0 <=26.5.2), aiidalab-chemshell (>=0.0.1 <=0.1.1) +137 more potentially affected by CVE-2026-42563 via dulwich (>=0.24.1 <=1.0.0)

dulwich PYPI version =0.24.1, =22.6.0, =0.0.1, =0.1.0, =1.3.4, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.2.1, =0.1.0, =0.1.6 - artificial-detection =0.1.0 - attp =0.1.0a0 and more Source cves: CVE-2026-42563 Source advisory: SNYK:PYTHON-DULWICH-17054926...

5.4 AI score, 0.00084 EPSS
Exploits 0

vulnersOsv
added 2026/05/28 10:28 p.m., 3 views

5gasp-cli (>=0.1.0 <=0.4.0), agentos (>=0.1.0 <=0.2.0) +617 more potentially affected by CVE-2026-42305 via dulwich (>=0.16.3 <=1.0.0)

dulwich PYPI version =0.16.3, =0.1.0, =0.1.0, =0.5.1, =21.7.1, =0.0.1, =0.1.0, =1.3.4, =2023.2.21, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.5.1 and more Source cves: CVE-2026-42305 Source advisory: SNYK:PYTHON-DULWICH-17054927...

5.4 AI score, 0.00223 EPSS
Exploits 0

vulnersOsv
added 2026/05/28 10:28 p.m., 3 views

5gasp-cli (>=0.1.0 <=0.4.0), agentos (>=0.1.0 <=0.2.0) +617 more potentially affected by CVE-2026-42305 via dulwich (>=0.16.3 <=1.0.0)

dulwich PYPI version =0.16.3, =0.1.0, =0.1.0, =0.5.1, =21.7.1, =0.0.1, =0.1.0, =1.3.4, =2023.2.21, =0.12.0, =0.1.0, =0.2.0, =0.2.0, =0.2.1, =0.5.1 and more Source cves: CVE-2026-42305 Source advisory: OSV:GHSA-897W-FCG9-F6XJ...

5.4 AI score, 0.00223 EPSS
Exploits 0

EUVD
added 2025/10/07 12:30 a.m., 3 views

EUVD-2015-0019

Malware in sbrugna...

7.5 CVSS, 8.9 AI score, 0.02765 EPSS
Exploits 1, References 15

Tenable Nessus
added 2025/08/20 12:0 a.m., 5 views

Linux Distros Unpatched Vulnerability : CVE-2017-16228

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in th...

10 CVSS, 7.2 AI score, 0.72496 EPSS
Exploits 12, References 2

OSV
added 2022/05/17 4:14 a.m., 5 views

GHSA-4J5J-58J7-6C3W Dulwich Arbitrary code execution via commit with directory path starting with .git

The build_index_from_tree function in index.py in Dulwich versions 0.9.9 and below allows remote attackers to execute arbitrary code via a commit with a directory path starting with .git/, which is not properly handled when checking out a working tree...

9.8 CVSS, 7.7 AI score, 0.02765 EPSS
Exploits 1, References 11

CNVD
added 2017/10/31 12:0 a.m., 1 view

Dulwich Arbitrary Command Execution Vulnerability

Dulwich is a Python implementation of the file format and protocols of the Git version control system developed by software developer Jelmer Vernooij. A security vulnerability exists in versions of Dulwich prior to 0.18.5. The vulnerability can be exploited by a remote attacker to execute arbitra...

9.8 CVSS, 7.6 AI score, 0.00424 EPSS
Exploits 0, References 1

PyPA
added 2017/10/29 8:29 p.m., 4 views

PYSEC-2017-12

Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117...

9.8 CVSS, 7.8 AI score, 0.00424 EPSS
Exploits 0, References 4, Affected Software 1

UbuntuCve
added 2017/10/29 8:29 p.m., 27 views

CVE-2017-16228

Dulwich before 0.18.5, when an SSH subprocess is used, allows remote attackers to execute arbitrary commands via an ssh URL with an initial dash character in the hostname, a related issue to CVE-2017-9800, CVE-2017-12836, CVE-2017-12976, CVE-2017-1000116, and CVE-2017-1000117...

9.8 CVSS, 7.1 AI score, 0.00424 EPSS
Exploits 0, References 5

CNVD
added 2015/04/01 12:0 a.m., 2 views

Dulwich 'build_index_from_tree' function arbitrary command execution vulnerability

Dulwich is a Python implementation of the file format and protocols of the Git version control system developed by software developer Jelmer Vernooij. A security vulnerability exists in the 'build_index_from_tree' function in the index.py file in versions of Dulwich prior to 0.9.9. A remote attacker...

7.5 CVSS, 7.6 AI score, 0.02765 EPSS
Exploits 1, References 1

OSV
added 2015/03/31 2:59 p.m., 3 views

CVE-2015-0838

Buffer overflow in the C implementation of the apply_delta function in _pack.c in Dulwich before 0.9.9 allows remote attackers to execute arbitrary code via a crafted pack file...

7.5 AI score
Exploits 0, References 2