Fedora 43 : GitPython (2026-fdbf3705cc)
The remote Fedora 43 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-fdbf3705cc advisory. Fixes security defects GHSA-rpm5-65cw-6hj4, GHSA-x2qx-6953-8485, GHSA-7545-fcxq-7j24, and GHSA-v87r-6q3f-2j67. Tenable has extracted the preceding descriptio...
Fedora 44 : GitPython (2026-9342da13e0)
The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-9342da13e0 advisory. Fixes security defects GHSA-rpm5-65cw-6hj4, GHSA-x2qx-6953-8485, GHSA-7545-fcxq-7j24, and GHSA-v87r-6q3f-2j67. Tenable has extracted the preceding descriptio...
GitPython has Command Injection via Git options bypass
Summary GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from, Remote.fetch, Remote.pull, or Remote.push, th...
Command Injection
Overview GitPython is a Python library used to interact with Git repositories. Affected versions of this package are vulnerable to Command Injection via the upload_pack or receive_pack kwargs in the Repo.clone_from, Remote.fetch, Remote.pull, or Remote.push functions. An attacker can execute arbitrar...
GHSA-RPM5-65CW-6HJ4 GitPython has Command Injection via Git options bypass
Summary GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from, Remote.fetch, Remote.pull, or Remote.push, th...
ac-solver (=0.1.0), acedeploy (>=2.4.15 <=2.4.338) +761 more potentially affected by CVE-2026-42284 via gitpython (>=3.0.0 <=3.1.46)
gitpython PYPI version =3.0.0, =2.4.15, =2025.10.17, =0.4.0, =0.4.0, =0.0.5, =1.2.3, =0.4.7, =0.4.7, =0.2.0, =1.0.3, =0.1.8, =0.87.2.dev9, =0.5.0, =0.86.1 and more Source cves: CVE-2026-42284 Source advisory: SNYK:PYTHON-GITPYTHON-16298054...
GHSA-X2QX-6953-8485 GitPython: Unsafe option check validates multi_options before shlex.split transformation
Summary clone validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (it starts with --branch), but after the split it becomes "--branch", "main", "--config", "core.hooksPath=/x". Git applies the...
ac-solver (=0.1.0), acedeploy (>=2.4.15 <=2.4.338) +906 more potentially affected by CVE-2026-32686 +1 more via gitpython (>=0.3.4 <=3.1.46)
gitpython PYPI version =0.3.4, =2.4.15, =2025.10.17, =0.4.0, =0.4.0, =0.0.5, =1.2.3, =0.4.7, =0.4.7, =0.2.0, =1.0.3, =0.1.8, =0.87.2.dev9, =0.5.0, =0.86.1 and more Source cves: CVE-2026-32686, CVE-2026-42284 Source advisory: OSV:GHSA-X2QX-6953-8485...
Arbitrary Argument Injection
Overview GitPython is a Python library used to interact with Git repositories. Affected versions of this package are vulnerable to Arbitrary Argument Injection in the multi_options parameter of the clone function, which may be passed in via the clone_from, clone, or Submodule.update functions. An...
PT-2026-37179
Name of the Vulnerable Software and Affected Versions: GitPython versions 3.1.30 through 3.1.46. Description: GitPython fails to properly validate certain Python keyword arguments, allowing a bypass of the safety checks intended to block dangerous Git options. While the library blocks options like...
PT-2026-37191
Name of the Vulnerable Software and Affected Versions: GitPython versions prior to 3.1.47. Description: GitPython is a Python library used to interact with Git repositories. The clone function validates the multi_options variable as an original list but then executes shlex.split(" ".join(multi_options))...
CVE-2026-27735
Model Context Protocol Servers is a collection of reference implementations for the Model Context Protocol (MCP). In mcp-server-git versions prior to 2026.1.14, the git_add tool did not validate that file paths provided in the files argument were within the repository boundaries. Because the tool us...
EUVD-2026-8770
mcp-server-git : Path traversal in git_add allows staging files outside repository boundaries...
CVE-2026-27735
CVE-2026-27735 affects the Model Context Protocol Servers (mcp-server-git) prior to version 2026.1.14. The git_add tool did not validate that file paths in the files argument stay within the repository, because it used GitPython's repo.index.add() instead of the Git CLI. This allowed relative pat...
EUVD-2024-0062
Malicious code in bioql PyPI...
EUVD-2023-0085
Malicious code in bioql PyPI...
EUVD-2023-0087
Malicious code in bioql PyPI...
EUVD-2023-0086
Malicious code in bioql PyPI...
Linux Distros Unpatched Vulnerability : CVE-2022-24439
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a...
Linux Distros Unpatched Vulnerability : CVE-2024-22190
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitPython is a Python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted...