CVE-2026-42215

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs uploadpack and receivepack bypass that check. If an...

CVE-2026-41506

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

UBUNTU-CVE-2026-41506

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

CVE-2026-41506 go-git Credential leak via cross-host redirect in smart HTTP transport

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

EUVD-2026-28596

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

CVE-2026-41506

go-git is vulnerable to credential leakage during smart-HTTP redirects in clone/fetch operations prior to versions 5.18.0 and 6.0.0-alpha.2. The issue, a cross-host redirect exposure, has been patched in 5.18.0 and 6.0.0-alpha.2. Impact is a potential exposure of HTTP credentials during redirects...

GHSA-X494-MJ8G-CJ27 gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data

Summary Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch. Details Bug 1: Unchecked array...

gix-pack has multiple DoS vectors: unchecked indexing panics and uncapped OOM allocations from crafted pack data

Summary Multiple denial-of-service vectors in gix-pack: unchecked array indexing causes panics on crafted delta data, and uncapped attacker-controlled size headers enable OOM process kills. Both are triggered by malicious pack data received during clone/fetch. Details Bug 1: Unchecked array...

PT-2026-37179

Name of the Vulnerable Software and Affected Versions GitPython versions 3.1.30 through 3.1.46 Description GitPython fails to properly validate certain Python keyword arguments, allowing a bypass of the safety checks intended to block dangerous Git options. While the library blocks options like...

git: The sideband payload is passed unfiltered to the terminal in git

A flaw was found in Git. When cloning, fetching, or pushing from a server, informational or error messages are transported from the remote Git process to the client via a sideband channel. These messages are prefixed with "remote:" and printed directly to the standard error output. Typically, thi...

CLSA-2024-1728056367 Fix CVE(s): CVE-2024-32465

SECURITY UPDATE: Bypass of protections in untrusted repositories - debian/patches/CVE-2024-32465.patch: Disable lazy-fetching by default in upload-pack to prevent arbitrary command execution during clone/fetch - CVE-2024-32465...