
291 matches found

Vulnrichment
added 2026/05/07 6:17 p.m. | 5 views

CVE-2026-42215 GitPython: Command injection via Git options bypass

GitPython is a Python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an...

CVSS 8.8 | AI score 6 | EPSS 0.00719
Exploits: 1 | References: 2

EUVD
added 2026/05/07 6:17 p.m. | 8 views

EUVD-2026-28411

GitPython is a Python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an...

CVSS 8.8 | AI score 6 | EPSS 0.00719
Exploits: 1 | References: 2

ATTACKERKB
added 2026/05/07 6:17 p.m. | 6 views

CVE-2026-42215

GitPython is a Python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an...

CVSS 8.8 | AI score 6 | EPSS 0.00719
Exploits: 1 | References: 3 | Affected Software: 1

CVE
added 2026/05/07 6:17 p.m. | 17 views

CVE-2026-42215

GitPython CVE-2026-42215: A vulnerability in GitPython allows arbitrary command execution when attacker-controlled kwargs are passed to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() via the Python kwargs upload_pack/receive_pack. The default unsafe-options guard (allow_unsafe...

CVSS 8.8 | AI score 6 | EPSS 0.00719
Exploits: 1 | References: 2 | Affected Software: 1

AlpineLinux
added 2026/05/07 6:17 p.m. | 6 views

CVE-2026-42215

GitPython is a Python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an...

CVSS 8.8 | AI score 6 | EPSS 0.00719
Exploits: 1

UbuntuCve
added 2026/05/07 12:0 a.m. | 5 views

CVE-2026-44244

GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value passes values to Python's configparser without validating for newlines. GitPython's own write converts embedded newlines into indented continuation lines e.g. \n becomes \n\t, b...

CVSS 7.8 | AI score 5.8 | EPSS 0.00194
Exploits: 1 | References: 2

CNNVD
added 2026/05/07 12:0 a.m. | 9 views

GitPython code injection vulnerability

GitPython is a Python library developed by gitpython-developers, designed for interacting with Git repositories. Versions of GitPython prior to 3.1.49 contained a code injection vulnerability. This vulnerability stemmed from the use of GitConfigParser.set_value, which did not validate line endings...

CVSS 7.8 | AI score 6 | EPSS 0.00194
Exploits: 1 | References: 1

UbuntuCve
added 2026/05/07 12:0 a.m. | 3 views

CVE-2026-44243

GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory...

CVSS 8.8 | AI score 5.7 | EPSS 0.00335
Exploits: 1 | References: 2

CNNVD
added 2026/05/07 12:0 a.m. | 4 views

GitPython operating system command injection vulnerability

GitPython is a Python library developed by gitpython-developers, used for interacting with Git repositories. Versions of GitPython from 3.1.30 to 3.1.47 contained an operating system command injection vulnerability. This vulnerability stemmed from allowing dangerous Git options without proper...

CVSS 8.8 | AI score 6.1 | EPSS 0.00719
Exploits: 1 | References: 1

CNNVD
added 2026/05/07 12:0 a.m. | 9 views

GitPython parameter injection vulnerability

GitPython is a Python library developed by gitpython-developers, designed for interacting with Git repositories. Versions of GitPython prior to 3.1.47 contained a parameter injection vulnerability. This vulnerability stemmed from the use of clone to validate multioptions, followed by the executio...

CVSS 9.8 | AI score 6 | EPSS 0.00571
Exploits: 1 | References: 1

CNNVD
added 2026/05/07 12:0 a.m. | 9 views

GitPython path traversal vulnerability

GitPython is a Python library developed by gitpython-developers, designed for interacting with Git repositories. Versions of GitPython prior to 3.1.48 contained a path traversal vulnerability. This vulnerability stemmed from insufficient validation of reference paths during reference creation,...

CVSS 8.8 | AI score 5.8 | EPSS 0.00335
Exploits: 1 | References: 1

vulnersOsv
added 2026/05/06 9:58 p.m. | 4 views

ac-solver (=0.1.0), acedeploy (>=2.4.15 <=2.4.342) +765 more potentially affected by CVE-2026-44244 via gitpython (>=3.0.0 <=3.1.47)

gitpython PYPI version =3.0.0, =2.4.15, =2025.10.17, =0.4.0, =0.4.0, =0.0.5, =1.2.3, =0.4.7, =0.4.7, =0.2.0, =1.0.3, =0.1.8, =0.87.2.dev9, =0.5.0, =0.86.1 and more Source cves: CVE-2026-44244 Source advisory: SNYK:PYTHON-GITPYTHON-16438980...

CVSS 7.8 | AI score 7.7 | EPSS 0.00194
Exploits: 1

OSV
added 2026/05/06 9:58 p.m. | 2 views

GHSA-V87R-6Q3F-2J67 GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

GitConfigParser.set_value passes values to Python's configparser without validating for newlines. GitPython's own write converts embedded newlines into indented continuation lines e.g. \n becomes \n\t, but Git still accepts an indented core stanza as a section header — so the injected core.hooksPa...

CVSS 7.8 | AI score 6 | EPSS 0.00194
Exploits: 1 | References: 4

Github Security Blog
added 2026/05/06 9:58 p.m. | 7 views

GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

GitConfigParser.set_value passes values to Python's configparser without validating for newlines. GitPython's own write converts embedded newlines into indented continuation lines e.g. \n becomes \n\t, but Git still accepts an indented core stanza as a section header — so the injected core.hooksPa...

CVSS 7.8 | AI score 6 | EPSS 0.00194
Exploits: 1 | References: 4 | Affected Software: 1

vulnersOsv
added 2026/05/06 9:58 p.m. | 7 views

ac-solver (=0.1.0), acedeploy (>=2.4.15 <=2.4.342) +910 more potentially affected by CVE-2026-44244 via gitpython (>=0.3.4 <=3.1.47)

gitpython PYPI version =0.3.4, =2.4.15, =2025.10.17, =0.4.0, =0.4.0, =0.0.5, =1.2.3, =0.4.7, =0.4.7, =0.2.0, =1.0.3, =0.1.8, =0.87.2.dev9, =0.5.0, =0.86.1 and more Source cves: CVE-2026-44244 Source advisory: OSV:GHSA-V87R-6Q3F-2J67...

CVSS 7.8 | AI score 7.7 | EPSS 0.00194
Exploits: 1

Snyk
added 2026/05/06 9:58 p.m. | 6 views

Arbitrary Code Injection

Overview: GitPython is a Python library used to interact with Git repositories. Affected versions of this package are vulnerable to Arbitrary Code Injection via the set_value function. An attacker can achieve arbitrary code execution by injecting newline characters into configuration values, which...

CVSS 8.5 | AI score 6.4 | EPSS 0.00194
Exploits: 1 | References: 2

vulnersOsv
added 2026/05/06 7:38 p.m. | 4 views

ac-solver (=0.1.0), acedeploy (>=2.4.15 <=2.4.342) +910 more potentially affected by CVE-2026-44243 via gitpython (>=0.3.4 <=3.1.47)

gitpython PYPI version =0.3.4, =2.4.15, =2025.10.17, =0.4.0, =0.4.0, =0.0.5, =1.2.3, =0.4.7, =0.4.7, =0.2.0, =1.0.3, =0.1.8, =0.87.2.dev9, =0.5.0, =0.86.1 and more Source cves: CVE-2026-44243 Source advisory: OSV:GHSA-7545-FCXQ-7J24...

CVSS 8.8 | AI score 7.7 | EPSS 0.00335
Exploits: 1

vulnersOsv
added 2026/05/06 7:38 p.m. | 6 views

ac-solver (=0.1.0), acedeploy (>=2.4.15 <=2.4.342) +765 more potentially affected by CVE-2026-44243 via gitpython (>=3.0.0 <=3.1.47)

gitpython PYPI version =3.0.0, =2.4.15, =2025.10.17, =0.4.0, =0.4.0, =0.0.5, =1.2.3, =0.4.7, =0.4.7, =0.2.0, =1.0.3, =0.1.8, =0.87.2.dev9, =0.5.0, =0.86.1 and more Source cves: CVE-2026-44243 Source advisory: SNYK:PYTHON-GITPYTHON-16438979...

CVSS 8.8 | AI score 7.7 | EPSS 0.00335
Exploits: 1

OSV
added 2026/05/06 7:38 p.m. | 3 views

GHSA-7545-FCXQ-7J24 GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository

🧾 Summary A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and...

CVSS 8.8 | AI score 5.8 | EPSS 0.00335
Exploits: 1 | References: 4

Github Security Blog
added 2026/05/06 7:38 p.m. | 6 views

GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository

🧾 Summary A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and...

CVSS 8.8 | AI score 5.8 | EPSS 0.00335
Exploits: 1 | References: 4 | Affected Software: 1