4 matches found

NVD
added 2026/05/07 7:16 p.m., 11 views

CVE-2026-44244

GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value passes values to Python's configparser without validating for newlines. GitPython's own write converts embedded newlines into indented continuation lines e.g. \n becomes \n\t, b...

CVSS 7.8, EPSS 0.00194
Exploits: 1, References: 2
CVE
added 2026/05/07 6:22 p.m., 18 views

CVE-2026-44244

CVE-2026-44244 (GitPython) : A newline injection in config_writer().set_value() allowed an attacker-controlled core.hooksPath to be injected via an unvalidated value, enabling RCE when Git hooks run (commit, merge, checkout). GitConfigParser.set_value() passes input to configparser without newlin...

CVSS 7.8, AI score 5.8, EPSS 0.00194
Exploits: 1, References: 2, Affected Software: 1
OSV
added 2026/05/06 9:58 p.m., 1 views

GHSA-V87R-6Q3F-2J67 GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

GitConfigParser.set_value passes values to Python's configparser without validating for newlines. GitPython's own write converts embedded newlines into indented continuation lines e.g. \n becomes \n\t, but Git still accepts an indented core stanza as a section header — so the injected core.hooksPa...

CVSS 7.8, AI score 6, EPSS 0.00194
Exploits: 1, References: 4
Positive Technologies
added 2026/05/06 12:0 a.m., 8 views

PT-2026-38295

Name of the Vulnerable Software and Affected Versions: GitPython versions prior to 3.1.49

Description: The set_value function in GitConfigParser passes values to Python's configparser without validating for newlines. Although the write function converts embedded newlines into indented continuation...

CVSS 8.8, AI score 5.9, EPSS 0.00719
Exploits: 3, References: 32