CVE-2026-42215

Published: May 7, 2026Modified: May 11, 2026

8.8

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 2.8 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.

Affected (1)

Products: Gitpython Project: Gitpython

Gitpython Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gitpython Project Gitpython	From 3.1.30 to 3.1.47

Related CWEs

Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

References (3)

https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47

Source: security-advisories@github.com

PatchRelease Notes

https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4

Source: security-advisories@github.com

ExploitVendor Advisory

https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitVendor Advisory

Timeline

No history available yet.