CVE-2026-44244

Published: May 7, 2026Modified: May 11, 2026

7.8

Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Exploitability: 1.8 / Impact: 5.9

Source: security-advisories@github.com (Secondary)

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.

Affected (1)

Products: Gitpython Project: Gitpython

Gitpython Project

1 product

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Gitpython Project Gitpython	Before 3.1.49

Related CWEs

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (3)

https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49

Source: security-advisories@github.com

PatchRelease Notes

https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67

Source: security-advisories@github.com

ExploitMitigationVendor Advisory

https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0

ExploitMitigationVendor Advisory

Timeline

No history available yet.