CVE-2026-42215

EUVD-2026-28411
GitPython is a Python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.
OS Command Injection
Provider | Type    | Base Score | Atk. Vector | Atk. Complexity | Priv. Required | Vector
NIST     | Primary | 8.8 HIGH   | NETWORK     | LOW             | LOW            | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Base Score (CVSS 3.x): 8.8 HIGH
EPSS Score: percentile 48%
Affected Products (NVD)
Vendor            | Product   | Version
gitpython_project | gitpython | 3.1.30 ≤ x < 3.1.47
(x = vulnerable software versions)
Debian Releases (product: python-git)
Codename            | Version  | Status
bookworm            |          | vulnerable
bullseye            |          | vulnerable
bullseye (security) |          | vulnerable
forky               | 3.1.50-1 | fixed
sid                 | 3.1.50-1 | fixed
trixie              |          | vulnerable
Ubuntu Releases (product: python-git)
Codename | Fixed Version             | Status
bionic   | 2.1.8-1ubuntu0.1~esm4     | released
focal    | 3.0.7-1ubuntu0.1~esm4     | released
jammy    | 3.1.24-1ubuntu0.1~esm3    | released
noble    | 3.1.37-3ubuntu0.1~esm2    | released
questing |                           | needed
resolute | 3.1.46-1ubuntu0.1~esm1    | released
trusty   | 0.3.2~RC1-3ubuntu0.1~esm3 | released
xenial   |                           | ignored