CVE-2026-42284

EUVD-2026-28412
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (it starts with --branch), but after the split it becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the injected config and runs attacker-controlled hooks during the clone. This issue has been patched in version 3.1.47.
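The root cause above is a check-then-transform mismatch: the option list is validated in one shape and passed to git in another. The following added example (not GitPython's code and not the 3.1.47 fix) contrasts the pre-fix pattern with a validator that inspects the same argv git will actually receive, i.e. it splits first and then checks every option-name token against an allowlist. The allowlist and the set of value-taking options are constructed for illustration.

```python
import shlex

# Constructed allowlist of clone options a caller may pass through.
ALLOWED_OPTIONS = {"--branch", "--depth", "--single-branch", "--no-tags"}
# Subset of the allowlist whose value may follow as a separate token.
OPTIONS_WITH_VALUE = {"--branch", "--depth"}


def naive_validate(multi_options):
    """Mirrors the pre-3.1.47 pattern described in the advisory:
    each list element is prefix-checked as a whole, and only afterwards
    is the list joined and re-split by shlex.  The re-split can therefore
    introduce tokens the check never saw."""
    for opt in multi_options:
        if not any(opt.startswith(name) for name in ALLOWED_OPTIONS):
            raise ValueError(f"rejected option: {opt!r}")
    return shlex.split(" ".join(multi_options))


def strict_validate(multi_options):
    """Validate the post-split argv, which is what git sees.

    Every token must be either an allowlisted option (bare or --name=value)
    or the value of the immediately preceding value-taking option.  Any
    other token, including positional arguments and unknown options such
    as --config, is rejected."""
    argv = shlex.split(" ".join(multi_options))
    expecting_value = False
    for tok in argv:
        if expecting_value:
            # A value slot must not be filled by another option.
            if tok.startswith("-"):
                raise ValueError(f"option found where a value was expected: {tok!r}")
            expecting_value = False
            continue
        name, sep, _value = tok.partition("=")
        if name not in ALLOWED_OPTIONS:
            raise ValueError(f"rejected option: {tok!r}")
        # "--branch main" consumes the next token; "--branch=main" does not.
        expecting_value = (not sep) and name in OPTIONS_WITH_VALUE
    if expecting_value:
        raise ValueError("option is missing its value")
    return argv


def demo():
    """Run both validators on the advisory's payload and on a benign list."""
    payload = ["--branch main --config core.hooksPath=/x"]
    benign = ["--branch", "main", "--depth=1"]
    results = {"naive_passes_payload": naive_validate(payload)}
    try:
        strict_validate(payload)
        results["strict_rejects_payload"] = False
    except ValueError:
        results["strict_rejects_payload"] = True
    results["strict_accepts_benign"] = strict_validate(benign)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The naive validator returns the four-element argv from the advisory unchanged, because the only element it saw began with --branch. The strict validator fails on the --config token. The broader lesson is that any validation must run on the exact representation handed to the subprocess; if a join-and-resplit step is unavoidable, validate its output, not its input.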
Argument Injection
CVSS 3.x Base Score
Provider  Type     Base Score  Atk. Vector  Atk. Complexity  Priv. Required  Vector
NIST      Primary  8.1 HIGH    NETWORK      HIGH             NONE            CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score: percentile 42%
Affected Products (NVD)
Vendor             Product    Version
gitpython_project  gitpython  x < 3.1.47

x = vulnerable software versions
Debian Releases
Product     Codename             Version   Status
python-git  bookworm             -         vulnerable
python-git  bullseye             -         vulnerable
python-git  bullseye (security)  -         vulnerable
python-git  forky                3.1.50-1  fixed
python-git  sid                  3.1.50-1  fixed
python-git  trixie               -         vulnerable
Ubuntu Releases
Product     Codename  Fixed Version           Status
python-git  bionic    -                       not-affected
python-git  focal     3.0.7-1ubuntu0.1~esm4   released
python-git  jammy     3.1.24-1ubuntu0.1~esm3  released
python-git  noble     3.1.37-3ubuntu0.1~esm2  released
python-git  questing  -                       needed
python-git  resolute  3.1.46-1ubuntu0.1~esm1  released
python-git  trusty    -                       not-affected
python-git  xenial    -                       ignored