CVE-2026-42563
HighCVSS 7.7Exploitation Probability (EPSS)
Low risk25th percentile - higher than 25% of all known CVEs
Summary
Dulwich, a pure-Python implementation of Git file formats and protocols, has a vulnerability in versions from 0.24.0 to 1.2.4. The `ProcessMergeDriver` improperly substitutes the file path into the merge driver command, allowing an attacker to execute arbitrary commands.
Risk Assessment
An attacker can exploit this vulnerability to execute malicious code on the victim's system, posing a serious security threat to the organization.
Recommendation
It is recommended to upgrade Dulwich to version 1.2.5 or later to mitigate this vulnerability.
Original NVD description (English source)
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.

