CVE Catalog

CVE-2026-42563

HighCVSS 7.7
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.08%

25th percentile - higher than 25% of all known CVEs

Summary

Dulwich, a pure-Python implementation of Git file formats and protocols, has a vulnerability in versions from 0.24.0 to 1.2.4. The `ProcessMergeDriver` improperly substitutes the file path into the merge driver command, allowing an attacker to execute arbitrary commands.

Risk Assessment

An attacker can exploit this vulnerability to execute malicious code on the victim's system, posing a serious security threat to the organization.

Recommendation

It is recommended to upgrade Dulwich to version 1.2.5 or later to mitigate this vulnerability.

Original NVD description (English source)

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS