216.73.217.64

CVE-2026-42563

· Published 11/06/2026 01:16 · Modified 11/06/2026 15:21 · Author: The MITRE Corporation

Labels: CVE-2026-42563 2026-06-10CVE-2026-42563CWE-78[email protected]

Essential information

Published
11/06/2026 01:16
Modified
11/06/2026 15:21
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.7 HIGH (v3) 7.7 HIGH (v4.0)
CISA KEV
No
CWE
CWE-78
CVSS vector

CVSS metrics

Description

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
dulwich / dulwich cpe:2.3:a:dulwich:dulwich:0.24.0-1.2.5:*:*:*:*:*:*:*

References