216.73.217.86

CVE-2026-52726

· Published 11/06/2026 01:16 · Modified 11/06/2026 15:21 · Author: The MITRE Corporation

Labels: CVE-2026-52726 2026-06-10CVE-2026-52726CWE-22[email protected]

Essential information

Published
11/06/2026 01:16
Modified
11/06/2026 15:21
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.5 HIGH (v3.1)
CISA KEV
No
CWE
CWE-22
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

CVSS metrics

Description

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
dulwich / dulwich cpe:2.3:a:dulwich:dulwich:0.23.2-1.2.4:*:*:*:*:*:*:*

References