High severityGHSA Advisory· Published Jun 10, 2026· Updated Jun 11, 2026
CVE-2026-42563
CVE-2026-42563
Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's ProcessMergeDriver substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the %P placeholder and executes it with subprocess.run(..., shell=True). An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
dulwichPyPI | >= 0.24.0, < 1.2.5 | 1.2.5 |
Affected products
5- Range: >= 0.24.0, < 1.2.5
- osv-coords4 versionspkg:apk/chainguard/kserve-storage-controllerpkg:apk/wolfi/kserve-storage-controllerpkg:pypi/dulwichpkg:rpm/opensuse/python-dulwich&distro=openSUSE%20Tumbleweed
< 0.18.0-r4+ 3 more
- (no CPE)range: < 0.18.0-r4
- (no CPE)range: < 0.18.0-r4
- (no CPE)range: >= 0.24.0, < 1.2.5
- (no CPE)range: < 1.2.5-1.1
Patches
Vulnerability mechanics
References
5- github.com/advisories/GHSA-9277-mp7x-85jfghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-42563ghsaADVISORY
- github.com/jelmer/dulwich/commit/e3331b3b3a122fc313460182f928f59723580b7bnvdWEB
- github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5nvdWEB
- github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jfnvdWEB
News mentions
0No linked articles in our index yet.