CVE-2026-44244
Published 2026-05-07
Priority: P3 · 42 · high · 7.8 (CVSS 3.1)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.24% (14.6th percentile)
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.
Affected (4 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| gitpython-developers | gitpython | < 3.1.49 | 3.1.49 |
| gitpython_project | gitpython | < 3.1.49 | 3.1.49 |
| gitpython_project | gitpython | >= 0 < 3.1.49 | 3.1.49 |
| ubuntu | python-git | — | — |
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 7.8 | HIGH | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| vendor_ubuntu | — | 6.5 | MEDIUM | — |
Ubuntu
GitPython vulnerabilities
vendor_ubuntu·2026-05-26·CVSS 6.5
CVE-2026-42215 [MEDIUM] GitPython vulnerabilities
Title: GitPython vulnerabilities
Summary: Several security issues were fixed in GitPython.
Santos Gallegos discovered that GitPython did not properly validate paths when resolving certain Git references. An attacker could possibly use this issue to cause files outside the .git directory to be accessed, leading to a denial of service. This issue only affected Ubuntu 14.04 LTS, Ubuntu 16.04 LTS, Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, and Ubuntu 22.04 LTS. (CVE-2023-41040)

Wes Ring discovered that GitPython did not properly block certain unsafe Git options when they were provided as Python keyword arguments. An attacker could possibly use this issue to cause arbitrary command execution. (CVE-2026-42215)

It was discovered that GitPython did not properly validate clone options before processin
VulDB
gitpython-developers GitPython up to 3.1.48 GitConfigParser.set_value code injection (GHSA-v87r-6q3f-2j67)
vuldb·2026-05-07·CVSS 7.8
CVE-2026-44244 [HIGH] gitpython-developers GitPython up to 3.1.48 GitConfigParser.set_value code injection (GHSA-v87r-6q3f-2j67)
A vulnerability identified as critical has been detected in gitpython-developers GitPython up to 3.1.48. This issue affects the function GitConfigParser.set_value. The manipulation leads to code injection.
This vulnerability is uniquely identified as CVE-2026-44244. Local access is required to approach this attack. No exploit exists.
You should upgrade the affected component.
GHSA
GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
ghsa·2026-05-06
CVE-2026-44244 [HIGH] CWE-94 GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath
`GitConfigParser.set_value()` passes values to Python's `configparser` without validating for newlines. GitPython's own `_write()` converts embedded newlines into indented continuation lines (e.g. `\n` becomes `\n\t`), but Git still accepts an indented `[core]` stanza as a section header — so the injected `core.hooksPath` becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path.
The vulnerability is not merely malformed config output: GitPython's own writer converts embedded newlines into indented continuation lines, but Git still accepts an indented `[core]` stanza as a section header, so the injecte
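The advisory above describes two things a defender can act on directly: the input-side weakness (a config value is allowed to contain a newline, which the writer turns into an indented continuation line) and the on-disk artefact it produces (a section header that Git accepts even though it is indented, followed by a `core.hooksPath` setting). The following Python is an added example written for this page; it is not GitPython's code and not the upstream 3.1.49 patch, whose details the advisory does not give. `validate_config_value()` is a caller-side guard one could apply before `GitConfigParser.set_value()`, and `audit_git_config()` scans a `.git/config` text for the artefacts named above. All function names, the `Finding` type and the sample config are constructed for the example; the hooks path in the sample is a placeholder.

```python
"""Added example (not GitPython project code): defensive checks around the
config-writer weakness described in GHSA-v87r-6q3f-2j67.

  * validate_config_value() / is_safe_config_value(): reject any value that
    could span more than one line of the config file.
  * audit_git_config(): read a .git/config text and flag (a) a section
    header preceded by whitespace, which Git still treats as a header, and
    (b) any core.hooksPath setting, so an operator can decide whether the
    path is expected.

The sample config below is constructed for this example.
"""
import re
from dataclasses import dataclass

# Characters that would let a single key=value pair spill onto a new line.
_FORBIDDEN = ("\n", "\r", "\x00")


def validate_config_value(value: str) -> str:
    """Return value unchanged, or raise ValueError if it contains a
    line-breaking control character. Call before set_value()."""
    if not isinstance(value, str):
        raise TypeError("config values must be str")
    for ch in _FORBIDDEN:
        if ch in value:
            raise ValueError(f"control character {ch!r} not allowed in a git config value")
    return value


def is_safe_config_value(value: str) -> bool:
    """Boolean form of validate_config_value() for callers that prefer a check."""
    try:
        validate_config_value(value)
    except (TypeError, ValueError):
        return False
    return True


@dataclass
class Finding:
    line_no: int
    kind: str      # "indented_section" or "hooks_path"
    detail: str


# Section header with optional leading whitespace (git tolerates the indent).
_SECTION_RE = re.compile(r'^(\s*)\[([^\]]+)\]\s*(?:[#;].*)?$')
# key = value inside a section.
_KV_RE = re.compile(r'^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$')


def audit_git_config(text: str) -> list[Finding]:
    """Scan git-config text and return findings in file order."""
    findings: list[Finding] = []
    section = None
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith(("#", ";")):
            continue
        m = _SECTION_RE.match(line)
        if m:
            indent, name = m.group(1), m.group(2).strip().lower()
            section = name
            if indent:
                findings.append(Finding(n, "indented_section",
                                        f"[{name}] header preceded by whitespace"))
            continue
        m = _KV_RE.match(line)
        if m and section == "core" and m.group(1).lower() == "hookspath":
            findings.append(Finding(n, "hooks_path", m.group(2)))
    return findings


# Constructed sample: a normal config whose last value was followed by an
# indented [core] header and a hooksPath (placeholder path).
SAMPLE_CONFIG = """[core]
\trepositoryformatversion = 0
\tfilemode = true
[user]
\tname = Example Dev
\temail = dev@example.invalid
\t[core]
\thooksPath = /tmp/constructed-example-hooks
"""

if __name__ == "__main__":
    print("safe value:", is_safe_config_value("Example Dev"))
    print("value with newline:", is_safe_config_value("x\n\t[core]"))
    for f in audit_git_config(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.kind}: {f.detail}")
```

The auditor deliberately treats an indented header as a finding on its own, independent of what follows it: GitPython's writer only emits a header with leading whitespace as the result of a multi-line value, so in a repository written by GitPython the indent itself is the anomaly. Reporting every `core.hooksPath` rather than only "suspicious" paths is a choice as well; whether a hooks path is legitimate depends on the environment, so the scanner surfaces it and leaves the judgement to the operator.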
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Published: 2026-05-07