Vulnerable Library - GitPython-3.1.42-py3-none-any.whl
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/67/c7/995360c87dd74e27539ccbfecddfb58e08f140d849fcd7f35d2ed1a5f80f/GitPython-3.1.42-py3-none-any.whl
Path to dependency file: /src/kubedash/tests/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260421063129_ENTWPD/python_ATEAZC/202604210631431/env/lib/python3.9/site-packages/GitPython-3.1.42.dist-info
Found in HEAD commit: 39ac9ffe42e0bd2d34757b191521a19c3a058305
Vulnerabilities
| Vulnerability |
Severity |
 CVSS |
Dependency |
Type |
Fixed in (GitPython version) |
Remediation Possible** |
| CVE-2026-44243 |
 Critical |
9.1 |
GitPython-3.1.42-py3-none-any.whl |
Direct |
3.1.48 |
❌ |
| CVE-2026-44244 |
 High |
7.8 |
GitPython-3.1.42-py3-none-any.whl |
Direct |
gitpython - 3.1.49 |
❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2026-44243
Vulnerable Library - GitPython-3.1.42-py3-none-any.whl
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/67/c7/995360c87dd74e27539ccbfecddfb58e08f140d849fcd7f35d2ed1a5f80f/GitPython-3.1.42-py3-none-any.whl
Path to dependency file: /src/kubedash/tests/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260421063129_ENTWPD/python_ATEAZC/202604210631431/env/lib/python3.9/site-packages/GitPython-3.1.42.dist-info
Dependency Hierarchy:
- ❌ GitPython-3.1.42-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 39ac9ffe42e0bd2d34757b191521a19c3a058305
Found in base branch: main
Vulnerability Details
A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-05-07
URL: CVE-2026-44243
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7545-fcxq-7j24
Release Date: 2026-05-05
Fix Resolution: 3.1.48
Step up your Open Source Security Game with Mend here
CVE-2026-44244
Vulnerable Library - GitPython-3.1.42-py3-none-any.whl
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/67/c7/995360c87dd74e27539ccbfecddfb58e08f140d849fcd7f35d2ed1a5f80f/GitPython-3.1.42-py3-none-any.whl
Path to dependency file: /src/kubedash/tests/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260421063129_ENTWPD/python_ATEAZC/202604210631431/env/lib/python3.9/site-packages/GitPython-3.1.42.dist-info
Dependency Hierarchy:
- ❌ GitPython-3.1.42-py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 39ac9ffe42e0bd2d34757b191521a19c3a058305
Found in base branch: main
Vulnerability Details
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.
Publish Date: 2026-05-07
URL: CVE-2026-44244
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-v87r-6q3f-2j67
Release Date: 2026-05-07
Fix Resolution: gitpython - 3.1.49
Step up your Open Source Security Game with Mend here
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/67/c7/995360c87dd74e27539ccbfecddfb58e08f140d849fcd7f35d2ed1a5f80f/GitPython-3.1.42-py3-none-any.whl
Path to dependency file: /src/kubedash/tests/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260421063129_ENTWPD/python_ATEAZC/202604210631431/env/lib/python3.9/site-packages/GitPython-3.1.42.dist-info
Found in HEAD commit: 39ac9ffe42e0bd2d34757b191521a19c3a058305
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - GitPython-3.1.42-py3-none-any.whl
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/67/c7/995360c87dd74e27539ccbfecddfb58e08f140d849fcd7f35d2ed1a5f80f/GitPython-3.1.42-py3-none-any.whl
Path to dependency file: /src/kubedash/tests/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260421063129_ENTWPD/python_ATEAZC/202604210631431/env/lib/python3.9/site-packages/GitPython-3.1.42.dist-info
Dependency Hierarchy:
Found in HEAD commit: 39ac9ffe42e0bd2d34757b191521a19c3a058305
Found in base branch: main
Vulnerability Details
A vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2026-05-07
URL: CVE-2026-44243
CVSS 3 Score Details (9.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-7545-fcxq-7j24
Release Date: 2026-05-05
Fix Resolution: 3.1.48
Step up your Open Source Security Game with Mend here
Vulnerable Library - GitPython-3.1.42-py3-none-any.whl
GitPython is a Python library used to interact with Git repositories
Library home page: https://files.pythonhosted.org/packages/67/c7/995360c87dd74e27539ccbfecddfb58e08f140d849fcd7f35d2ed1a5f80f/GitPython-3.1.42-py3-none-any.whl
Path to dependency file: /src/kubedash/tests/requirements.txt
Path to vulnerable library: /tmp/ws-ua_20260421063129_ENTWPD/python_ATEAZC/202604210631431/env/lib/python3.9/site-packages/GitPython-3.1.42.dist-info
Dependency Hierarchy:
Found in HEAD commit: 39ac9ffe42e0bd2d34757b191521a19c3a058305
Found in base branch: main
Vulnerability Details
GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.
Publish Date: 2026-05-07
URL: CVE-2026-44244
CVSS 3 Score Details (7.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-v87r-6q3f-2j67
Release Date: 2026-05-07
Fix Resolution: gitpython - 3.1.49
Step up your Open Source Security Game with Mend here