CVE Alert

CVE-2026-42563

Severity: UNKNOWN (CVSS 0.0)

Dulwich Vulnerable to Command Injection via Merge Driver Path

CVSS Score: 0.0
EPSS Score: 0.0%
EPSS Percentile: 0th

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.
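To show the difference between the two patterns the description contrasts, the following is an added example, not dulwich's own code: a hypothetical `vulnerable_command` that builds one shell string (the CWE-78 pattern, returned but never executed here) beside a hardened `build_merge_argv` that tokenises the trusted template first and runs the driver without a shell. The `%O`, `%A`, `%B` and `%P` placeholders follow Git's merge-driver convention; the sample path and function names are constructed for the illustration.

```python
import re
import shlex
import subprocess
import sys

# Git merge-driver placeholders: %O base, %A ours, %B theirs, %P pathname.
PLACEHOLDER_RE = re.compile(r"%[OABP]")


def _substitute(text: str, values: dict) -> str:
    """Single-pass replacement so a substituted value is never re-expanded."""
    return PLACEHOLDER_RE.sub(lambda m: values[m.group(0)], text)


def vulnerable_command(template: str, base: str, ours: str, theirs: str, path: str) -> str:
    """Pattern described in the advisory: substitute into one command line meant
    for shell=True. The tree path becomes part of the shell syntax. Returned
    only, never executed here."""
    values = {"%O": base, "%A": ours, "%B": theirs, "%P": path}
    return _substitute(template, values)


def build_merge_argv(template: str, base: str, ours: str, theirs: str, path: str) -> list:
    """Hardened form: tokenise the trusted template once, then substitute each
    placeholder inside its own argv element. The path never reaches a shell."""
    values = {"%O": base, "%A": ours, "%B": theirs, "%P": path}
    return [_substitute(token, values) for token in shlex.split(template)]


def run_merge_driver(template: str, base: str, ours: str, theirs: str, path: str):
    """Execute the driver with an argv list and shell=False."""
    argv = build_merge_argv(template, base, ours, theirs, path)
    return subprocess.run(argv, shell=False, capture_output=True, text=True, check=False)


def demo() -> str:
    """Use this interpreter as a stand-in driver and return the path exactly as
    the driver received it, proving the metacharacters stayed inside one argument."""
    hostile_path = "notes.txt; echo injected"  # constructed sample path
    template = f"{shlex.quote(sys.executable)} -c 'import sys; print(sys.argv[-1])' %O %A %B %P"
    result = run_merge_driver(template, "base", "ours", "theirs", hostile_path)
    return result.stdout.strip()


if __name__ == "__main__":
    print("shell string:", vulnerable_command("driver %O %A %B %P", "b", "o", "t", "x; echo injected"))
    print("argv list:   ", build_merge_argv("driver %O %A %B %P", "b", "o", "t", "x; echo injected"))
    print("driver saw:  ", demo())
```

The shell string form leaves the separator active; the argv form keeps the whole path as the final element, which is what the 1.2.5 fix needs to guarantee.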

CWE: CWE-78
Vendor: jelmer
Product: dulwich
Published: Jun 10, 2026

Affected Versions

jelmer / dulwich
>= 0.24.0, < 1.2.5

References

NVD · CVE.org · EPSS Data
https://github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf
https://github.com/jelmer/dulwich/commit/e3331b3b3a122fc313460182f928f59723580b7b
https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5