Main Vulnerability Database SB2026050673

SB2026050673 - Fedora EPEL 9 update for GitPython

Published: May 6, 2026

Security Bulletin ID SB2026050673

CSH Severity

Medium

Patch available

YES

Number of vulnerabilities 1

Exploitation vector Remote access

Highest impact Code execution

Breakdown by Severity

Low
Medium
High
Critical

Description

This security bulletin contains information about 1 vulnerability.

1) OS Command Injection (CVE-ID: CVE-2026-42215)

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists due to command injection in Repo.clone_from(), Remote.fetch(), Remote.pull(), and Remote.push() when processing attacker-controlled kwargs that are normalized into unsafe Git options. A remote user can supply crafted upload_pack or receive_pack values to execute arbitrary code.

The issue occurs because underscore-form kwargs bypass the unsafe-option check before being converted into dangerous command-line flags, and it does not require a malicious repository.

Remediation

Install update from vendor's website.

References

https://bodhi.fedoraproject.org/updates/FEDORA-EPEL-2026-d67d81b1fd