Path traversal in GitPython - #VU128348

Published: April 28, 2026


Vulnerability identifier: #VU128348
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-22
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: gitpython-developers
Affected software:
GitPython

Detailed vulnerability description

The vulnerability allows a local user to write, overwrite, move, or delete files outside the repository's .git directory.

The vulnerability exists due to path traversal in GitPython reference APIs when processing application-controlled reference paths in reference creation, rename, and delete operations. A local user can supply a crafted reference path to write, overwrite, move, or delete files outside the repository's .git directory.

Exploitation requires the ability to influence reference names supplied by the consuming application.
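Because the issue is only reachable when the consuming application lets untrusted input influence reference names, an application-side allow-list on reference names is a useful defence-in-depth measure alongside the vendor update. The following is an added example written for this page, not GitPython's own code: it validates a reference name against a deliberately stricter subset of git's refname rules (alphanumerics, `.`, `_`, `-`, `/` separators, no `..`, no leading dots, no `.lock` suffix, no absolute or backslash paths) and then confirms the resolved target stays inside the repository's git directory before the name is handed to any reference-manipulating API. The `git_dir` value and the sample names in the demo are constructed.

```python
import re
from pathlib import Path

# Allow-list for a single path component of a reference name. This is
# intentionally stricter than git's own check-ref-format rules; it is an
# assumption of this example, not a GitPython constant.
_REF_COMPONENT = re.compile(r"^[A-Za-z0-9._-]+$")


def is_safe_ref_name(ref_name: str) -> bool:
    """Return True only for a plain, relative, traversal-free reference name."""
    if not ref_name or ref_name.startswith("/") or ref_name.endswith("/"):
        return False
    # Backslashes and NUL bytes have no place in a reference name and would
    # behave differently across platforms and filesystem layers.
    if "\\" in ref_name or "\x00" in ref_name:
        return False
    for part in ref_name.split("/"):
        # Empty components ("a//b"), "." and ".." are the classic traversal tokens.
        if part in ("", ".", ".."):
            return False
        # git forbids components starting with "." or ending in ".lock".
        if part.startswith(".") or part.endswith(".lock"):
            return False
        if not _REF_COMPONENT.match(part):
            return False
    return True


def resolve_ref_path(git_dir: str, ref_name: str) -> Path:
    """Map ref_name onto a file below git_dir, raising ValueError on escape.

    The containment check is the second line of defence: even if the
    allow-list above were loosened, anything resolving outside git_dir
    is refused before a create/rename/delete could touch it.
    """
    if not is_safe_ref_name(ref_name):
        raise ValueError(f"rejected reference name: {ref_name!r}")
    base = Path(git_dir).resolve()
    target = (base / ref_name).resolve()
    if target != base and base not in target.parents:
        raise ValueError(f"reference path escapes git dir: {ref_name!r}")
    return target


def ref_path_is_contained(git_dir: str, ref_name: str) -> bool:
    """Boolean convenience wrapper around resolve_ref_path for callers and tests."""
    try:
        resolve_ref_path(git_dir, ref_name)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample input: a git dir path and a mix of benign and
    # traversal-shaped reference names as an application might receive them.
    git_dir = "/srv/repos/example/.git"
    candidates = [
        "refs/heads/main",
        "refs/tags/v1.2.3",
        "HEAD",
        "../../etc/passwd",
        "refs/heads/../../../tmp/x",
        "/refs/heads/main",
        "refs\\heads\\main",
        "refs/heads/main.lock",
        "refs/heads/.hidden",
    ]
    for name in candidates:
        verdict = "accept" if ref_path_is_contained(git_dir, name) else "reject"
        print(f"{verdict:6} {name!r}")
```

In practice the validated name is what gets passed on to the application's reference creation, rename and delete calls; anything the validator rejects is logged and dropped rather than forwarded. The check does not replace the vendor fix, since the underlying library behaviour is unchanged until the update is installed.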


Remediation

Install security update from vendor's website.

Sources