{"id":"CVE-2026-38974","details":"Dulwich through 1.1.0 was found to be missing SSH host key verification in contrib/paramiko_vendor.py.","modified":"2026-07-18T03:41:45.075273176Z","published":"2026-07-15T00:00:00Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/38xxx/CVE-2026-38974.json","cna_assigner":"mitre"},"references":[{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/38xxx/CVE-2026-38974.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-38974"},{"type":"FIX","url":"https://github.com/jelmer/dulwich/pull/2123"},{"type":"PACKAGE","url":"https://github.com/jelmer/dulwich"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/jelmer/dulwich","events":[{"introduced":"0"},{"fixed":"7dddd93c1e6f6d49e8b8911dab94e509710e90c8"}],"database_specific":{"source":"DESCRIPTION","extracted_events":[{"introduced":"0"},{"fixed":"1.1.0"}]}}],"versions":["dulwich-1.0.0","dulwich-0.25.2","dulwich-0.25.1","dulwich-0.25.0","dulwich-0.24.8","dulwich-0.24.7","dulwich-0.24.6","dulwich-0.24.5","dulwich-0.24.2","dulwich-0.24.1","dulwich-0.24.0","dulwich-0.23.2","dulwich-0.23.1","dulwich-0.22.8","dulwich-0.22.7","dulwich-0.22.6","dulwich-0.22.5","dulwich-0.22.4","dulwich-0.22.3","dulwich-0.22.2","dulwich-0.22.1","dulwich-0.22.0","dulwich-0.21.7","dulwich-0.21.6","dulwich-0.21.5","dulwich-0.21.4.1","dulwich-0.21.3","dulwich-0.21.2","dulwich-0.21.1","dulwich-0.21.0","dulwich-0.20.50","dulwich-0.20.44","dulwich-0.20.43","dulwich-0.20.42","dulwich-0.20.41","dulwich-0.20.40","dulwich-0.20.39","dulwich-0.20.38","dulwich-0.20.37","dulwich-0.20.36","dulwich-0.20.35","dulwich-0.20.34","dulwich-0.20.33","dulwich-0.20.32","dulwich-0.20.25","dulwich-0.20.30","dulwich-0.20.29","dulwich-0.20.28","dulwich-0.20.27","dulwich-0.20.26","dulwich-0.20.24","dulwich-0.20.23","dulwich-0.20.22","dulwich-0.20.21","dulwich-0.20.20","dulwich-0.20.19","dulwich-0.20.18","dulwich-0.20.17","dulwich-0.20.15","dulwich-0.20.14","dulwich-0.20.13","dulwich-0.20.12","dulwich-0.20.11","dulwich-0.20.9","dulwich-0.20.8","dulwich-0.20.7","dulwich-0.20.6","dulwich-0.20.5","dulwich-0.20.4","dulwich-0.20.3","dulwich-0.20.2","dulwich-0.20.1","dulwich-0.20.0","dulwich-0.19.16","dulwich-0.19.15","dulwich-0.19.14","dulwich-0.19.13","dulwich-0.19.12","dulwich-0.19.11","dulwich-0.19.10","dulwich-0.19.9","dulwich-0.19.8","dulwich-0.19.7","dulwich-0.19.6","dulwich-0.19.5","dulwich-0.19.4","dulwich-0.19.3","dulwich-0.19.2-2","dulwich-0.19.2-1","dulwich-0.19.2","dulwich-0.19.1","dulwich-0.19.0","dulwich-0.18.6","dulwich-0.18.5","dulwich-0.18.4","dulwich-0.18.3","dulwich-0.18.2","dulwich-0.18.1","dulwich-0.18.0","dulwich-0.17.3","dulwich-0.17.2","dulwich-0.17.1","dulwich-0.17.0","dulwich-0.16.3","dulwich-0.16.2","dulwich-0.16.1","dulwich-0.16.0","dulwich-0.15.0","dulwich-0.14.1","dulwich-0.14.0","dulwich-0.13.0","dulwich-0.12.0","dulwich-0.11.1","dulwich-0.11.0","dulwich-0.10.1","dulwich-0.10.0","dulwich-0.9.8","dulwich-0.9.7","dulwich-0.9.6","dulwich-0.9.5","dulwich-0.9.4","dulwich-0.9.3","dulwich-0.9.2","dulwich-0.9.1","dulwich-0.9.0","dulwich-0.8.7","dulwich-0.8.6","dulwich-0.8.5","dulwich-0.8.4","dulwich-0.8.3","dulwich-0.8.2","dulwich-0.8.1","dulwich-0.8.0","dulwich-0.7.1","dulwich-0.7.0","dulwich-0.6.2","dulwich-0.6.1","dulwich-0.6.0","dulwich-0.5.0","dulwich-0.4.1","dulwich-0.4.0","dulwich-0.3.3","dulwich-0.3.2","dulwich-0.3.1","dulwich-0.3.0","dulwich-0.2.1","dulwich-0.2.0","dulwich-0.1.1","dulwich-0.1.0"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-38974.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"}]}