{"id":"CVE-2026-42284","summary":"GitPython: Unsafe option check validates multi_options before shlex.split transforms it","details":"GitPython is a python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(\" \".join(multi_options)). A string like \"--branch main --config core.hooksPath=/x\" passes validation (starts with --branch), but after split becomes [\"--branch\", \"main\", \"--config\", \"core.hooksPath=/x\"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.","aliases":["GHSA-x2qx-6953-8485"],"modified":"2026-07-08T08:12:34.672247585Z","published":"2026-05-07T18:19:20.129Z","related":["CGA-8pr5-gmq5-xw9j","SUSE-SU-2026:21813-1","openSUSE-SU-2026:20777-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42284.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-88"]},"references":[{"type":"WEB","url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/42xxx/CVE-2026-42284.json"},{"type":"ADVISORY","url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-42284"},{"type":"EVIDENCE","url":"https://www.tenable.com/cve/CVE-2026-32686"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gitpython-developers/gitpython","events":[{"introduced":"0"},{"fixed":"4199cb89755f705801a4cb241723325b46201f51"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"3.1.47"}],"cpe":"cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*"}}],"versions":["3.1.44","3.1.43","3.1.42","3.1.41","3.1.40","3.1.38","3.1.35","3.1.34","3.1.33","3.1.32","3.1.31","3.1.30","3.1.29","3.1.28","3.1.27","3.1.26","3.1.25","3.1.24","3.1.23","3.1.22","3.1.20","3.1.19","3.1.18","3.1.17","3.1.16","3.1.13","3.1.12","3.1.11","3.1.10","3.1.9","3.1.8","3.1.7","3.1.6","3.1.5","3.1.4","3.1.3","3.1.2","3.1.1","3.1.0","3.0.9","3.0.8","3.0.7","3.0.6","3.0.5","3.0.4","3.0.3","3.0.2","3.0.1","2.1.13","3.0.0","2.1.12","2.1.11","2.1.10","2.1.9","2.1.8","2.1.6","2.1.5","2.1.4","2.1.3","2.1.2","2.1.1","2.1.0","2.0.9","winerr_show","2.0.8","2.0.7","2.0.6","2.0.5","2.0.4","2.0.3","2.0.2","2.0.1","2.0.0","0.3.2.1","1.0.2","0.3.7","1.0.1","1.0.0","0.3.6","0.3.5","0.3.4","0.3.3","0.3.2","0.3.2-RC1","0.3.1-beta2","0.3.1-beta1","0.3.0-beta2","0.3.0-beta1","0.2.0-beta1","0.1.6","0.1.5","0.1.4","0.1.4-pre"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-42284.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}