{"id":"CVE-2026-44244","summary":"GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath","details":"GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.set_value() passes values to Python's configparser without validating for newlines. GitPython's own _write() converts embedded newlines into indented continuation lines (e.g. \\n becomes \\n\\t), but Git still accepts an indented [core] stanza as a section header — so the injected core.hooksPath becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path. This issue has been patched in version 3.1.49.","aliases":["GHSA-v87r-6q3f-2j67"],"modified":"2026-07-08T08:12:34.757887230Z","published":"2026-05-07T18:22:39.704Z","related":["CGA-3wf6-6w7m-9m2w","SUSE-SU-2026:21813-1","openSUSE-SU-2026:10758-1","openSUSE-SU-2026:20777-1"],"database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44244.json","cna_assigner":"GitHub_M","cwe_ids":["CWE-94"]},"references":[{"type":"WEB","url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44244.json"},{"type":"ADVISORY","url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44244"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/gitpython-developers/gitpython","events":[{"introduced":"0"},{"fixed":"aee2fd5c13770954469e650f1df8f92f0183bc70"}],"database_specific":{"source":["AFFECTED_FIELD","CPE_RANGE","REFERENCES"],"extracted_events":[{"introduced":"0"},{"fixed":"3.1.49"}],"cpe":"cpe:2.3:a:gitpython_project:gitpython:*:*:*:*:*:python:*:*"}}],"versions":["3.1.48","3.1.47","3.1.44","3.1.43","3.1.42","3.1.41","3.1.40","3.1.38","3.1.35","3.1.34","3.1.33","3.1.32","3.1.31","3.1.30","3.1.29","3.1.28","3.1.27","3.1.26","3.1.25","3.1.24","3.1.23","3.1.22","3.1.20","3.1.19","3.1.18","3.1.17","3.1.16","3.1.13","3.1.12","3.1.11","3.1.10","3.1.9","3.1.8","3.1.7","3.1.6","3.1.5","3.1.4","3.1.3","3.1.2","3.1.1","3.1.0","3.0.9","3.0.8","3.0.7","3.0.6","3.0.5","3.0.4","3.0.3","3.0.2","3.0.1","2.1.13","3.0.0","2.1.12","2.1.11","2.1.10","2.1.9","2.1.8","2.1.6","2.1.5","2.1.4","2.1.3","2.1.2","2.1.1","2.1.0","2.0.9","winerr_show","2.0.8","2.0.7","2.0.6","2.0.5","2.0.4","2.0.3","2.0.2","2.0.1","2.0.0","0.3.2.1","1.0.2","0.3.7","1.0.1","1.0.0","0.3.6","0.3.5","0.3.4","0.3.3","0.3.2","0.3.2-RC1","0.3.1-beta2","0.3.1-beta1","0.3.0-beta2","0.3.0-beta1","0.2.0-beta1","0.1.6","0.1.5","0.1.4","0.1.4-pre"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44244.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}]}