Cyber Resilience

CVE-2026-42215

High · Public PoC · RCE

Published: 07 May 2026
Modified: 11 May 2026
CVSS Score (v3.1): 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0072 (49.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42215 is a high-severity OS Command Injection (CWE-78) vulnerability in GitPython (NVD vendor/product: Gitpython Project / Gitpython). Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Python (T1059.006). The CVE is ranked at the 49.3rd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

Vulnerability details

GitPython is a Python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.
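The bypass described above works because the library's check compared the dashed flag spelling (--upload-pack) while the keyword spelling (upload_pack) reached the same Git option unchecked. The following is an added example, not GitPython's own code, of a gate an application can place in front of Repo.clone_from(), Remote.fetch(), Remote.pull() or Remote.push() while it is still running an affected version: it normalises both spellings to one form, combines an allowlist of the kwargs the application actually intends to forward with a denylist of the blocked options, and also scans list-valued kwargs for raw --option tokens. Assumptions not taken from the advisory: the underscore-to-dash mapping is the only rendering rule applied, and the blocked-option list is limited to the two flags the advisory names; a deployment should extend it from the installed library's own block list.

```python
"""Added example (not GitPython code): gate user-supplied kwargs before they
are forwarded to GitPython clone/fetch/pull/push calls.

Assumptions: kwarg names become long Git flags by replacing '_' with '-' and
prefixing '--' (upload_pack -> --upload-pack, the equivalence the advisory
describes); BLOCKED_OPTIONS is a constructed list holding only the two flags
the advisory names.
"""
from typing import Any, Dict, FrozenSet, Iterable, List

# Options the advisory says GitPython blocks by default (constructed list).
BLOCKED_OPTIONS: FrozenSet[str] = frozenset({"--upload-pack", "--receive-pack"})


class UnsafeGitOptionError(ValueError):
    """Raised when a keyword argument would map onto a blocked Git option."""


def kwarg_to_flag(name: str) -> str:
    """Render a Python kwarg name as the long Git flag it becomes.

    'upload_pack' -> '--upload-pack'. Comparing in this single form is what
    closes the gap between the two spellings.
    """
    return "--" + name.replace("_", "-")


def flag_name(token: str) -> str:
    """Strip an '=value' suffix so '--upload-pack=cmd' compares as '--upload-pack'."""
    return token.split("=", 1)[0]


def find_blocked(kwargs: Dict[str, Any],
                 blocked: Iterable[str] = BLOCKED_OPTIONS) -> List[str]:
    """Return every blocked option reachable from kwargs, in either spelling.

    Keys are checked after mapping to flag form; list/tuple values (a list of
    raw '--option' strings) are checked token by token.
    """
    blocked = frozenset(blocked)
    hits: List[str] = []
    for key, value in kwargs.items():
        flag = kwarg_to_flag(key)
        if flag in blocked:
            hits.append(flag)
        if isinstance(value, (list, tuple)):
            for token in value:
                if isinstance(token, str) and flag_name(token) in blocked:
                    hits.append(flag_name(token))
    return hits


def gate_git_kwargs(user_kwargs: Dict[str, Any],
                    allowed: Iterable[str]) -> Dict[str, Any]:
    """Allowlist pass-through for kwargs destined for GitPython.

    Keys outside `allowed` are dropped; any blocked option that survives
    (including inside list values) raises. Allowlist and denylist together,
    so an unexpected alias cannot slip through merely because the denylist
    did not anticipate it.
    """
    allowed = frozenset(allowed)
    filtered = {k: v for k, v in user_kwargs.items() if k in allowed}
    hits = find_blocked(filtered)
    if hits:
        raise UnsafeGitOptionError(f"blocked Git option(s) in kwargs: {hits}")
    return filtered


def is_safe(user_kwargs: Dict[str, Any], allowed: Iterable[str]) -> bool:
    """True when gate_git_kwargs would accept the input."""
    try:
        gate_git_kwargs(user_kwargs, allowed)
        return True
    except UnsafeGitOptionError:
        return False


if __name__ == "__main__":
    # Constructed request body, as an application might receive it over HTTP.
    untrusted = {"depth": 1, "branch": "main", "upload_pack": "<untrusted value>"}
    print(find_blocked(untrusted))                                  # ['--upload-pack']
    print(gate_git_kwargs(untrusted, allowed={"depth", "branch"}))  # {'depth': 1, 'branch': 'main'}
```

The allowlist alone would have dropped upload_pack here; the denylist matters for the case where the application legitimately forwards a list-valued option argument and a blocked flag is smuggled inside it, which is why find_blocked walks list values as well as keys.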

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1059.006 Python (Execution): Adversaries may abuse Python commands and scripts for execution.
T1203 Exploitation for Client Execution (Execution): Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

CWE-78 OS command injection in GitPython enables arbitrary command execution when attacker-controlled kwargs reach clone/fetch/pull/push methods, directly mapping to Python interpreter abuse and client-side exploitation.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42284 (same product: Gitpython Project Gitpython)
CVE-2026-44243 (same product: Gitpython Project Gitpython)
CVE-2026-44244 (same product: Gitpython Project Gitpython)
CVE-2026-44345 (shared CWE-78)
CVE-2026-26331 (shared CWE-78)
CVE-2025-56803 (shared CWE-78)
CVE-2026-5485 (shared CWE-78)
CVE-2026-40032 (shared CWE-78)
CVE-2026-33412 (shared CWE-78)
CVE-2024-14010 (shared CWE-78)

Affected Assets

Vendor: gitpython project
Product: gitpython
Versions: 3.1.30 — 3.1.47

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

Control (addresses CWE-78): Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

Control (addresses CWE-78): Validates inputs to block special elements that would alter OS command execution.
