Cyber Resilience

CVE-2026-42284

Severity: High · Public PoC · Patch available

Published: 07 May 2026
Modified: 08 May 2026
KEV Added: not listed
CVSS Score v3.1: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0057 (43.0th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-42284 is a high-severity Argument Injection (CWE-88) vulnerability in GitPython (CPE vendor "Gitpython Project", product "Gitpython"), a Python library for interacting with Git repositories. Its CVSS v3.1 base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). EPSS ranks it at the 43.0th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

Vulnerability details

GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.47, _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (it starts with --branch), but after split becomes ["--branch", "main", "--config", "core.hooksPath=/x"]. Git applies the config and executes attacker hooks during clone. This issue has been patched in version 3.1.47.

The root cause is a mismatch between what is checked and what is executed: the list that is validated is not the token list git receives, because every element containing whitespace is re-tokenised after the check. Any caller that lets untrusted input reach multi_options (for example a branch name taken from a request) is exposed on affected versions.
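To make the validate-then-resplit mismatch concrete, the following is an added Python illustration; it is not GitPython's own code. ALLOWED_OPTIONS, validate_as_list() and validate_tokens() are assumptions standing in for the pre-3.1.47 check and for one way to harden it; only the shlex.split(" ".join(multi_options)) step reproduces the behaviour the advisory describes, and the attacker input is constructed.

```python
"""Constructed illustration of the CVE-2026-42284 bypass.

Not GitPython's code: ALLOWED_OPTIONS, validate_as_list() and validate_tokens()
are assumptions that stand in for the pre-3.1.47 check and for a hardened
check.  args_git_receives() is the join-then-split step the advisory describes.
"""
import shlex

# Assumed allowlist (hypothetical): option name -> whether it takes a value.
ALLOWED_OPTIONS = {"--branch": True, "--depth": True, "--single-branch": False}


def option_name(token: str) -> str:
    """Option part of '--opt=value' / '--opt'; empty string for a plain value."""
    return token.split("=", 1)[0] if token.startswith("-") else ""


def validate_as_list(multi_options: list[str]) -> bool:
    """Pre-3.1.47 style check: inspects each element of the list as given.

    Only the leading word of each element is examined, so one element that
    carries several space-separated options passes on the strength of its
    first word.
    """
    return all(
        option_name(element.split(" ", 1)[0]) in ALLOWED_OPTIONS
        for element in multi_options
    )


def args_git_receives(multi_options: list[str]) -> list[str]:
    """The argv fragment git actually sees: the advisory's join-then-split."""
    return shlex.split(" ".join(multi_options))


def validate_tokens(multi_options: list[str]) -> bool:
    """Hardened check (assumption, not the 3.1.47 fix): validate the exact
    token list that reaches git, so re-tokenisation cannot smuggle in
    --config / -c or any other option outside the allowlist.
    """
    tokens = args_git_receives(multi_options)
    expect_value = False
    for token in tokens:
        if expect_value:  # this token is the value of the previous option
            expect_value = False
            continue
        name = option_name(token)
        if name not in ALLOWED_OPTIONS:  # stray positional ("") or unlisted option
            return False
        expect_value = ALLOWED_OPTIONS[name] and "=" not in token
    return not expect_value  # an option left without its value is rejected too


if __name__ == "__main__":
    # Constructed attacker input: one element, four tokens after splitting.
    payload = ["--branch main --config core.hooksPath=/x"]
    print("list check passes :", validate_as_list(payload))   # True  (bypass)
    print("git receives      :", args_git_receives(payload))
    print("token check passes:", validate_tokens(payload))    # False (caught)
```

The fix shape matters more than the allowlist: either validate the post-split list that is actually handed to the subprocess, or stop re-tokenising and pass each element of multi_options straight through as its own argv entry. Any check applied to a different object than the one executed leaves the same gap.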

CWE(s)

CWE-88 Improper Neutralization of Argument Delimiters in a Command ('Argument Injection')

Related Threats

MITRE ATT&CK Enterprise Techniques

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1203 Exploitation for Client Execution (Execution)
Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Argument injection (CWE-88) in GitPython's _clone() (before 3.1.47) lets attacker-controlled values in multi_options reach git as additional options such as --config core.hooksPath=..., so git runs attacker-supplied hook scripts during the clone: client-side code execution through a command interpreter.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-42215 (same product: Gitpython Project Gitpython)
CVE-2026-44243 (same product: Gitpython Project Gitpython)
CVE-2026-44244 (same product: Gitpython Project Gitpython)
CVE-2025-21613 (shared CWE-88)
CVE-2026-3515 (shared CWE-88)
CVE-2026-22583 (shared CWE-88)
CVE-2026-44193 (shared CWE-88)
CVE-2026-24061 (shared CWE-88)
CVE-2026-22582 (shared CWE-88)
CVE-2026-22168 (shared CWE-88)

Affected Assets

gitpython project · gitpython · versions < 3.1.47 (fixed in 3.1.47)

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References