Dulwich Vulnerable to Command Injection via Merge Driver Path
CVE-2026-42563

7.7HIGH

Key Information:

Vendor

Jelmer

Status
Dulwich
Vendor
CVE Published:
10 June 2026

What is CVE-2026-42563?

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's ProcessMergeDriver substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the %P placeholder and executes it with subprocess.run(..., shell=True). An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.

Affected Version(s)

dulwich >= 0.24.0, < 1.2.5

References

https://github.com/jelmer/dulwich/security/advisories/GHS...
x_refsource_CONFIRM
https://github.com/jelmer/dulwich/commit/e3331b3b3a122fc3...
x_refsource_MISC
https://github.com/jelmer/dulwich/releases/tag/dulwich-1.2.5
x_refsource_MISC

CVSS V4

Score:
7.7
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Attack Required:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.