CVE-2026-42563 HIGH

CVE-2026-42563: Dulwich Vulnerable to Command Injection via Merge Driver Path

Vendor Jelmer
Product dulwich
Weakness CWE-78
Published June 10, 2026
Last update June 12, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.24.0 and prior to version 1.2.5, Dulwich's `ProcessMergeDriver` substitutes the file path (from the git tree, controllable by an attacker via a malicious branch) into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. Version 1.2.5 fixes the issue.

Key dates

02Disclosure timeline

June 10, 2026 CVE published
June 12, 2026 Record updated