GHSA-MV93-W799-CJ2W: Remote Code Execution via Config Section Injection in GitPython

DEV Community·CVE Reports·24 days ago

Vulnerability ID: GHSA-MV93-W799-CJ2W
CVSS Score: 7.8
Published: 2026-05-08

GitPython versions prior to 3.1.50 are vulnerable to a newline injection attack in the config_writer() and set_value() methods. An incomplete fix for CVE-2026-44244 failed to sanitize the configuration section parameter, allowing an attacker to inject malicious Git configuration blocks such as [core] and override the hooksPath. This leads to unauthenticated remote code execution when subsequent Git operations trigger the injected hooks.

TL;DR

Newline injection in GitPython's config_writer section parameter allows attackers to override core.hooksPath and achieve Remote Code Execution.…
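For applications that cannot upgrade immediately, the sketch below shows a caller-side guard and an audit check. It is an added example, not code from GitPython or from the advisory: the function names, the sample config and the placeholder path are assumptions made for illustration. It rejects section, option and value strings containing line breaks before they reach any config writer, and scans existing config text for core.hooksPath assignments.

```python
import re

_BREAKOUT = re.compile(r"[\r\n\x00]")  # characters that end a config line
_HEADER = re.compile(r'^\s*\[\s*([A-Za-z0-9.-]+)(?:\s+"((?:[^"\\]|\\.)*)")?\s*\]')
_ASSIGN = re.compile(r"^\s*([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*?)\s*$")


def require_single_line(kind, text):
    """Raise ValueError if a section, option or value could span config lines."""
    if not isinstance(text, str) or _BREAKOUT.search(text):
        raise ValueError(f"{kind} must be a single-line string: {text!r}")
    return text


def find_hooks_path(config_text):
    """Return (line_number, value) for every core.hooksPath assignment found."""
    hits, section = [], None
    for number, line in enumerate(config_text.splitlines(), start=1):
        header = _HEADER.match(line)
        if header:
            # Section names are case-insensitive; a subsection is not plain [core].
            section = (header.group(1).lower(), header.group(2))
            line = line[header.end():]  # git allows "[core] key = value" on one line
        assign = _ASSIGN.match(line)
        if assign and section == ("core", None) and assign.group(1).lower() == "hookspath":
            hits.append((number, assign.group(2)))
    return hits


# Constructed sample: a repository config in which a [core] block follows [user].
SAMPLE_CONFIG = (
    "[user]\n"
    "\tname = Example Dev\n"
    "[core]\n"
    "\thooksPath = /placeholder/hooks\n"
    '[remote "origin"]\n'
    "\turl = https://example.invalid/repo.git\n"
)

if __name__ == "__main__":
    print(find_hooks_path(SAMPLE_CONFIG))
    for candidate in ("user", "user\n[core]"):
        try:
            require_single_line("section", candidate)
            print("accepted", repr(candidate))
        except ValueError as exc:
            print("rejected", exc)
```

A core.hooksPath entry is not malicious by itself; treat a hit as a prompt to confirm the path is one the repository owner set deliberately.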
