What is the CVSS score of CVE-2026-42215?

CVE-2026-42215 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of GitPython are affected by CVE-2026-42215?

GitPython versions 3.1.30 through 3.1.46 contain a command injection vulnerability allowing authenticated attackers to execute arbitrary commands through improperly validated function arguments,…. A patch is available.

Is there a public PoC exploit available for CVE-2026-42215?

Yes, a public proof-of-concept exploit is available for CVE-2026-42215. Prioritise patching immediately. EPSS: 0.1%.

GitPython CVE-2026-42215

EUVD-2026-28411 HIGH

OS Command Injection (CWE-78)

2026-05-07 GitHub_M

GHSA-rpm5-65cw-6hj4

Python Command Injection Suse

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 07, 2026 - 20:02 EUVD

Source Code Evidence Fetched

May 07, 2026 - 19:47 vuln.today

Analysis Generated

May 07, 2026 - 19:47 vuln.today

CVE Published

May 07, 2026 - 18:17 nvd

HIGH 8.8

Blast Radius

ecosystem impact

† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth

55 pypi packages depend on gitpython (55 direct, 0 indirect)

Ecosystem-wide dependent count for version 3.1.30.

DescriptionNVD

GitPython is a python library used to interact with Git repositories. From version 3.1.30 to before version 3.1.47, GitPython blocks dangerous Git options such as --upload-pack and --receive-pack by default, but the equivalent Python kwargs upload_pack and receive_pack bypass that check. If an application passes attacker-controlled kwargs into Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push(), this leads to arbitrary command execution even when allow_unsafe_options is left at its default value of False. This issue has been patched in version 3.1.47.

AnalysisAI

Command injection in GitPython 3.1.30-3.1.46 allows remote authenticated attackers to execute arbitrary commands via underscore-formatted kwargs that bypass unsafe option validation. Applications passing attacker-controlled kwargs to Repo.clone_from(), Remote.fetch(), Remote.pull(), or Remote.push() are vulnerable even when allow_unsafe_options=False (default). …

RemediationAI

Within 24 hours: Inventory all internal applications and dependencies using GitPython versions 3.1.30-3.1.46 via package managers and software composition analysis tools. Within 7 days: Upgrade GitPython to version 3.1.47 or later across all affected systems; test in staging environments first. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2026-9256 HIGH This Week

8.1 May 22

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows unauthenticated remote attackers

Vendor StatusVendor

CVE-2026-42215 vulnerability details – vuln.today

Back

GitPython CVE-2026-42215

CVSS VectorNVD

Lifecycle Timeline

Blast Radius

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

More from same product – last 7 days

Vendor StatusVendor

Share

External POC / Exploit Code