PT-2026-21303 · Unknown · Liquidprompt

Trey-Crystalpeak · Published 2026-02-20 · Updated 2026-04-22 · CVE-2026-27113

CVSS v3.1: 6.3 (Medium)
Vector: AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions
Liquid Prompt (affected versions not specified)

Description
Liquid Prompt, an adaptive prompt for Bash and Zsh, contains an arbitrary command injection flaw that can lead to code execution. This occurs when a user enters a directory within a Git repository that has a specially crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD configuration option to be enabled, gitstatusd to be installed and running before Liquid Prompt is loaded, and shell prompt substitution to be active. A branch name containing shell syntax, such as $(...) or backtick expressions, in either the default or a checked-out branch will be evaluated by the shell when the prompt is rendered. The vulnerable code is present on the master branch starting at commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c.

Recommendations
Set the LP_ENABLE_GITSTATUSD configuration option to 0.
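
An added audit sketch, not code from Liquid Prompt or from this advisory: it checks the three preconditions listed in the description and flags ref names that carry the `$` or backtick characters the description names. The function names and the sample ref names are hypothetical and constructed; treating any LP_ENABLE_GITSTATUSD value other than 0 as enabled is an assumption made here.

```shell
#!/bin/sh
# Added example, not Liquid Prompt code. Function names are hypothetical.

# Print every ref name read from stdin that contains '$' or a backtick,
# the characters that introduce the substitutions named in the advisory.
flag_suspicious_refs() {
    while IFS= read -r ref; do
        case $ref in
            *'$'*|*'`'*) printf '%s\n' "$ref" ;;
        esac
    done
}

# Return 0 (exposed) only when all three preconditions hold.
#   $1: effective value of LP_ENABLE_GITSTATUSD; anything other than 0
#       is treated as enabled (conservative assumption)
#   $2: 1 if gitstatusd was running before Liquid Prompt was loaded
#   $3: 1 if shell prompt substitution is active
lp_preconditions_met() {
    [ "$1" != 0 ] && [ "${2:-0}" = 1 ] && [ "${3:-0}" = 1 ]
}

# List local and remote-tracking branches of the repository at $1 from
# outside it (git -C), so the shell never renders a prompt in that tree.
scan_repo() {
    git -C "$1" for-each-ref --format='%(refname:short)' \
        refs/heads refs/remotes | flag_suspicious_refs
}

# Constructed sample input: two ordinary names, two with shell syntax.
sample_refs() {
    printf '%s\n' 'master' 'fix/$(id)' 'feature/login' 'topic/`id`'
}
```

`scan_repo /path/to/clone` prints nothing for a repository whose branch names are free of these characters; any output is a reason to inspect the repository before working in it with an affected configuration.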

Exploit

Fix

OS Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-27113
GHSA-Q6HM-VF4F-47JF

Affected Products

Liquidprompt