CVE-2026-42284

Name of the Vulnerable Software and Affected Versions GitPython versions prior to 3.1.47

Description GitPython is a Python library used to interact with Git repositories. The clone() function validates the multi options variable as an original list but then executes shlex.split(" ".join(multi options)). This allows a string that starts with a safe option, such as --branch, to pass validation while containing unsafe options like --config core.hooksPath=/x. After the split operation, the unsafe option becomes a separate token that Git applies, potentially leading to the execution of attacker-controlled hooks during the clone process. This issue also affects Submodule.update() via clone multi options. The vulnerability occurs when applications pass user-controlled input to clone from(), clone(), or Submodule.update().

Recommendations Update to version 3.1.47.