GitPython: Path traversal in GitPython reference APIs allows arbitrary file...

7.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P

Description

GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository’s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.

Basic Information

ID CVE-2026-44243

Source GitHub_M

Published May 7, 2026 at 18:22

Modified May 7, 2026 at 19:12

Affected Product

Vendor gitpython-developers

Product GitPython

Version < 3.1.48

Affected Versions gitpython-developers GitPython < 3.1.48

CWE Classification

CWE-22

References

{
    "lastseen": "",
    "description": "GitPython is a python library used to interact with Git repositories. Prior to version 3.1.48, a vulnerability in GitPython allows attackers who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository\u2019s .git directory via insufficient validation of reference paths in reference creation, rename, and delete operations. This issue has been patched in version 3.1.48.",
    "published": "2026-05-07T18:22:53.622Z",
    "modified": "2026-05-07T19:12:49.856Z",
    "type": "cve",
    "title": "GitPython: Path traversal in GitPython reference APIs allows arbitrary file write and delete outside the repository",
    "source": "GitHub_M",
    "references": "https://github.com/gitpython-developers/GitPython/security/advisories/GHSA-7545-fcxq-7j24\nhttps://github.com/gitpython-developers/GitPython/releases/tag/3.1.48",
    "id": "CVE-2026-44243",
    "bulletinFamily": "",
    "cwe": [
        "CWE-22"
    ],
    "cvelist": null,
    "sourceData": "gitpython-developers GitPython < 3.1.48",
    "sourceHref": "",
    "cvss": {
        "score": 7.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "GitPython",
    "version": "< 3.1.48",
    "vendor": "gitpython-developers",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

GitPython: Path traversal in GitPython reference APIs allows arbitrary file write and delete outside the repository_CVE-2026-44243