PatchSiren cyber security CVE debrief
CVE-2026-42563 jelmer CVE debrief
CVE-2026-42563 is a HIGH severity vulnerability in Dulwich, a pure-Python implementation of Git file formats and protocols. The vulnerability affects versions 0.24.0 to 1.2.4 of Dulwich. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. The vulnerability is due to the `ProcessMergeDriver` substituting the file path from the git tree into the merge driver command via the `%P` placeholder and executing it with `subprocess.run(..., shell=True)`. Version 1.2.5 of Dulwich fixes the issue.
- Vendor: jelmer
- Product: dulwich
- CVSS: HIGH 7.7
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-11
Who should care
Users of Dulwich, especially those who merge untrusted branches, should be aware of this vulnerability and take steps to mitigate it.
Technical summary
The `ProcessMergeDriver` in Dulwich substitutes the file path from the git tree into the merge driver command via the `%P` placeholder and executes the resulting string with `subprocess.run(..., shell=True)`. Because the path is inserted as raw text, shell metacharacters in it are parsed as command syntax rather than as part of a filename, so an attacker who controls file paths in a branch the victim merges can run arbitrary commands.
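The following added illustration shows the bug class described above beside two hardened forms. It is not Dulwich's code: the template, the placeholder set, the `subs` mapping and the sample path are all constructed for this example.

```python
import re
import shlex
import subprocess
from typing import Dict, List

# Hypothetical git-style placeholders: %O ancestor, %A ours, %B theirs, %P tree path
PLACEHOLDER = re.compile(r"%[OABP]")


def render_unsafe(template: str, subs: Dict[str, str]) -> str:
    """Vulnerable pattern (the CVE-2026-42563 bug class): raw text substitution
    into a command string that is then handed to subprocess.run(..., shell=True).
    Metacharacters in the untrusted %P path become shell syntax."""
    return PLACEHOLDER.sub(lambda m: subs[m.group(0)], template)


def render_quoted(template: str, subs: Dict[str, str]) -> str:
    """Mitigation 1: shell-quote every substituted value in a single pass, so the
    path is always exactly one literal argument even if shell=True is kept.
    Single-pass substitution avoids re-expanding placeholders inside values."""
    return PLACEHOLDER.sub(lambda m: shlex.quote(subs[m.group(0)]), template)


def build_argv(template: str, subs: Dict[str, str]) -> List[str]:
    """Mitigation 2 (preferred): tokenise the trusted template once, fill the
    placeholders per token, and run with shell=False so no shell ever parses
    the untrusted values."""
    return [PLACEHOLDER.sub(lambda m: subs[m.group(0)], tok)
            for tok in shlex.split(template)]


def run_merge_driver(template: str, subs: Dict[str, str]) -> int:
    """Execute the driver without a shell; the path is one argv element."""
    return subprocess.run(build_argv(template, subs), shell=False, check=False).returncode


# Constructed sample: a tree path containing a space and a semicolon.
SAMPLE_TEMPLATE = "merge-tool %O %A %B %P"
SAMPLE_SUBS = {"%O": "/tmp/base", "%A": "/tmp/ours",
               "%B": "/tmp/theirs", "%P": "notes/todo; list.txt"}

if __name__ == "__main__":
    print("unsafe :", render_unsafe(SAMPLE_TEMPLATE, SAMPLE_SUBS))
    print("quoted :", render_quoted(SAMPLE_TEMPLATE, SAMPLE_SUBS))
    print("argv   :", build_argv(SAMPLE_TEMPLATE, SAMPLE_SUBS))
```

In the unsafe rendering the `;` ends up unquoted in the command string, whereas the quoted rendering and the argv form both keep the whole path as a single argument.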
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to Dulwich version 1.2.5 or later.
- Avoid merging untrusted branches.
Evidence notes
The vulnerability is due to the insecure use of `subprocess.run(..., shell=True)` in the `ProcessMergeDriver`.
Official resources
CVE-2026-42563 was published on 2026-06-10T23:16:46.413Z and modified on 2026-06-11T15:21:07.370Z.