PatchSiren

Dulwich CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM Dulwich CVE published 2026-07-15

CVE-2026-38974

Dulwich through 1.1.0 was found to be missing SSH host key verification in contrib/paramiko_vendor.py. This issue was reported in the CVE record and the NVD entry is currently being reviewed. The vulnerability allows for potential man-in-the-middle attacks if an attacker can intercept and modify the communication between the client and server. Users of Dulwich through version 1.1.0 who utilize SSH connect [truncated]