PatchSiren

jelmer CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

LOW jelmer CVE published 2026-06-10

CVE-2026-47712

CVE-2026-47712 is a security vulnerability in Dulwich, a pure-Python implementation of Git file formats and protocols. It exists in the `dulwich.porcelain.format_patch` function, which derives patch filenames from commit subject lines. An attacker can exploit it by crafting a malicious commit subject that directs the generated patch file outside the requested output director [truncated]

HIGH jelmer CVE published 2026-06-10

CVE-2026-42563

CVE-2026-42563 is a HIGH-severity vulnerability in Dulwich, a pure-Python implementation of Git file formats and protocols. It affects Dulwich versions 0.24.0 to 1.2.4. An attacker who can cause a victim to merge an untrusted branch can achieve arbitrary command execution by crafting malicious file paths. The vulnerability is due to the `ProcessMergeDriver` substituting the file path fro [truncated]

HIGH jelmer CVE published 2026-06-10

CVE-2026-42305

Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing [truncated]