CVE-2026-44243
GitPython reference APIs have a path traversal vulnerability that allows arbitrary file write and delete outside the repository
CVSS 3.1: 7.1 (HIGH)
EPSS: 0.14%
Description
GitPython is a Python library used to interact with Git repositories. Prior to version 3.1.48, insufficient validation of reference paths in reference creation, rename, and delete operations allows an attacker who can supply a crafted reference path to an application using GitPython to write, overwrite, move, or delete files outside the repository's .git directory. This issue has been patched in version 3.1.48.
How to fix CVE-2026-44243
To remediate CVE-2026-44243, upgrade the affected package to a fixed version below.
- —no fix listed
- —upgrade to 3.1.48 or later
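Where an application passes caller-supplied reference names to GitPython, a containment check in front of the library call is a useful second layer alongside the upgrade. The following is an added example, not code from GitPython or from this advisory; `is_safe_ref_path`, the policy of allowing only names under `refs/`, and the sample inputs are assumptions made for illustration.

```python
import tempfile
from pathlib import Path, PurePosixPath


def is_safe_ref_path(git_dir, ref_path):
    """Return True only if ref_path stays under <git_dir>/refs (hypothetical helper)."""
    # Reject empty names and characters that change path meaning on some platforms.
    if not ref_path or any(c in ref_path for c in ("\x00", "\\", ":")):
        return False
    pure = PurePosixPath(ref_path)
    # Absolute paths and parent-directory components are never valid ref names.
    if pure.is_absolute() or ".." in pure.parts:
        return False
    # Assumed policy: callers may only name refs below refs/ (so HEAD is refused).
    if len(pure.parts) < 2 or pure.parts[0] != "refs":
        return False
    # Resolve symlinks, then confirm the final location is still inside refs/.
    refs_root = Path(git_dir).resolve() / "refs"
    target = (Path(git_dir).resolve() / pure).resolve()
    return refs_root in target.parents


def demo():
    """Run the check over constructed inputs in a throwaway directory."""
    with tempfile.TemporaryDirectory() as tmp:
        git_dir = Path(tmp) / "repo" / ".git"
        (git_dir / "refs" / "heads").mkdir(parents=True)
        outside = Path(tmp) / "outside"
        outside.mkdir()
        # Constructed symlink inside refs/ that points out of the repository.
        (git_dir / "refs" / "link").symlink_to(outside, target_is_directory=True)
        samples = [
            "refs/heads/feature/login",        # ordinary branch ref
            "refs/heads/../../../outside/x",   # parent-directory components
            "../outside/x",                    # escapes before reaching refs/
            "/tmp/x",                          # absolute path
            "refs/link/x",                     # lexically fine, symlink escapes
            "HEAD",                            # outside the assumed refs/ policy
        ]
        return {s: is_safe_ref_path(git_dir, s) for s in samples}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{'allow ' if ok else 'reject'}  {name}")
```

The symlink case is why the check resolves the final path instead of only inspecting the string.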
Is CVE-2026-44243 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0
- from 0, < 3.1.48
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N/E:P |
| osv | CVSS 3.1 | HIGH 7.1 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H |