Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-52726— Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload

CVSS 7.5 · High EPSS 0.45% · P36

Affected Version Matrix 1

VendorProductVersion RangeStatus
jelmerdulwich>= 0.23.2, < 1.2.5affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-52726

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
Dulwich's submodule path traversal in porcelain.submodule_update / porcelain.clone(recurse_submodules=True) yields RCE via attacker-dropped .git/hooks payload
Source: NVD (National Vulnerability Database)
Vulnerability Description
Dulwich is a pure-Python implementation of the Git file formats and protocols. Starting in version 0.23.2 and prior to version 1.2.5, `dulwich.porcelain.submodule_update`, and by extension `porcelain.clone(..., recurse_submodules=True)`, materializes attacker-controlled submodule paths from a crafted upstream repository without path validation. A malicious `.gitmodules` plus a matching tree gitlink whose `path` is `.git/hooks` (or any other directory inside the parent repository's `.git` directory) causes the attacker's submodule tree contents to be written directly into the victim's `.git/hooks/` directory, preserving executable mode bits. The dropped executables are then run by any subsequent `git` or `dulwich` command that invokes the matching hook, resulting in arbitrary code execution. This is the dulwich equivalent of the upstream Git fixes for CVE-2024-32002 / CVE-2024-32004, which were never propagated into dulwich's separately implemented submodule porcelain. Version 1.2.5 patches the issue.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对路径名的限制不恰当(路径遍历)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Dulwich 路径遍历漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Dulwich是Jelmer Vernooij个人开发者的一款纯Python实现的Git仓库操作接口。 Dulwich 0.23.2版本至1.2.5之前版本存在路径遍历漏洞,该漏洞源于porcelain.submodule_update方法未验证子模块路径,导致恶意.gitmodules可将子模块内容写入.git/hooks目录,从而执行任意代码。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
jelmerdulwich >= 0.23.2, < 1.2.5 -

II. Public POCs for CVE-2026-52726

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium
Qwen3.6-35B-A3B · 9758 chars
Pro+ exclusive includes:
Vulnerability reproduction recording (real sandbox build + trigger, exclusive)
In-depth vulnerability mechanism
Trigger conditions & impact
Full executable POC code
Exploit chain & mitigation
POC zip download
100+ AI POC generations per month

III. Intelligence Information for CVE-2026-52726

登录查看更多情报信息。

Vendor Advisories for CVE-2026-52726 (1)

Vendor Pages for CVE-2026-52726 (1)

Same Patch Batch · jelmer · 2026-06-10 · 5 CVEs total

CVE-2026-423058.8 HIGHDulwich has an arbitrary file write via NTFS-hostile tree entries on Windows
CVE-2026-477345.7 MEDIUMDulwich has unbounded memory allocation in receive-pack from crafted thin packs
CVE-2026-477123.3 LOWDulwich doesn't sanitize commit subjects in `porcelain.format_patch`
CVE-2026-42563Dulwich Vulnerable to Command Injection via Merge Driver Path

IV. Related Vulnerabilities

V. Comments for CVE-2026-52726

No comments yet


Leave a comment