Tag
Dulwich is vulnerable to command injection (CVE-2026-42563). By injecting malicious file paths through a crafted git tree, an attacker can achieve arbitrary command execution when a victim merges an untrusted branch because the `ProcessMergeDriver` substitutes the file path into the merge driver command via the `%P` placeholder and executes it with `subprocess.run(..., shell=True)`.