{"@context":"https://openvex.dev/ns/v0.2.0","@id":"https://database.harborguard.co/cve/CVE-2026-42305/vex.json","author":"HarborGuard Database","role":"Document Creator","timestamp":"2026-06-12T03:55:29.808Z","version":1,"tooling":"HarborGuard Database (https://database.harborguard.co)","statements":[{"vulnerability":{"name":"CVE-2026-42305","@id":"https://www.cve.org/CVERecord?id=CVE-2026-42305","description":"Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accepted tree entries whose filenames contained bytes that Windows interprets as structural path syntax. Contributing configuration bugs made matters worse. The core.protectNTFS and core.protectHFS settings we"},"products":[{"@id":"cpe:2.3:a:jelmer:dulwich:\\>\\=_0.10.0\\,_\\<_1.2.5:*:*:*:*:*:*:*","identifiers":{"cpe23":"cpe:2.3:a:jelmer:dulwich:\\>\\=_0.10.0\\,_\\<_1.2.5:*:*:*:*:*:*:*"}}],"status":"affected","action_statement":"No fixed version is published yet; monitor the upstream advisory.","timestamp":"2026-06-12T03:55:29.808Z"}]}