CVE-2026-27113
中文标题:
(暂无数据)
英文标题:
Liquid Prompt arbitrary command injection via crafted Git branch names in gitstatusd backend
漏洞描述
中文描述:
(暂无数据)
英文描述:
Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via "shopt -s promptvars", not enabled by default in Zsh). A branch name containing shell syntax such as "$(...)" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.
CWE类型:
标签:
受影响产品
| 厂商 | 产品 | 版本 | 版本范围 | 平台 | CPE |
|---|---|---|---|---|---|
| liquidprompt | liquidprompt | >= cf3441250bb5d8b45f6f8b389fcdf427a99ac28a, < a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c | - | - |
cpe:2.3:a:liquidprompt:liquidprompt:>=_cf3441250bb5d8b45f6f8b389fcdf427a99ac28a,_<_a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c:*:*:*:*:*:*:*
|
解决方案
中文解决方案:
英文解决方案:
临时解决方案:
CVSS评分详情
3.1 (cna)
MEDIUMCVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
时间信息
利用信息
数据源详情
| 数据源 | 记录ID | 版本 | 提取时间 |
|---|---|---|---|
| CVE | cve_CVE-2026-27113 |
2026-02-21 03:19:36 | 2026-02-20 22:00:02 |
| NVD | nvd_CVE-2026-27113 |
2026-02-21 02:00:05 | 2026-02-20 22:00:05 |
版本与语言
安全公告
变更历史
查看详细变更
- data_sources: ['cve'] -> ['cve', 'nvd']