CVE-2026-27113 (GCVE-0-2026-27113)

Vulnerability from cvelistv5 – Published: 2026-02-20 21:34 – Updated: 2026-02-23 19:39
VLAI?
Title
Liquid Prompt arbitrary command injection via crafted Git branch names in gitstatusd backend
Summary
Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via "shopt -s promptvars", not enabled by default in Zsh). A branch name containing shell syntax such as "$(...)" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.
Severity ?
6.3 (Medium)
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE
  • CWE-78 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
Assigner
References
Impacted products
Vendor Product Version
liquidprompt liquidprompt Affected: >= cf3441250bb5d8b45f6f8b389fcdf427a99ac28a, < a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c
Create a notification for this product.
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-27113",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-02-23T19:36:21.539868Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-02-23T19:39:02.895Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "liquidprompt",
          "vendor": "liquidprompt",
          "versions": [
            {
              "status": "affected",
              "version": "\u003e= cf3441250bb5d8b45f6f8b389fcdf427a99ac28a, \u003c a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via \"shopt -s promptvars\", not enabled by default in Zsh). A branch name containing shell syntax such as \"$(...)\" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "LOCAL",
            "availabilityImpact": "NONE",
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "NONE",
            "scope": "UNCHANGED",
            "userInteraction": "REQUIRED",
            "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N",
            "version": "3.1"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-78",
              "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-20T21:34:22.107Z",
        "orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
        "shortName": "GitHub_M"
      },
      "references": [
        {
          "name": "https://github.com/liquidprompt/liquidprompt/security/advisories/GHSA-q6hm-vf4f-47jf",
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://github.com/liquidprompt/liquidprompt/security/advisories/GHSA-q6hm-vf4f-47jf"
        },
        {
          "name": "https://github.com/liquidprompt/liquidprompt/commit/a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c",
          "tags": [
            "x_refsource_MISC"
          ],
          "url": "https://github.com/liquidprompt/liquidprompt/commit/a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c"
        }
      ],
      "source": {
        "advisory": "GHSA-q6hm-vf4f-47jf",
        "discovery": "UNKNOWN"
      },
      "title": "Liquid Prompt arbitrary command injection via crafted Git branch names in gitstatusd backend"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
    "assignerShortName": "GitHub_M",
    "cveId": "CVE-2026-27113",
    "datePublished": "2026-02-20T21:34:22.107Z",
    "dateReserved": "2026-02-17T18:42:27.042Z",
    "dateUpdated": "2026-02-23T19:39:02.895Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-27113\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-02-20T22:16:29.503\",\"lastModified\":\"2026-02-23T18:14:13.887\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via \\\"shopt -s promptvars\\\", not enabled by default in Zsh). A branch name containing shell syntax such as \\\"$(...)\\\" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N\",\"baseScore\":6.3,\"baseSeverity\":\"MEDIUM\",\"attackVector\":\"LOCAL\",\"attackComplexity\":\"HIGH\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"REQUIRED\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":1.0,\"impactScore\":5.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-78\"}]}],\"references\":[{\"url\":\"https://github.com/liquidprompt/liquidprompt/commit/a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/liquidprompt/liquidprompt/security/advisories/GHSA-q6hm-vf4f-47jf\",\"source\":\"security-advisories@github.com\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-27113\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"no\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-02-23T19:36:21.539868Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-02-23T19:38:40.468Z\"}}], \"cna\": {\"title\": \"Liquid Prompt arbitrary command injection via crafted Git branch names in gitstatusd backend\", \"source\": {\"advisory\": \"GHSA-q6hm-vf4f-47jf\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 6.3, \"attackVector\": \"LOCAL\", \"baseSeverity\": \"MEDIUM\", \"vectorString\": \"CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N\", \"integrityImpact\": \"HIGH\", \"userInteraction\": \"REQUIRED\", \"attackComplexity\": \"HIGH\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}], \"affected\": [{\"vendor\": \"liquidprompt\", \"product\": \"liquidprompt\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= cf3441250bb5d8b45f6f8b389fcdf427a99ac28a, \u003c a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c\"}]}], \"references\": [{\"url\": \"https://github.com/liquidprompt/liquidprompt/security/advisories/GHSA-q6hm-vf4f-47jf\", \"name\": \"https://github.com/liquidprompt/liquidprompt/security/advisories/GHSA-q6hm-vf4f-47jf\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/liquidprompt/liquidprompt/commit/a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c\", \"name\": \"https://github.com/liquidprompt/liquidprompt/commit/a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via \\\"shopt -s promptvars\\\", not enabled by default in Zsh). A branch name containing shell syntax such as \\\"$(...)\\\" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-78\", \"description\": \"CWE-78: Improper Neutralization of Special Elements used in an OS Command (\u0027OS Command Injection\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-02-20T21:34:22.107Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-27113\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-02-23T19:39:02.895Z\", \"dateReserved\": \"2026-02-17T18:42:27.042Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-02-20T21:34:22.107Z\", \"assignerShortName\": \"GitHub_M\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.