PYSEC-2026-293
Vulnerability from pysec - Published: 2026-06-29 11:50 - Updated: 2026-06-29 12:05
Details
Summary
bbot's gitdumper.py insufficiently sanitises a .git/config file, leading to Remote Code Execution (RCE).
bbot's gitdumper.py can be made to consume a malicious .git/index file, leading to arbitrary file write which can be used to achieve Remote Code Execution (RCE).
Impact
A user who uses bbot to scan a malicious webserver may have arbitrary code executed on their system.
Severity
9.6 (Critical)
Impacted products
| Name | purl |
|---|---|
| bbot | pkg:pypi/bbot |
Aliases
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "bbot"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.7.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2025-10283",
"GHSA-h6m2-r6h9-4c44"
],
"details": "### Summary\n\nbbot\u0027s `gitdumper.py` insufficiently sanitises a `.git/config` file, leading to Remote Code Execution (RCE).\n\nbbot\u0027s `gitdumper.py` can be made to consume a malicious `.git/index` file, leading to arbitrary file write which can be used to achieve Remote Code Execution (RCE).\n\n### Impact\n\nA user who uses bbot to scan a malicious webserver may have arbitrary code executed on their system.",
"id": "PYSEC-2026-293",
"modified": "2026-06-29T12:05:21.720055Z",
"published": "2026-06-29T11:50:36.804691Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/blacklanternsecurity/bbot/security/advisories/GHSA-h6m2-r6h9-4c44"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10283"
},
{
"type": "WEB",
"url": "https://github.com/blacklanternsecurity/bbot/commit/0ede97fa887de33fcfd1378b4213a09c21dc6140"
},
{
"type": "WEB",
"url": "https://blog.blacklanternsecurity.com/p/bbot-security-advisory-gitdumper"
},
{
"type": "PACKAGE",
"url": "https://github.com/blacklanternsecurity/bbot"
},
{
"type": "PACKAGE",
"url": "https://pypi.org/project/bbot"
},
{
"type": "ADVISORY",
"url": "https://github.com/advisories/GHSA-h6m2-r6h9-4c44"
}
],
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "BBOT\u0027s insufficient sanitization issues in gitdumper.py can lead to RCE"
}
Sightings
| Author | Source | Type | Date | Other |
|---|---|---|---|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.