UBUNTU-CVE-2026-27113

See a problem?
Please try reporting it to the source first.

Source

https://ubuntu.com/security/CVE-2026-27113

Import Source

https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27113.json

JSON Data

https://api.osv.dev/v1/vulns/UBUNTU-CVE-2026-27113

Upstream

CVE-2026-27113

Published

2026-02-20T22:16:00Z

Modified

2026-02-27T09:59:13Z

Severity

6.3 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVSS Calculator
Ubuntu - medium

Summary

[none]

Details

Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LPENABLEGITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via "shopt -s promptvars", not enabled by default in Zsh). A branch name containing shell syntax such as "$(...)" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LPENABLEGITSTATUSD config option to 0.

References

Affected packages

Ubuntu:16.04:LTS

liquidprompt

Package

Name: liquidprompt
Purl: pkg:deb/ubuntu/liquidprompt@1.9-5?arch=source&distro=xenial

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.9-3

1.9-4

1.9-5

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liquidprompt",
            "binary_version": "1.9-5"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27113.json"

Ubuntu:18.04:LTS

liquidprompt

Package

Name: liquidprompt
Purl: pkg:deb/ubuntu/liquidprompt@1.11-3ubuntu1?arch=source&distro=bionic

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11-3

1.11-3ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liquidprompt",
            "binary_version": "1.11-3ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27113.json"

Ubuntu:20.04:LTS

liquidprompt

Package

Name: liquidprompt
Purl: pkg:deb/ubuntu/liquidprompt@1.11-3ubuntu1?arch=source&distro=focal

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11-3ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liquidprompt",
            "binary_version": "1.11-3ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27113.json"

Ubuntu:22.04:LTS

liquidprompt

Package

Name: liquidprompt
Purl: pkg:deb/ubuntu/liquidprompt@1.11-3ubuntu1?arch=source&distro=jammy

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

1.*

1.11-3ubuntu1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liquidprompt",
            "binary_version": "1.11-3ubuntu1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27113.json"

Ubuntu:24.04:LTS

liquidprompt

Package

Name: liquidprompt
Purl: pkg:deb/ubuntu/liquidprompt@2.1.2-1?arch=source&distro=noble

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.1.2-1

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liquidprompt",
            "binary_version": "2.1.2-1"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27113.json"

Ubuntu:25.10

liquidprompt

Package

Name: liquidprompt
Purl: pkg:deb/ubuntu/liquidprompt@2.2.1-2?arch=source&distro=questing

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Affected versions

2.*

2.1.2-1

2.2.1-2

Ecosystem specific

{
    "binaries": [
        {
            "binary_name": "liquidprompt",
            "binary_version": "2.2.1-2"
        }
    ]
}

Database specific

source

"https://github.com/canonical/ubuntu-security-notices/blob/main/osv/cve/2026/UBUNTU-CVE-2026-27113.json"