Description
Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via "shopt -s promptvars", not enabled by default in Zsh). A branch name containing shell syntax such as "$(...)" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.
Published: 2026-02-20
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Arbitrary Code Execution (local attack vector, CVSS AV:L)
Action: Patch or Disable
AI Analysis

Impact

Liquid Prompt, an adaptive prompt for Bash and Zsh, contains a command injection flaw (CWE-78) in its gitstatusd backend. When LP_ENABLE_GITSTATUSD is enabled and gitstatusd is running, the branch name reported by gitstatusd is spliced into the prompt string as text. With prompt substitution active, the shell expands that string every time the prompt is drawn, so a branch name containing $(...) or backticks is executed as a command with the privileges of the user's interactive shell. The attacker is whoever controls a branch name the victim will see: anyone who can push a branch to a repository the victim clones and checks out, or who can make a crafted branch the default branch of a repository the victim enters. Because the command runs inside the victim's own shell, the result is compromise of the local user account and everything it can reach.
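The mechanism described above, as an added example that is not Liquid Prompt's own code: a minimal POSIX-sh model of how a crafted branch name reaches prompt expansion, with the vulnerable splice beside the hardened variable reference. The function names, the "git:(...)" prompt template and the branch names are constructed for illustration; the eval stands in for the expansion Bash performs on PS1 when promptvars is set.

```shell
#!/bin/sh
# Added example (not Liquid Prompt's code). Bash with "shopt -s promptvars"
# runs parameter expansion, command substitution and arithmetic expansion on
# PS1 every time the prompt is drawn. The two render functions below simulate
# that single expansion step with one eval of a double-quoted string. Real
# prompt code never evals; the simulation only models what expansion does to
# a branch name and would choke on a name containing a double quote.

# Constructed payload: a syntactically valid Git ref name (Git allows '$',
# '(', ')' and backticks in branch names) that carries a command substitution.
CRAFTED_BRANCH='feat/$(echo INJECTED)'

# Vulnerable pattern: the branch name is spliced into the prompt template as
# text, so the template itself now contains "$(...)" and expansion runs it.
lp_render_unsafe() {
    branch="$1"
    ps1="git:(${branch})"            # template now holds the raw $(...)
    eval "rendered=\"${ps1}\""       # stands in for promptvars expansion
    printf '%s' "$rendered"
}

# Hardened pattern: the template only ever contains the literal text
# '${_lp_branch}'. Expansion substitutes the variable's value once and the
# value is never re-parsed, so "$(...)" and backticks come out as plain text.
lp_render_safe() {
    _lp_branch="$1"
    ps1='git:(${_lp_branch})'        # single quotes: nothing expands here
    eval "rendered=\"${ps1}\""
    printf '%s' "$rendered"
}

# Triage helper: flag ref names that carry characters prompt expansion acts
# on. Git already forbids backslash in ref names, so '$' and backtick are the
# ones that matter. Useful when auditing the branches of an untrusted
# repository before cd'ing into it with a prompt that embeds branch names.
lp_branch_is_suspicious() {
    case "$1" in
        *'$'*|*'`'*) return 0 ;;
        *) return 1 ;;
    esac
}

# Demonstration on the constructed payload.
printf 'unsafe render: %s\n' "$(lp_render_unsafe "$CRAFTED_BRANCH")"
printf 'safe render:   %s\n' "$(lp_render_safe "$CRAFTED_BRANCH")"
if lp_branch_is_suspicious "$CRAFTED_BRANCH"; then
    printf 'flagged branch: %s\n' "$CRAFTED_BRANCH"
fi
```

The safe variant is the same idea the description points at when it contrasts prompt substitution being on or off: expansion is harmless as long as untrusted text is only ever the value of a variable, never part of the prompt template. Running the audit helper over `git for-each-ref --format='%(refname:short)'` output on a freshly cloned repository gives a quick answer before the prompt gets a chance to render a crafted name.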

Affected Systems

The affected product is Liquid Prompt (liquidprompt:liquidprompt). Only the master branch of the official GitHub repository contains the vulnerable code: it was introduced in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and removed in commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c. No tagged release is affected. Users who install or update Liquid Prompt from the master branch rather than from a tagged release are at risk if their checkout falls within that commit range.

Risk and Exploitability

The CVSS v3.1 score is 6.3 (Medium; vector AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N) and the EPSS score is below 1%: the impact on confidentiality and integrity is high, but the local attack vector, high attack complexity and required user interaction make exploitation unlikely in practice. The issue is not listed in CISA's KEV catalog. Three conditions must all hold: LP_ENABLE_GITSTATUSD must be enabled (the default), gitstatusd must be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution must be active (on by default in Bash via shopt -s promptvars, off by default in Zsh). The user must also enter a directory of a repository whose default or checked-out branch carries the crafted name. Because all of these depend on the user's own environment, widespread exploitation is unlikely, but a developer who runs gitstatusd and clones untrusted repositories meets every precondition.

Generated by OpenCVE AI on April 17, 2026 at 17:07 UTC.

Remediation

A fix is available in commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch; no stable release was affected. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.

OpenCVE Recommended Actions

  • Update a master-branch checkout of Liquid Prompt to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c or later, or move to a tagged stable release, none of which contain the vulnerable commit.
  • If an upgrade is not feasible, disable gitstatusd integration by setting LP_ENABLE_GITSTATUSD=0 in your Liquid Prompt configuration.
  • As an additional safeguard, do not have gitstatusd running before Liquid Prompt is loaded (stop or remove it, or start it only afterwards); the vulnerable backend is used only when gitstatusd is already started when Liquid Prompt initializes.



Advisories

No advisories yet.

History

Mon, 23 Feb 2026 21:15:00 +0000

Type: Metrics (ssvc)
Values removed: (none)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 23 Feb 2026 15:00:00 +0000

Type: First Time appeared
Values removed: (none)
Values added: Liquidprompt; Liquidprompt liquidprompt
Type: Vendors & Products
Values removed: (none)
Values added: Liquidprompt; Liquidprompt liquidprompt

Fri, 20 Feb 2026 21:45:00 +0000

Type: Description
Values removed: (none)
Values added: Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and prior to commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c on the master branch, arbitrary command injection can lead to code execution when a user enters a directory in a Git repository containing a crafted branch name. Exploitation requires the LP_ENABLE_GITSTATUSD config option to be enabled (enabled by default), gitstatusd to be installed and started before Liquid Prompt is loaded (not the default), and shell prompt substitution to be active (enabled by default in Bash via "shopt -s promptvars", not enabled by default in Zsh). A branch name containing shell syntax such as "$(...)" or backtick expressions in the default branch or a checked-out branch will be evaluated by the shell when the prompt is rendered. No stable release is affected; only the master branch contains the vulnerable commit. Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.
Type: Title
Values removed: (none)
Values added: Liquid Prompt arbitrary command injection via crafted Git branch names in gitstatusd backend
Type: Weaknesses
Values removed: (none)
Values added: CWE-78
Type: References
Values removed: (none)
Values added: (none)
Type: Metrics (cvssV3_1)
Values removed: (none)
Values added: {'score': 6.3, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-23T19:39:02.895Z

Reserved: 2026-02-17T18:42:27.042Z

Link: CVE-2026-27113

Vulnrichment

Updated: 2026-02-23T19:38:40.468Z

NVD

Status : Deferred

Published: 2026-02-20T22:16:29.503

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-27113

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-17T17:15:23Z

Weaknesses