CVE-2026-27113: Liquid Prompt is an adaptive prompt for Bash and Zsh. Starting in commit cf3441250bb5d8b45f6f8b389fcdf427a99ac28a and pr
Summary
Liquid Prompt, a customizable shell prompt tool for Bash and Zsh, has a vulnerability where malicious Git branch names can execute arbitrary commands (code injection, where attackers trick software into running unintended code) if certain settings are enabled. The vulnerability only affects the development version and requires specific configurations to be active, including the LP_ENABLE_GITSTATUSD option enabled by default and gitstatusd running beforehand.
Solution / Mitigation
Commit a4f6b8d8c90b3eaa33d13dfd1093062ab9c4b30c contains a fix. As a workaround, set the LP_ENABLE_GITSTATUSD config option to 0.
Vulnerability Details
6.3(medium)
EPSS: 0.0%
Classification
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-27113
First tracked: February 20, 2026 at 07:07 PM
Classified by LLM (prompt v3) · confidence: 95%