CVE-2026-25761
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Lifecycle Timeline
2Description
Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1.
Analysis
Command injection in GitHub Super-linter versions 6.0.0 through 8.3.0 allows attackers to execute arbitrary commands in workflow runner contexts by submitting pull requests with maliciously crafted filenames containing shell command substitution syntax. An attacker exploiting this vulnerability can access sensitive workflow credentials, including GITHUB_TOKEN, depending on permission configurations. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Audit all GitHub Actions workflows using Super-linter and identify affected versions (6.0.0-8.3.0). Within 7 days: Implement input validation on filenames processed by Super-linter and restrict workflow permissions to minimum required scope. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today