What is the CVSS score of CVE-2026-42603?

CVE-2026-42603 has a CVSS 3.1 base score of 8.8 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of OWASP BLT are affected by CVE-2026-42603?

OWASP BLT versions before 2.1.2 contain a remote code execution vulnerability in GitHub Actions workflows that allows attackers to execute arbitrary code with repository write permissions through…. A patch is available.

OWASP BLT CVE-2026-42603

EUVD-2026-29126 HIGH

Code Injection (CWE-94)

2026-05-11 GitHub_M

RCE Code Injection

8.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Patch available

May 11, 2026 - 18:17 EUVD

Analysis Generated

May 11, 2026 - 16:47 vuln.today

CVE Published

May 11, 2026 - 16:11 nvd

HIGH 8.8

DescriptionNVD

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.

AnalysisAI

Remote code execution in OWASP BLT versions prior to 2.1.2 enables attackers to execute arbitrary code with repository write permissions via malicious GitHub pull requests. The vulnerability exploits a GitHub Actions workflow misconfiguration where pull_request_target triggers execute code directly from attacker-controlled forks without proper validation. …

RemediationAI

Within 24 hours: Identify all repositories running OWASP BLT versions prior to 2.1.2 and disable pull_request_target workflows or restrict them to trusted branches only. Within 7 days: Implement GitHub branch protection rules requiring code review before merge and audit recent pull request activity for suspicious commits. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-42603 vulnerability details – vuln.today

Back

OWASP BLT CVE-2026-42603

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code