Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Lifecycle Timeline
3DescriptionGitHub Advisory
Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script run_tests_model_gen_and_load.py. The shell interprets the expanded string before invoking Python, allowing an attacker to break out of the quotes and execute arbitrary commands on the runner. The pull_request trigger fires on PRs targeting any branch (branches: ['*']), with no additional access gate. This vulnerability is fixed by the 998e390e80a7e8192d7849b7784bc113dbd190ad commit.
AnalysisAI
{{ github.event.pull_request.title }} directly into bash double-quoted strings across four steps in four separate jobs, enabling shell escape via crafted PR title content. No public exploit has been identified and EPSS stands at 0.03% (10th percentile), though the supply-chain nature of this CI-targeting vulnerability means successful exploitation could expose repository secrets and runner tokens.
Technical ContextAI
This is a GitHub Actions expression injection vulnerability rooted in CWE-78 (OS Command Injection). GitHub Actions workflows evaluate ${{ }} expressions before the shell runtime executes the run: step script, meaning the PR title string is substituted directly into the bash script text. When placed inside double-quoted bash arguments - as seen in the four affected steps passing --skip_pr_tests '${{ github.event.pull_request.title }}' - an attacker can include shell metacharacters (e.g., "; malicious_cmd; ") to break out of the quoted context and inject arbitrary commands. The workflow uses a pull_request trigger scoped to all branches (branches: ['*']), so any fork-and-PR submission activates the vulnerable jobs. The fix, confirmed in commit 998e390e80a7e8192d7849b7784bc113dbd190ad, moves the PR title into an environment variable (PR_TITLE: ${{ github.event.pull_request.title }}) which is then referenced as $PR_TITLE in the shell - this correctly prevents expression interpolation from being interpreted as shell syntax. The affected CPE is cpe:2.3:a:vowpalwabbit:vowpal_wabbit:*:*:*:*:*:*:*:*.
RemediationAI
Upstream fix available via commit 998e390e80a7e8192d7849b7784bc113dbd190ad; a released tagged version containing this fix has not been independently confirmed beyond the commit reference. Repository maintainers and forks running this workflow should apply the fix by updating .github/workflows/python_checks.yml to pass ${{ github.event.pull_request.title }} as an environment variable (e.g., env: PR_TITLE: ${{ github.event.pull_request.title }}) and reference $PR_TITLE in the shell run step rather than embedding the expression directly. As a compensating control prior to patching, maintainers can restrict the pull_request trigger to require the pull_request_target event type combined with explicit approval gates, preventing untrusted fork PRs from executing workflows with access to repository secrets - note this changes the workflow trigger model and may affect CI coverage for external contributors. The fix commit and advisory are at https://github.com/VowpalWabbit/vowpal_wabbit/commit/998e390e80a7e8192d7849b7784bc113dbd190ad and https://github.com/VowpalWabbit/vowpal_wabbit/security/advisories/GHSA-cg2g-xgg7-3xxq respectively.
Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t
BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser
pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi
The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica
OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph
pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.
In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse
Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/
pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne
Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301
Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31902