Skip to main content

Vowpal Wabbit CVE-2026-44723

| EUVDEUVD-2026-31902 MEDIUM
OS Command Injection (CWE-78)
2026-05-26 GitHub_M
5.0
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.0 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 12:33 vuln.today
Analysis Generated
Jun 08, 2026 - 12:33 vuln.today
Patch available
May 26, 2026 - 18:02 EUVD

DescriptionGitHub Advisory

Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pull_request.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script run_tests_model_gen_and_load.py. The shell interprets the expanded string before invoking Python, allowing an attacker to break out of the quotes and execute arbitrary commands on the runner. The pull_request trigger fires on PRs targeting any branch (branches: ['*']), with no additional access gate. This vulnerability is fixed by the 998e390e80a7e8192d7849b7784bc113dbd190ad commit.

AnalysisAI

{{ github.event.pull_request.title }} directly into bash double-quoted strings across four steps in four separate jobs, enabling shell escape via crafted PR title content. No public exploit has been identified and EPSS stands at 0.03% (10th percentile), though the supply-chain nature of this CI-targeting vulnerability means successful exploitation could expose repository secrets and runner tokens.

Technical ContextAI

This is a GitHub Actions expression injection vulnerability rooted in CWE-78 (OS Command Injection). GitHub Actions workflows evaluate ${{ }} expressions before the shell runtime executes the run: step script, meaning the PR title string is substituted directly into the bash script text. When placed inside double-quoted bash arguments - as seen in the four affected steps passing --skip_pr_tests '${{ github.event.pull_request.title }}' - an attacker can include shell metacharacters (e.g., "; malicious_cmd; ") to break out of the quoted context and inject arbitrary commands. The workflow uses a pull_request trigger scoped to all branches (branches: ['*']), so any fork-and-PR submission activates the vulnerable jobs. The fix, confirmed in commit 998e390e80a7e8192d7849b7784bc113dbd190ad, moves the PR title into an environment variable (PR_TITLE: ${{ github.event.pull_request.title }}) which is then referenced as $PR_TITLE in the shell - this correctly prevents expression interpolation from being interpreted as shell syntax. The affected CPE is cpe:2.3:a:vowpalwabbit:vowpal_wabbit:*:*:*:*:*:*:*:*.

RemediationAI

Upstream fix available via commit 998e390e80a7e8192d7849b7784bc113dbd190ad; a released tagged version containing this fix has not been independently confirmed beyond the commit reference. Repository maintainers and forks running this workflow should apply the fix by updating .github/workflows/python_checks.yml to pass ${{ github.event.pull_request.title }} as an environment variable (e.g., env: PR_TITLE: ${{ github.event.pull_request.title }}) and reference $PR_TITLE in the shell run step rather than embedding the expression directly. As a compensating control prior to patching, maintainers can restrict the pull_request trigger to require the pull_request_target event type combined with explicit approval gates, preventing untrusted fork PRs from executing workflows with access to repository secrets - note this changes the workflow trigger model and may affect CI coverage for external contributors. The fix commit and advisory are at https://github.com/VowpalWabbit/vowpal_wabbit/commit/998e390e80a7e8192d7849b7784bc113dbd190ad and https://github.com/VowpalWabbit/vowpal_wabbit/security/advisories/GHSA-cg2g-xgg7-3xxq respectively.

More in Python

View all
CVE-2025-24016 CRITICAL POC
9.9 Feb 10

Wazuh SIEM platform versions 4.4.0 through 4.9.0 contain an unsafe deserialization vulnerability in the DistributedAPI t

CVE-2025-27520 CRITICAL POC
9.8 Apr 04

BentoML version 1.4.2 and earlier contains an unauthenticated remote code execution vulnerability through insecure deser

CVE-2025-2945 CRITICAL POC
9.9 Apr 03

pgAdmin 4 contains critical remote code execution vulnerabilities in the Query Tool download and Cloud Deployment endpoi

CVE-2013-5093 MEDIUM POC
6.8 Sep 27

The renderLocalView function in render/views.py in graphite-web in Graphite 0.9.5 through 0.9.10 uses the pickle Python

CVE-2025-32375 CRITICAL POC
9.8 Apr 09

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Rated critica

CVE-2014-0224 HIGH POC
7.4 Jun 05

OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h does not properly restrict processing of ChangeCiph

CVE-2024-21644 HIGH POC
7.5 Jan 08

pyLoad download manager version prior to 0.5.0b3.dev77 exposes the Flask SECRET_KEY through an unauthenticated endpoint.

CVE-2017-9462 HIGH POC
8.8 Jun 06

In Mercurial before 4.1.3, "hg serve --stdio" allows remote authenticated users to launch the Python debugger, and conse

CVE-2026-39987 CRITICAL POC
9.3 Apr 08

Unauthenticated remote code execution in Marimo ≤0.20.4 allows attackers to execute arbitrary system commands via the `/

CVE-2024-21645 MEDIUM POC
5.3 Jan 08

pyLoad is the free and open-source Download Manager written in pure Python. Rated medium severity (CVSS 5.3), this vulne

CVE-2026-33017 CRITICAL POC
9.3 Mar 17

Langflow (a visual LLM pipeline builder) contains a critical unauthenticated code execution vulnerability (CVE-2026-3301

CVE-2026-55255 HIGH POC
8.4 Jun 19

Cross-user flow execution in Langflow (< 1.9.1) lets any authenticated API-key holder run another user's flow by passing

Share

CVE-2026-44723 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy