Skip to main content

Dbt Core

2 CVEs product

Monthly

CVE-2026-39382 CRITICAL Act Now

Command injection in dbt-labs/actions workflow allows remote code execution via malicious GitHub issue comments. Unauthenticated attackers can inject arbitrary shell commands through unescaped comment-body output in the open-issue-in-repo.yml reusable workflow, affecting dbt-core infrastructure. The vulnerability exists in GitHub Actions workflows where attacker-controlled comment text is interpolated directly into bash if statements without sanitization. Fixed in commit bbed8d28, no public exploit identified at time of analysis, but EPSS scoring and CVSS 9.3 indicate critical severity with network attack vector requiring no privileges.

Command Injection Dbt Core
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2024-40637 PyPI HIGH POC PATCH This Week

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Dbt Core
NVD GitHub
CVSS 3.1
7.8
EPSS
0.4%
EPSS 0% CVSS 9.3
CRITICAL Act Now

Command injection in dbt-labs/actions workflow allows remote code execution via malicious GitHub issue comments. Unauthenticated attackers can inject arbitrary shell commands through unescaped comment-body output in the open-issue-in-repo.yml reusable workflow, affecting dbt-core infrastructure. The vulnerability exists in GitHub Actions workflows where attacker-controlled comment text is interpolated directly into bash if statements without sanitization. Fixed in commit bbed8d28, no public exploit identified at time of analysis, but EPSS scoring and CVSS 9.3 indicate critical severity with network attack vector requiring no privileges.

Command Injection Dbt Core
NVD GitHub
EPSS 0% CVSS 7.8
HIGH POC PATCH This Week

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Rated high severity (CVSS 7.8), this vulnerability is low attack complexity. Public exploit code available.

Information Disclosure Dbt Core
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy