Vowpal Wabbit
Monthly
{{ github.event.pull_request.title }} directly into bash double-quoted strings across four steps in four separate jobs, enabling shell escape via crafted PR title content. No public exploit has been identified and EPSS stands at 0.03% (10th percentile), though the supply-chain nature of this CI-targeting vulnerability means successful exploitation could expose repository secrets and runner tokens.
{{ github.event.pull_request.title }} directly into bash double-quoted strings across four steps in four separate jobs, enabling shell escape via crafted PR title content. No public exploit has been identified and EPSS stands at 0.03% (10th percentile), though the supply-chain nature of this CI-targeting vulnerability means successful exploitation could expose repository secrets and runner tokens.