Логотип exploitDog
Консоль
Логотип exploitDog

exploitDog

debian логотип

CVE-2026-31900

Опубликовано: 11 мар. 2026
Источник: debian
EPSS Низкий

Описание

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

Пакеты

ПакетСтатусВерсия исправленияРелизТип
blackunfixedpackage

Примечания

  • https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm

  • Fixed by: https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611 (26.3.0)

  • GitHub action code from action/main.py not provided in the Debian built binay packages

EPSS

Процентиль: 40%
0.00184
Низкий

Связанные уязвимости

ubuntu логотип

CVE-2026-31900

CVSS3: 9.8
ubuntu
18 дней назад

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

nvd логотип

CVE-2026-31900

CVSS3: 9.8
nvd
18 дней назад

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

github логотип

GHSA-v53h-f6m7-xcgm

github
23 дня назад

Black's vulnerable version parsing leads to RCE in GitHub Action

EPSS

Процентиль: 40%
0.00184
Низкий