FKIE_CVE-2026-25761

Vulnerability from fkie_nvd - Published: 2026-02-09 21:15 - Updated: 2026-02-28 00:21
Severity ?
8.8 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Summary
Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1.
References
security-advisories@github.comhttps://github.com/super-linter/super-linter/releases/tag/v8.3.1Product, Release Notes
security-advisories@github.comhttps://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577xVendor Advisory
Impacted products
Vendor Product Version
super-linter_project super-linter *
To clipboard 

{
  "configurations": [
    {
      "nodes": [
        {
          "cpeMatch": [
            {
              "criteria": "cpe:2.3:a:super-linter_project:super-linter:*:*:*:*:*:*:*:*",
              "matchCriteriaId": "8793631B-2725-45CA-BB01-D0D6D2EDC1EE",
              "versionEndExcluding": "8.3.1",
              "versionStartIncluding": "6.0.0",
              "vulnerable": true
            }
          ],
          "negate": false,
          "operator": "OR"
        }
      ]
    }
  ],
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job\u2019s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1."
    },
    {
      "lang": "es",
      "value": "Super-linter es una combinaci\u00f3n de m\u00faltiples linters para ejecutar como una Acci\u00f3n de GitHub o de forma independiente. Desde la 6.0.0 hasta la 8.3.0, la Acci\u00f3n de GitHub Super-linter es vulnerable a inyecci\u00f3n de comandos a trav\u00e9s de nombres de archivo manipulados. Cuando esta acci\u00f3n se utiliza en flujos de trabajo de GitHub Actions posteriores, un atacante puede enviar una solicitud de extracci\u00f3n que introduce un archivo cuyo nombre contiene sintaxis de sustituci\u00f3n de comandos de shell, como $(...). En las versiones afectadas de Super-linter, los scripts en tiempo de ejecuci\u00f3n pueden ejecutar el comando incrustado durante el procesamiento de descubrimiento de archivos, lo que permite la ejecuci\u00f3n arbitraria de comandos en el contexto del ejecutor del flujo de trabajo. Esto puede usarse para divulgar el GITHUB_TOKEN del trabajo dependiendo de c\u00f3mo el flujo de trabajo configure los permisos. Esta vulnerabilidad se corrige en la 8.3.1."
    }
  ],
  "id": "CVE-2026-25761",
  "lastModified": "2026-02-28T00:21:30.757",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "HIGH",
          "baseScore": 8.8,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "HIGH",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "REQUIRED",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
          "version": "3.1"
        },
        "exploitabilityScore": 2.8,
        "impactScore": 5.9,
        "source": "security-advisories@github.com",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-02-09T21:15:49.323",
  "references": [
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Product",
        "Release Notes"
      ],
      "url": "https://github.com/super-linter/super-linter/releases/tag/v8.3.1"
    },
    {
      "source": "security-advisories@github.com",
      "tags": [
        "Vendor Advisory"
      ],
      "url": "https://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577x"
    }
  ],
  "sourceIdentifier": "security-advisories@github.com",
  "vulnStatus": "Analyzed",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-77"
        }
      ],
      "source": "security-advisories@github.com",
      "type": "Primary"
    }
  ]
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.