CVE-2026-12567

Source
https://cve.org/CVERecord?id=CVE-2026-12567
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12567.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-12567
Aliases
Published
2026-06-17T23:17:03.220Z
Modified
2026-07-13T16:43:32.838473456Z
Severity
  • 2.2 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N CVSS Calculator
Summary
[none]
Details

The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.

References

Affected packages

Git / github.com/blacklanternsecurity/bbot

Affected ranges

Type
GIT
Repo
https://github.com/blacklanternsecurity/bbot
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-12567.json"