GHSA-rvp7-w75q-9fv2

Source
https://github.com/advisories/GHSA-rvp7-w75q-9fv2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-rvp7-w75q-9fv2/GHSA-rvp7-w75q-9fv2.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-rvp7-w75q-9fv2
Aliases
  • CVE-2026-12567
Published
2026-06-18T15:04:00Z
Modified
2026-06-18T15:17:20.554123502Z
Severity
  • 2.2 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Summary
BBOT: Symlink-Following Arbitrary Write via github_workflows Module
Details

The github_workflows module constructs local directory paths from user-controlled repository names without checking whether the resulting path is a symlink. A local attacker who shares the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.
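As an added illustration (not bbot's own code; the helper names are hypothetical), the defensive pattern this advisory implies: accept only a plain single path component as the repository name, and refuse rather than follow a symlink planted at the predictable output path when writing workflow data into a shared scan directory. Assumes a POSIX system, where O_NOFOLLOW, O_DIRECTORY and dir_fd are available.

```python
import os
import re
import tempfile
from pathlib import Path
# Hypothetical names, not bbot's API: they show the check the advisory says was missing.
_SAFE = re.compile(r"^(?!\.\.?$)[A-Za-z0-9._-]{1,100}$")  # one plain component; not '.' or '..'

def safe_repo_dir(base_dir: Path, repo_name: str) -> Path:
    """A single plain component cannot escape base_dir (CWE-22); a symlink already
    planted at the predictable location is refused rather than followed (CWE-59)."""
    if not _SAFE.match(repo_name):
        raise ValueError(f"rejected repository name {repo_name!r}")
    target = base_dir.resolve(strict=True) / repo_name
    if target.is_symlink():  # lstat-based: reports the link, does not follow it
        raise PermissionError(f"refusing planted symlink at {target}")
    return target

def write_workflow_file(base_dir: Path, repo_name: str, name: str, data: bytes) -> Path:
    repo_dir = safe_repo_dir(base_dir, repo_name)
    if not _SAFE.match(name):
        raise ValueError(f"rejected file name {name!r}")
    repo_dir.mkdir(mode=0o700, exist_ok=True)
    # Open the directory with O_NOFOLLOW so a link swapped in after the check fails
    # (ELOOP); create the file via dir_fd, and O_CREAT|O_EXCL refuses a final-component link.
    dfd = os.open(repo_dir, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    try:
        fd = os.open(name, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600, dir_fd=dfd)
    finally:
        os.close(dfd)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return repo_dir / name

def demo() -> dict:
    """Constructed scenario: an honest name, a traversal attempt, and a symlink a
    co-tenant planted at the predictable output path. Returns each outcome."""
    results = {}
    with tempfile.TemporaryDirectory() as scan, tempfile.TemporaryDirectory() as elsewhere:
        scan_dir = Path(scan)
        out = write_workflow_file(scan_dir, "good-repo", "ci.yml", b"on: push\n")
        results["honest"] = out.read_bytes() == b"on: push\n"
        (scan_dir / "victim-repo").symlink_to(elsewhere, target_is_directory=True)
        for label, repo in (("traversal", "../escape"), ("symlink", "victim-repo")):
            try:
                write_workflow_file(scan_dir, repo, "ci.yml", b"x")
                results[label] = "written"
            except (ValueError, PermissionError):
                results[label] = "refused"
        results["elsewhere_untouched"] = not any(Path(elsewhere).iterdir())
    return results
```

The is_symlink check alone still leaves a window between check and use; the O_NOFOLLOW directory open and the dir_fd-relative O_EXCL create are what close it.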

Database specific
{
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-18T15:04:00Z",
    "nvd_published_at": "2026-06-17T23:17:03Z",
    "severity": "LOW",
    "cwe_ids": [
        "CWE-22",
        "CWE-59"
    ]
}
References

Affected packages

PyPI / bbot

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.0.0
Fixed
2.8.5

Affected versions

2.*
2.0.0
2.0.0.4250rc0
2.0.0.4372rc0
2.0.0.4378rc0
2.0.0.4380rc0
2.0.0.4398rc0
2.0.0.4400rc0
2.0.0.4434rc0
2.0.0.4460rc0
2.0.0.4478rc0
2.0.0.4494rc0
2.0.0.4515rc0
2.0.0.4524rc0
2.0.0.4535rc0
2.0.0.4538rc0
2.0.0.4569rc0
2.0.0.4575rc0
2.0.0.4580rc0
2.0.0.4582rc0
2.0.0.4585rc0
2.0.0.4588rc0
2.0.0.4591rc0
2.0.0.4603rc0
2.0.0.4606rc0
2.0.0.4610rc0
2.0.1
2.0.1.4638rc0
2.0.1.4642rc0
2.0.1.4648rc0
2.0.1.4650rc0
2.0.1.4654rc0
2.0.1.4657rc0
2.0.1.4660rc0
2.0.1.4675rc0
2.0.1.4685rc0
2.0.1.4705rc0
2.0.1.4709rc0
2.0.1.4716rc0
2.0.1.4720rc0
2.0.1.4722rc0
2.0.1.4730rc0
2.0.1.4732rc0
2.0.1.4745rc0
2.0.1.4750rc0
2.0.1.4756rc0
2.0.1.4760rc0
2.0.1.4762rc0
2.0.1.4764rc0
2.0.1.4774rc0
2.0.1.4777rc0
2.0.1.4779rc0
2.0.1.4782rc0
2.0.1.4790rc0
2.0.1.4792rc0
2.1.0
2.1.0.4809rc0
2.1.0.4813rc0
2.1.0.4815rc0
2.1.0.4817rc0
2.1.0.4819rc0
2.1.0.4921rc0
2.1.0.4929rc0
2.1.0.4935rc0
2.1.0.4937rc0
2.1.0.4939rc0
2.1.0.4951rc0
2.1.0.4954rc0
2.1.0.4957rc0
2.1.0.4959rc0
2.1.0.4971rc0
2.1.0.4978rc0
2.1.0.4980rc0
2.1.0.4984rc0
2.1.0.4992rc0
2.1.0.4995rc0
2.1.0.4999rc0
2.1.0.5001rc0
2.1.0.5004rc0
2.1.0.5021rc0
2.1.0.5028rc0
2.1.0.5036rc0
2.1.0.5040rc0
2.1.0.5078rc0
2.1.0.5082rc0
2.1.0.5097rc0
2.1.1
2.1.1.5103rc0
2.1.1.5119rc0
2.1.1.5121rc0
2.1.1.5123rc0
2.1.1.5125rc0
2.1.1.5127rc0
2.1.1.5138rc0
2.1.2
2.1.2.5140rc0
2.1.2.5147rc0
2.1.2.5149rc0
2.1.2.5152rc0
2.1.2.5154rc0
2.1.2.5156rc0
2.1.2.5158rc0
2.1.2.5161rc0
2.1.2.5171rc0
2.1.2.5173rc0
2.1.2.5175rc0
2.1.2.5180rc0
2.1.2.5182rc0
2.1.2.5184rc0
2.1.2.5192rc0
2.1.2.5196rc0
2.1.2.5202rc0
2.1.2.5217rc0
2.1.2.5221rc0
2.1.2.5223rc0
2.1.2.5232rc0
2.1.2.5234rc0
2.1.2.5236rc0
2.1.2.5238rc0
2.1.2.5240rc0
2.2.0
2.2.0.5242rc0
2.2.0.5263rc0
2.2.0.5279rc0
2.2.0.5309rc0
2.2.0.5311rc0
2.3.0.5324rc0
2.3.0.5328rc0
2.3.0.5336rc0
2.3.0.5354rc0
2.3.0.5362rc0
2.3.0.5364rc0
2.3.0.5368rc0
2.3.0.5370rc0
2.3.0.5376rc0
2.3.0.5382rc0
2.3.0.5384rc0
2.3.0.5397rc0
2.3.0.5399rc0
2.3.0.5401rc0
2.3.0.5404rc0
2.3.0.5412rc0
2.3.0.5414rc0
2.3.0.5418rc0
2.3.0.5423rc0
2.3.0.5438rc0
2.3.0.5445rc0
2.3.0.5447rc0
2.3.0.5455rc0
2.3.0.5459rc0
2.3.0.5461rc0
2.3.0.5465rc0
2.3.0.5467rc0
2.3.0.5473rc0
2.3.0.5477rc0
2.3.0.5479rc0
2.3.0.5482rc0
2.3.0.5484rc0
2.3.0.5489rc0
2.3.0.5491rc0
2.3.0.5504rc0
2.3.0.5515rc0
2.3.0.5518rc0
2.3.0.5520rc0
2.3.0.5522rc0
2.3.0.5524rc0
2.3.0.5532rc0
2.3.0.5538rc0
2.3.0.5546rc0
2.3.0.5809rc0
2.3.1
2.3.1.5815rc0
2.3.1.5818rc0
2.3.1.5820rc0
2.3.2
2.3.2.5825rc0
2.3.2.5827rc0
2.3.2.5829rc0
2.3.2.5832rc0
2.3.2.5836rc0
2.3.2.5838rc0
2.3.2.5841rc0
2.3.2.5848rc0
2.3.2.5850rc0
2.3.2.5855rc0
2.3.2.5874rc0
2.3.2.5889rc0
2.3.2.5893rc0
2.3.2.5897rc0
2.3.2.5904rc0
2.3.2.5906rc0
2.3.2.5909rc0
2.3.2.5913rc0
2.3.2.5915rc0
2.3.2.5927rc0
2.3.2.5938rc0
2.3.2.5942rc0
2.3.2.5944rc0
2.3.2.5950rc0
2.3.2.5958rc0
2.3.2.5967rc0
2.3.2.5971rc0
2.4.0
2.4.0.5974rc0
2.4.0.5977rc0
2.4.0.5984rc0
2.4.0.5986rc0
2.4.0.5988rc0
2.4.0.5992rc0
2.4.0.5995rc0
2.4.0.5997rc0
2.4.0.5999rc0
2.4.0.6005rc0
2.4.0.6007rc0
2.4.0.6031rc0
2.4.0.6037rc0
2.4.0.6039rc0
2.4.0.6045rc0
2.4.0.6050rc0
2.4.0.6067rc0
2.4.0.6073rc0
2.4.1
2.4.1.6075rc0
2.4.1.6077rc0
2.4.1.6089rc0
2.4.1.6094rc0
2.4.1.6095rc0
2.4.1.6100rc0
2.4.1.6107rc0
2.4.2
2.4.2.6109rc0
2.4.2.6590rc0
2.4.2.6596rc0
2.4.2.6608rc0
2.4.2.6611rc0
2.4.2.6615rc0
2.4.2.6621rc0
2.4.2.6623rc0
2.4.2.6635rc0
2.4.2.6638rc0
2.4.2.6653rc0
2.4.2.6655rc0
2.4.2.6659rc0
2.4.2.6677rc0
2.4.2.6706rc0
2.5.0
2.5.0.6715rc0
2.5.0.6719rc0
2.5.0.6721rc0
2.5.0.6730rc0
2.5.0.6734rc0
2.5.0.6737rc0
2.5.0.6742rc0
2.5.0.6747rc0
2.5.0.6765rc0
2.5.0.6769rc0
2.5.0.6773rc0
2.5.0.6779rc0
2.5.0.6782rc0
2.5.0.6790rc0
2.5.0.6803rc0
2.5.0.6807rc0
2.5.0.6817rc0
2.5.0.6831rc0
2.6.0
2.6.0.6840rc0
2.6.0.6842rc0
2.6.0.6846rc0
2.6.0.6851rc0
2.6.0.6853rc0
2.6.0.6856rc0
2.6.0.6871rc0
2.6.0.6879rc0
2.6.1
2.6.1.6901rc0
2.6.1.6913rc0
2.6.1.6915rc0
2.7.0
2.7.0.6919rc0
2.7.0.6925rc0
2.7.0.6930rc0
2.7.0.6932rc0
2.7.0.6948rc0
2.7.0.6962rc0
2.7.0.6989rc0
2.7.0.6995rc0
2.7.0.7002rc0
2.7.0.7010rc0
2.7.0.7014rc0
2.7.0.7023rc0
2.7.0.7027rc0
2.7.0.7090rc0
2.7.0.7092rc0
2.7.0.7094rc0
2.7.0.7096rc0
2.7.0.7098rc0
2.7.0.7100rc0
2.7.0.7108rc0
2.7.0.7112rc0
2.7.0.7116rc0
2.7.0.7136rc0
2.7.1
2.7.1.7141rc0
2.7.1.7149rc0
2.7.1.7151rc0
2.7.1.7153rc0
2.7.1.7159rc0
2.7.1.7167rc0
2.7.1.7169rc0
2.7.1.7175rc0
2.7.1.7198rc0
2.7.1.7202rc0
2.7.1.7207rc0
2.7.1.7212rc0
2.7.2
2.7.2.7226rc0
2.7.2.7236rc0
2.7.2.7238rc0
2.7.2.7244rc0
2.7.2.7254rc0
2.7.2.7256rc0
2.7.2.7269rc0
2.7.2.7271rc0
2.7.2.7278rc0
2.7.2.7284rc0
2.7.2.7286rc0
2.7.2.7288rc0
2.7.2.7298rc0
2.7.2.7303rc0
2.7.2.7311rc0
2.7.2.7319rc0
2.7.2.7324rc0
2.7.2.7334rc0
2.7.2.7337rc0
2.7.2.7342rc0
2.7.2.7353rc0
2.7.2.7355rc0
2.7.2.7361rc0
2.7.2.7364rc0
2.7.2.7367rc0
2.7.2.7369rc0
2.7.2.7379rc0
2.7.2.7381rc0
2.7.2.7383rc0
2.7.2.7388rc0
2.7.2.7396rc0
2.7.2.7400rc0
2.7.2.7406rc0
2.7.2.7410rc0
2.7.2.7412rc0
2.7.2.7414rc0
2.7.2.7418rc0
2.7.2.7424rc0
2.7.2.7426rc0
2.7.2.7428rc0
2.7.2.7439rc0
2.8.0
2.8.0.7448rc0
2.8.0.7450rc0
2.8.0.7452rc0
2.8.0.7459rc0
2.8.1
2.8.1.7464rc0
2.8.1.7470rc0
2.8.1.7477rc0
2.8.2
2.8.2.7481rc0
2.8.2.7483rc0
2.8.2.7485rc0
2.8.2.7495rc0
2.8.2.7498rc0
2.8.2.7503rc0
2.8.2.7505rc0
2.8.2.7508rc0
2.8.2.7516rc0
2.8.3
2.8.3.7522rc0
2.8.3.7533rc0
2.8.3.7535rc0
2.8.3.7546rc0
2.8.3.7550rc0
2.8.3.7553rc0
2.8.3.7555rc0
2.8.4
2.8.4.7557rc0
2.8.4.7559rc0
2.8.4.7575rc0
2.8.4.7578rc0

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/06/GHSA-rvp7-w75q-9fv2/GHSA-rvp7-w75q-9fv2.json"
last_known_affected_version_range
"<= 2.8.4"