CVE-2026-31900
- Source
- https://cve.org/CVERecord?id=CVE-2026-31900
- Import Source
- https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31900.json
- JSON Data
- https://api.osv.dev/v1/vulns/CVE-2026-31900
- Aliases
- Downstream
- Related
- Published
- 2026-03-11T19:15:20.822Z
- Modified
- 2026-04-10T05:42:14.161257Z
- Severity
-
- 8.7 (High) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N CVSS Calculator
- Summary
- Black's vulnerable version parsing leads to RCE in GitHub Action
- Details
-
Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.
- Database specific
{ "cna_assigner": "GitHub_M", "cwe_ids": [ "CWE-20" ], "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31900.json" }- References
Affected packages
Git / github.com/psf/black
Affected ranges
- Type
- GIT
- Repo
- https://github.com/psf/black
- Events
-
Introduced0 Unknown introduced commit / All previous commits are affectedFixed
Affected versions
18.*
18.3a0
18.3a1
18.3a2
18.3a3
18.3a4
18.4a0
18.4a1
18.4a2
18.4a3
18.4a4
18.5b0
18.5b1
18.6b0
18.6b1
18.6b2
18.6b3
18.6b4
18.9b0
19.*
19.10b0
19.3b0
20.*
20.8b0
20.8b1
21.*
21.10b0
21.11b0
21.11b1
21.12b0
21.4b0
21.4b1
21.4b2
21.5b0
21.5b1
21.5b2
21.6b0
21.7b0
21.8b0
21.9b0
22.*
22.1.0
22.10.0
22.12.0
22.3.0
22.6.0
22.8.0
23.*
23.1.0
23.10.0
23.10.1
23.11.0
23.12.0
23.12.1
23.3.0
23.7.0
23.9.0
23.9.1
24.*
24.1.0
24.1.1
24.10.0
24.2.0
24.3.0
24.4.0
24.4.1
24.4.2
24.8.0
25.*
25.1.0
25.11.0
25.12.0
25.9.0
26.*
26.1.0