CVE-2026-44723

Source
https://cve.org/CVERecord?id=CVE-2026-44723
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44723.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44723
Aliases
  • GHSA-cg2g-xgg7-3xxq
Published
2026-05-26T15:49:17.951Z
Modified
2026-07-15T01:48:58.329124786Z
Severity
  • 5.0 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
Vowpal Wabbit: Shell injection via crafted PR title in python_checks.yml allows arbitrary command execution on CI runner
Details

Vowpal Wabbit is a machine learning system. The workflow .github/workflows/pythonchecks.yml embeds ${{ github.event.pullrequest.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script runtestsmodelgenandload.py. The shell interprets the expanded string before invoking Python, allowing an attacker to break out of the quotes and execute arbitrary commands on the runner. The pullrequest trigger fires on PRs targeting any branch (branches: ['*']), with no additional access gate. This vulnerability is fixed by the 998e390e80a7e8192d7849b7784bc113dbd190ad commit.

Database specific
{
    "cwe_ids": [
        "CWE-1336",
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44723.json",
    "unresolved_ranges": [
        {
            "extracted_events": [
                {
                    "fixed": "998e390e80a7e8192d7849b7784bc113dbd190ad"
                }
            ],
            "source": "AFFECTED_FIELD"
        }
    ],
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/vowpalwabbit/vowpal_wabbit

Affected ranges

Type
GIT
Repo
https://github.com/vowpalwabbit/vowpal_wabbit
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": "REFERENCES"
}

Affected versions

2.*
2.3
4.*
4.0
4.1
6.*
6.0
6.1
7.*
7.4
8.*
8.10.0
8.11.0
8.6.0
8.7.0
8.8.0
8.9.0
9.*
9.0.0
9.1.0
9.10.0
9.11.1
9.11.2
9.2.0
9.3.0
9.4.0
9.5.0
9.6.0
9.7.0
9.8.0
9.9.0
r_l.*
r_l.snapshot.1
wasm_v0.*
wasm_v0.0.3
wasm_v0.0.4
wasm_v0.0.5
wasm_v0.0.6
wasm_v0.0.7
wasm_v0.0.9

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44723.json"