Vowpal Wabbit is a machine learning system. The workflow .github/workflows/pythonchecks.yml embeds ${{ github.event.pullrequest.title }} directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script runtestsmodelgenandload.py. The shell interprets the expanded string before invoking Python, allowing an attacker to break out of the quotes and execute arbitrary commands on the runner. The pullrequest trigger fires on PRs targeting any branch (branches: ['*']), with no additional access gate. This vulnerability is fixed by the 998e390e80a7e8192d7849b7784bc113dbd190ad commit.
{
"cwe_ids": [
"CWE-1336",
"CWE-78"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44723.json",
"unresolved_ranges": [
{
"extracted_events": [
{
"fixed": "998e390e80a7e8192d7849b7784bc113dbd190ad"
}
],
"source": "AFFECTED_FIELD"
}
],
"cna_assigner": "GitHub_M"
}