CVE-2026-25761

Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1.

CVSS v3 8.8 HIGH

8.8^/10

CVSS v3 : HIGH

Vector :

Exploitability : 2.8 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction REQUIRED

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/super-linter/super-linter/releases/tag/v8.3.1	Product Release Notes
https://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577x	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:super-linter_project:super-linter:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-02-09 21:15

Updated : 2026-02-28 00:21

NVD link : CVE-2026-25761

Mitre link : CVE-2026-25761

CVE.ORG link : CVE-2026-25761

JSON object : View

Products Affected

super-linter_project

super-linter

CWE

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

{"id": "CVE-2026-25761", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.8, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 2.8}]}, "published": "2026-02-09T21:15:49.323", "references": [{"url": "https://github.com/super-linter/super-linter/releases/tag/v8.3.1", "tags": ["Product", "Release Notes"], "source": "security-advisories@github.com"}, {"url": "https://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577x", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-77"}]}], "descriptions": [{"lang": "en", "value": "Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job\u2019s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1."}, {"lang": "es", "value": "Super-linter es una combinaci\u00f3n de m\u00faltiples linters para ejecutar como una Acci\u00f3n de GitHub o de forma independiente. Desde la 6.0.0 hasta la 8.3.0, la Acci\u00f3n de GitHub Super-linter es vulnerable a inyecci\u00f3n de comandos a trav\u00e9s de nombres de archivo manipulados. Cuando esta acci\u00f3n se utiliza en flujos de trabajo de GitHub Actions posteriores, un atacante puede enviar una solicitud de extracci\u00f3n que introduce un archivo cuyo nombre contiene sintaxis de sustituci\u00f3n de comandos de shell, como $(...). En las versiones afectadas de Super-linter, los scripts en tiempo de ejecuci\u00f3n pueden ejecutar el comando incrustado durante el procesamiento de descubrimiento de archivos, lo que permite la ejecuci\u00f3n arbitraria de comandos en el contexto del ejecutor del flujo de trabajo. Esto puede usarse para divulgar el GITHUB_TOKEN del trabajo dependiendo de c\u00f3mo el flujo de trabajo configure los permisos. Esta vulnerabilidad se corrige en la 8.3.1."}], "lastModified": "2026-02-28T00:21:30.757", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:super-linter_project:super-linter:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "8793631B-2725-45CA-BB01-D0D6D2EDC1EE", "versionEndExcluding": "8.3.1", "versionStartIncluding": "6.0.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}