CVE-2026-31900

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611	Patch
https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:python:black:*:*:*:*:*:*:*:*

History

No history.

Information

Published : 2026-03-11 20:16

Updated : 2026-03-16 20:02

NVD link : CVE-2026-31900

Mitre link : CVE-2026-31900

CVE.ORG link : CVE-2026-31900

JSON object : View

Products Affected

python

black

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

{"id": "CVE-2026-31900", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}, "impactScore": 5.9, "exploitabilityScore": 3.9}], "cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.7, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-03-11T20:16:15.960", "references": [{"url": "https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm", "tags": ["Mitigation", "Vendor Advisory"], "source": "security-advisories@github.com"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-20"}]}, {"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}], "descriptions": [{"lang": "en", "value": "Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability."}, {"lang": "es", "value": "Black es el formateador de c\u00f3digo Python intransigente. Black proporciona una acci\u00f3n de GitHub para formatear c\u00f3digo. Esta acci\u00f3n admite una opci\u00f3n, use_pyproject: true, para leer la versi\u00f3n de Black a utilizar desde el archivo pyproject.toml del repositorio. Una solicitud de extracci\u00f3n maliciosa podr\u00eda editar pyproject.toml para usar una referencia de URL directa a un repositorio malicioso. Esto podr\u00eda conducir a la ejecuci\u00f3n de c\u00f3digo arbitrario en el contexto de la Acci\u00f3n de GitHub. Los atacantes podr\u00edan entonces obtener acceso a secretos o permisos disponibles en el contexto de la acci\u00f3n. La versi\u00f3n 26.3.0 corrige esta vulnerabilidad."}], "lastModified": "2026-03-16T20:02:12.730", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:python:black:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "4B156B90-4B50-44ED-A82A-0466FD506870", "versionEndExcluding": "26.3.0"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}