CVE-2026-25761

8.8 HIGH

📋 TL;DR

Super-linter GitHub Action versions 6.0.0 to 8.3.0 are vulnerable to command injection via specially crafted filenames containing shell command substitution syntax like $(...). This allows attackers to execute arbitrary commands in GitHub Actions workflow runners, potentially exposing sensitive data like GITHUB_TOKEN. Organizations using Super-linter in their CI/CD pipelines are affected.

💻 Affected Systems

Products:
  • super-linter GitHub Action
Versions: 6.0.0 to 8.3.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects GitHub Actions usage; standalone usage is not vulnerable. Requires the attacker to submit a pull request with a malicious filename.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete compromise of GitHub Actions runner environment, exfiltration of secrets and source code, lateral movement within GitHub organization, and persistence in CI/CD pipelines.

🟠 Likely Case

Unauthorized access to GITHUB_TOKEN with repository permissions, allowing code modification, secret disclosure, and workflow manipulation.

🟢 If Mitigated

Limited impact due to restricted GITHUB_TOKEN permissions, runner isolation, and proper security controls.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires ability to submit pull requests to affected repositories. Public proof-of-concept exists in advisory.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 8.3.1

Vendor Advisory: https://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577x

Restart Required: No

Instructions:

1. Update the super-linter action in workflow YAML files to v8.3.1 or later.
2. Replace 'uses: github/super-linter@v8' with 'uses: github/super-linter@v8.3.1'.
3. Commit and push the changes to all affected repositories.

🔧 Temporary Workarounds

Pin to safe version

Operating Systems: all

Manually specify super-linter version 8.3.1 or later in workflow files:

uses: github/super-linter@v8.3.1

Disable super-linter

Operating Systems: all

Temporarily remove super-linter from workflows until patched:

# Comment out or remove super-linter steps in .github/workflows/*.yml

🧯 If You Can't Patch

  • Restrict GITHUB_TOKEN permissions to minimum required in workflow files
  • Implement branch protection rules requiring review before pull request merge

🔍 How to Verify

Check if Vulnerable:

Check .github/workflows/*.yml files for super-linter references with versions between 6.0.0 and 8.3.0

Check Version:

grep -r 'super-linter@' .github/workflows/

Verify Fix Applied:

Confirm workflow files reference super-linter@v8.3.1 or later

📡 Detection & Monitoring

Log Indicators:

  • Unexpected command execution in GitHub Actions logs
  • Suspicious filenames containing $(...) patterns in pull requests
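The version check above and the filename indicator can both be automated. The following script is an added example, not part of the advisory or the super-linter project: it finds every super-linter `uses:` step in a workflow file, classifies the pinned ref against the 6.0.0 to 8.3.0 range, flags floating refs such as `@v8` that cannot be resolved from the file alone, and lists pull-request filenames containing `$(`. The sample workflow and file list are constructed.

```python
import re
from typing import List, Optional, Tuple

# A `uses:` step referencing super-linter under any owner or subpath, capturing the ref after '@'.
USES_RE = re.compile(
    r"^\s*(?:-\s*)?uses:\s*['\"]?([\w.-]+/super-linter(?:/[\w.-]+)*)@([^\s'\"#]+)", re.M)
# Inclusive affected range from the advisory: 6.0.0 through 8.3.0; fixed in 8.3.1.
VULN_MIN, VULN_MAX = (6, 0, 0), (8, 3, 0)
# Filename pattern the advisory describes: shell command substitution syntax.
SUSPICIOUS_NAME_RE = re.compile(r"\$\(")

def parse_version(ref: str) -> Optional[Tuple[int, int, int]]:
    """Return (major, minor, patch) for an exact tag such as 'v8.3.1'; None otherwise."""
    m = re.fullmatch(r"v?(\d+)\.(\d+)\.(\d+)", ref)
    return tuple(int(x) for x in m.groups()) if m else None

def classify_ref(ref: str) -> str:
    """Classify a super-linter ref as vulnerable, patched, unaffected (below range) or review."""
    v = parse_version(ref)
    if v is None:
        # Floating tags ('v8', 'latest'), branches or commit SHAs resolve at run time,
        # so the file alone cannot prove which release runs: flag for manual review.
        return "review"
    if VULN_MIN <= v <= VULN_MAX:
        return "vulnerable"
    return "patched" if v > VULN_MAX else "unaffected"

def scan_workflow(text: str) -> List[Tuple[str, str, str]]:
    """Return (action, ref, verdict) for every super-linter step in a workflow file."""
    return [(action, ref, classify_ref(ref)) for action, ref in USES_RE.findall(text)]

def suspicious_filenames(paths: List[str]) -> List[str]:
    """Return the paths from a pull request's file list whose name contains '$('."""
    return [p for p in paths if SUSPICIOUS_NAME_RE.search(p)]

# Constructed sample workflow (not a real repository's file).
SAMPLE_WORKFLOW = """\
name: Lint
jobs:
  lint:
    steps:
      - uses: actions/checkout@v4
      - uses: github/super-linter@v8.3.0
      - uses: 'super-linter/super-linter/slim@v8.3.1'
      - uses: github/super-linter@v8
"""

if __name__ == "__main__":
    for action, ref, verdict in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {verdict}")
    print(suspicious_filenames(["src/main.go", "docs/$(id).md"]))  # constructed PR file list
```

Run it over each file in .github/workflows/ and treat any "vulnerable" or "review" verdict as needing attention; a "review" ref must be resolved against the action's tags before it can be called safe.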

Network Indicators:

  • Unusual outbound connections from GitHub Actions runners

SIEM Query:

source="github-actions" AND (command_injection OR suspicious_filename OR unexpected_execution)

🔗 References
