CVE-2026-24480

HIGH

QGIS GitHub Actions pre-commit checks - Privileged Pull Request Code Execution

Title source: manual

Description

QGIS is a free, open source, cross platform geographical information system (GIS) The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository's credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code.

References (2)

Core 2

Core References

Vendor Advisory x_refsource_confirm

https://github.com/qgis/QGIS/security/advisories/GHSA-7h99-4f97-h6rw

Patch x_refsource_misc

https://github.com/qgis/QGIS/commit/76a693cd91650f9b4e83edac525e5e4f90d954e9

View Patch ZIP pw:eip

Scores

CVSS v4 8.7

EPSS 0.0041

EPSS Percentile 32.9%

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-863

Status published

Products (1)

qgis/QGIS < 76a693cd91650f9b4e83edac525e5e4f90d954e9

Published Jan 27, 2026

Tracked Since Feb 18, 2026