CVE-2026-31900

CRITICAL

Black GitHub Action - Command Injection


Exploitation Summary

EIP tracks 2 public exploits for CVE-2026-31900. PoCs published by Batosay1337Lab.

AI-analyzed exploit summary: This repository provides a detailed technical analysis of CVE-2026-31900, a supply chain RCE vulnerability in the psf/black GitHub Action due to an insecure regex validation in version parsing. It includes a step-by-step breakdown of the attack vector, vulnerable regex, and mitigation steps.

Description

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

Exploits (2)

nomisec · WRITEUP
by Batosay1337Lab · poc
https://github.com/Batosay1337Lab/cve-2026-31900-lab


Classification: Writeup 100%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: psf/black GitHub Action < v26.3.0
No auth needed
Prerequisites: Fork the repository · Modify pyproject.toml to include a malicious dependency · Open a Pull Request to trigger the workflow
Analyzed by devstral-2 · Apr 11, 2026
nomisec · WORKING POC
by Batosay1337Lab · poc
https://github.com/Batosay1337Lab/CVE-2026-31900

This repository demonstrates CVE-2026-31900, an RCE vulnerability in the psf/black GitHub Action via pyproject.toml URL injection. The workflow file intentionally uses a vulnerable version of the Black formatter with a configuration that exposes the flaw.

Classification: Working PoC 95%
Attack Type: RCE
Complexity: Moderate
Reliability: Reliable
Target: psf/black GitHub Action < 26.3.0
No auth needed
Prerequisites: GitHub repository with vulnerable workflow configuration · ability to trigger workflow execution
Analyzed by devstral-2 · Apr 09, 2026

Scores

CVSS v3: 9.8
EPSS: 0.0009
EPSS Percentile: 25.6%
Attack Vector: NETWORK
Vector String: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Source: Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: total

Details

CWE: CWE-20
Status: published
Products (1): python/black < 26.3.0
Published: Mar 11, 2026
Tracked Since: Mar 12, 2026