CVE-2026-31900

CRITICAL

Black GitHub Action - Command Injection

Title source: llm

Description

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

Exploits (2)

nomisec WRITEUP
by Batosay1337Lab · poc
https://github.com/Batosay1337Lab/cve-2026-31900-lab
nomisec WORKING POC
by Batosay1337Lab · poc
https://github.com/Batosay1337Lab/CVE-2026-31900

References (2)

Scores

CVSS v3 9.8
EPSS 0.0008
EPSS Percentile 22.7%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Details

CWE
CWE-20
Status published
Products (1)
python/black < 26.3.0
Published Mar 11, 2026
Tracked Since Mar 12, 2026