CVE-2026-31900

HIGH SEVERITY

CVSS Score & Metrics

Base Score

9.8 / 10

Vector String

                                        CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H                                    

Vulnerability Description

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

Vulnerability Details

Published Date

March 07, 2026

Last Modified

March 16, 2026

CWE ID

CWE-20

Source

GitHub

Vendor

actions

Product

psf/black

External References

https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm
https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611
https://github.com/advisories/GHSA-v53h-f6m7-xcgm

CVE-2026-31900

CVSS Score & Metrics

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment