PT-2026-7152 · Unknown · Super-Linter
Izefoea · Published 2026-02-09 · Updated 2026-02-28 · CVE-2026-25761

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Super-linter versions 6.0.0 through 8.3.0
Description: Super-linter, a bundle of many linters run as a GitHub Action or standalone, is vulnerable to command injection through crafted filenames. When it runs in a GitHub Actions workflow, an attacker can open a pull request that adds a file whose name contains shell command-substitution syntax such as $(...). Affected versions may execute the embedded command while discovering files to lint, giving the attacker arbitrary command execution in the workflow runner. Depending on the workflow's permissions, this can expose the job's GITHUB_TOKEN. The flaw lies in the file-scanning logic used to detect changed files. Exploitation requires that the attacker's workflow run without approval from a repository administrator (for example, a pull request from a fork whose checks start automatically); the permissions granted to the GITHUB_TOKEN determine how much damage a successful exploit can do.
Recommendations: Update Super-linter to version 8.3.1 or later. As general hardening that limits the blast radius of this and similar bugs, set the workflow's permissions to the minimum the job needs (for a lint job, typically read-only access to repository contents) and require approval before workflows run for pull requests from outside contributors, so an attacker cannot trigger the job unattended.
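The bug class behind this advisory, as an added illustration that is not Super-linter's own code: a directory listing is re-parsed by the shell (here through eval; passing the name inside a "sh -c" string or through xargs -I{} sh -c is the same mistake), so a file named $(touch pwned) runs "touch pwned" when the scanner reaches it. The hardened loop passes the name as data only. The sample directory and filenames are constructed for the example.

```bash
#!/usr/bin/env bash
# Illustrative reproduction of filename command injection in a file-discovery loop.
# Not Super-linter's code; the function names and sample files are assumptions.
set -u

# Build a scratch "repository" containing one harmless file and one crafted name.
# The crafted name holds shell command-substitution syntax; it is a legal Linux filename.
setup_sample() {
  local dir
  dir=$(mktemp -d)
  : > "$dir/README.md"
  : > "$dir/"'$(touch pwned)'
  printf '%s\n' "$dir"
}

# Vulnerable pattern: the filename is interpolated into a string that the shell
# parses again, so $(...) inside the name is executed as a command.
scan_vulnerable() {
  local dir=$1 f
  ( cd "$dir" && for f in *; do
      eval "echo checking $f" >/dev/null
    done )
}

# Hardened pattern: the filename is only ever expanded inside double quotes and
# never re-parsed. If a child shell is unavoidable, pass the name as a positional
# parameter ( bash -c 'lint "$1"' _ "$f" ) instead of splicing it into the script.
scan_hardened() {
  local dir=$1 f
  ( cd "$dir" && for f in *; do
      echo "checking $f" >/dev/null
    done )
}

# Returns 0 if the injected command left its marker file behind.
was_injected() {
  [ -e "$1/pwned" ]
}

# Stand-alone demo: hardened scan leaves no marker, vulnerable scan creates it.
demo() {
  local d
  d=$(setup_sample)
  scan_hardened "$d"
  was_injected "$d" && echo "unexpected: hardened scan executed the filename"
  scan_vulnerable "$d"
  was_injected "$d" && echo "vulnerable scan executed the command embedded in the filename"
  rm -rf "$d"
}
```

Run the demo() function to see the marker appear only after the vulnerable scan; in a real runner the embedded command would be a payload that reads the job's environment or token rather than touch.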

Weakness Enumeration

Command Injection

Related Identifiers

CVE-2026-25761
GHSA-R79C-PQJ3-577X

Affected Products

Super-Linter