
Researcher: chrispat · rank #52325 of 53,622 · total CVSS 4 · vulnerabilities: 1
PT-2020-14294 · CVSS 4.0 · 2020-10-01 · GitHub · @actions/core · CVE-2020-15228
**Name of the Vulnerable Software and Affected Versions**

@actions/core versions prior to 1.2.6

**Description**

The `addPath` and `exportVariable` functions in the `@actions/core` npm module communicate with the Actions Runner over stdout: each call writes a string in a specific command format, and the runner parses the action's standard output looking for those command markers. Because commands and ordinary output share the same STDOUT stream, a workflow that logs untrusted data to stdout can cause the runner to interpret that data as a command, resulting in unintended modification of the PATH or of environment variables.

**Recommendations**

Upgrade to `@actions/core` v1.2.6 or later and replace any use of the `set-env` and `add-path` commands in workflows with the new Environment File Syntax. As a temporary workaround until the update is applied, restrict the use of the `addPath` and `exportVariable` functions.