Unknown · Taosdata/Grafanaplugin · CVE-2023-34111
**Name of the Vulnerable Software and Affected Versions**
taosdata/grafanaplugin (affected versions not specified)
**Description**
The issue concerns a command injection vulnerability in the `Release PR Merged` workflow. This vulnerability allows arbitrary code execution within the GitHub Actions context due to the insecure use of `${{ github.event.pull_request.title }}` directly inside a bash command (the expression is expanded into the script text before bash parses it). Attackers can inject malicious commands, potentially gaining access to secrets or making use of compute resources.
**Recommendations**
As a temporary workaround, consider restricting the use of the `Release PR Merged` workflow until a patch is available.
Avoid passing `${{ github.event.pull_request.title }}` directly into bash commands in the workflow; pass it through an environment variable instead to minimize the risk of exploitation.
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
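The pattern the advisory describes and the environment-variable indirection it recommends, shown side by side. This is an added illustration, not the taosdata/grafanaplugin workflow itself: the trigger, job name, step names and the `echo` command are constructed assumptions, and only the `${{ github.event.pull_request.title }}` expression comes from the advisory.

```yaml
# Added example (not the project's own workflow). Everything except the
# github.event.pull_request.title expression is a constructed assumption.
name: Release PR Merged

on:
  pull_request:
    types: [closed]

permissions:
  contents: read   # least privilege: this job only needs to read the repo

jobs:
  announce:
    if: github.event.pull_request.merged == true
    runs-on: ubuntu-latest
    steps:
      # UNSAFE PATTERN (what CVE-2023-34111 describes), kept for contrast.
      # The runner substitutes ${{ ... }} into the script text *before* bash
      # parses it, so shell metacharacters in an attacker-chosen PR title are
      # interpreted as code rather than treated as data.
      - name: Announce merged PR (unsafe, do not ship)
        run: |
          echo "Merged: ${{ github.event.pull_request.title }}"

      # HARDENED PATTERN.
      # The expression is evaluated into an environment variable, and bash only
      # ever sees the literal string "$PR_TITLE", so the title stays data.
      - name: Announce merged PR (safe)
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Merged: $PR_TITLE"
```

The same indirection applies to any other attacker-controlled event field used in a `run:` step (PR body, branch names, commit messages), which goes beyond the single field named in the advisory. A quick check is to grep workflow files for `${{` inside `run:` blocks; a `github.event.*` expression found there should be moved into an `env:` entry as above.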