Robocode · Robocode · CVE-2025-58371
**Name of the Vulnerable Software and Affected Versions**
Roo Code versions 3.26.6 and below
**Description**
Roo Code is an AI-powered autonomous coding agent. A GitHub Actions workflow interpolated unsanitized pull request metadata into a privileged context, allowing an attacker to achieve Remote Code Execution (RCE) on the Actions runner. The workflow runs with broad permissions and access to repository secrets. An attacker could execute arbitrary commands on the runner, modify code in the repository, access secrets, and create malicious releases or packages, resulting in a complete compromise of the repository and its associated services.
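The vulnerability class described above is GitHub Actions script injection: an expression such as `${{ github.event.pull_request.title }}` is expanded into a `run:` script before the shell sees it, so whoever controls the pull request metadata controls the script. The following is an added example, not Roo Code's actual workflow or code from the advisory: two constructed workflow snippets (a weak pattern and the corrected pattern that passes the value through an environment variable) plus a small line-based checker that flags untrusted event fields interpolated into `run:` steps and reports whether the workflow also runs in a privileged context. The list of untrusted contexts is an illustrative subset of the fields GitHub documents as attacker-controlled, and the function and file names are assumptions.

```python
import re

# Illustrative subset of event fields an external contributor controls directly
# (assumption: not an exhaustive list).
UNTRUSTED_PATTERNS = [
    r"github\.event\.pull_request\.title",
    r"github\.event\.pull_request\.body",
    r"github\.event\.pull_request\.head\.ref",
    r"github\.event\.pull_request\.head\.label",
    r"github\.event\.issue\.title",
    r"github\.event\.issue\.body",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.head_ref",
]
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
# Matches `run: <inline script>`, `- run: |`, `run: >-`, etc.
RUN_RE = re.compile(r"^(\s*)-?\s*run:\s*(\|[-+]?|>[-+]?)?\s*(.*)$")

# Constructed sample: untrusted metadata expanded directly inside the shell script,
# in a workflow that runs with the base repository's write token.
VULNERABLE = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: write
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - run: |
          echo "Checking PR: ${{ github.event.pull_request.title }}"
          echo "Head ref: ${{ github.head_ref }}"
"""

# Constructed sample: the same values reach the script only as environment
# variables, so the shell treats them as data, and the token is read-only.
HARDENED = """\
name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
permissions:
  contents: read
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - env:
          PR_TITLE: ${{ github.event.pull_request.title }}
          HEAD_REF: ${{ github.head_ref }}
        run: |
          echo "Checking PR: $PR_TITLE on $HEAD_REF"
"""


def run_step_lines(workflow_text):
    """Return [(line_no, text)] for every line belonging to a `run:` step.

    Handles inline scalars (`run: echo hi`) and block scalars (`run: |` followed
    by more-indented lines). Line-based on purpose so no YAML library is needed.
    """
    lines = workflow_text.splitlines()
    out, i = [], 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        if not m:
            i += 1
            continue
        key_col = lines[i].index("run:")
        is_block = m.group(2) is not None
        if not is_block and m.group(3):
            out.append((i + 1, m.group(3)))
        i += 1
        while is_block and i < len(lines):
            line = lines[i]
            indent = len(line) - len(line.lstrip(" "))
            if line.strip() and indent <= key_col:
                break  # block scalar ended
            if line.strip():
                out.append((i + 1, line))
            i += 1
    return out


def find_script_injections(workflow_text):
    """Return [(line_no, expression)] for untrusted contexts expanded in run: steps."""
    hits = []
    for line_no, text in run_step_lines(workflow_text):
        for expr in EXPR_RE.findall(text):
            if any(re.search(p, expr) for p in UNTRUSTED_PATTERNS):
                hits.append((line_no, expr))
    return hits


def uses_privileged_trigger(workflow_text):
    """True for triggers that run with the base repo's secrets on fork-originated events."""
    return re.search(r"\b(pull_request_target|issue_comment|workflow_run)\b", workflow_text) is not None


def grants_write(workflow_text):
    """True if any permission scope is explicitly set to write."""
    return re.search(r"^\s*[\w-]+\s*:\s*write\s*$", workflow_text, re.M) is not None


def audit(workflow_text):
    """Combine the two signals: injection in a privileged workflow is the critical case."""
    hits = find_script_injections(workflow_text)
    privileged = uses_privileged_trigger(workflow_text) or grants_write(workflow_text)
    severity = "high" if hits and privileged else "medium" if hits else "none"
    return {"severity": severity, "privileged": privileged, "injections": hits}


if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED)):
        print(name, audit(text))
```

The checker reports the weak sample as high severity (two interpolations inside a `pull_request_target` workflow with a write token) and the hardened sample as clean, even though the latter keeps the same trigger: the expressions are evaluated into `env:` values, never into the script body, so an attacker-chosen title is just a string to the shell. Reducing `permissions:` to read-only is the second, independent layer that limits what a compromised runner could do.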
**Recommendations**
Update Roo Code to version 3.26.7.