PT-2026-24654 · Psf · Black

Parzivalhack · Published 2026-03-07 · Updated 2026-03-29 · CVE-2026-31900

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Black versions prior to 26.3.0

Description: Black is a Python code formatter that also ships a GitHub Action for formatting code. The action supports an option, use_pyproject: true, that reads the Black version to install from the repository's pyproject.toml file. A malicious pull request could modify pyproject.toml so that the version specifier points directly at an attacker-controlled repository. This could result in arbitrary code execution within the GitHub Action's context, potentially allowing attackers to access secrets or permissions available to the action.

Recommendations: Versions prior to 26.3.0 should be updated to version 26.3.0 or later. Do not use the use_pyproject: true option in the psf/black GitHub Action.
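The following workflow fragment is an added illustration, not taken from the advisory or from the psf/black project: it places the risky configuration (the action told to trust pyproject.toml from the checked-out tree) beside a hardened job that pins the Black version through the action's own version input and grants the job only read access. The input names use_pyproject, version, options and src are those of the psf/black action; the version value "26.3.0" is the fixed release named above, and the job names and paths are constructed for the example.

```yaml
# Constructed example workflow (.github/workflows/lint.yml); not the project's own file.
name: lint

on:
  pull_request:

# Least privilege: a formatter only needs to read the repository.
permissions:
  contents: read

jobs:
  # RISKY (pre-26.3.0 action): the Black version, and therefore what gets
  # installed and executed, is read from pyproject.toml in the PR's checkout.
  # A PR that edits that file controls what the action installs.
  black-risky:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: psf/black@stable
        with:
          use_pyproject: true        # version source is PR-controlled data
          options: "--check --diff"
          src: "./src"

  # HARDENED: the version is fixed in the workflow, which the PR author cannot
  # change without a reviewer seeing the workflow diff, and use_pyproject is
  # left at its default (false). Keep the action ref itself at a release that
  # contains the fix (26.3.0 or later); "stable" is assumed here to track it.
  black-hardened:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: psf/black@stable
        with:
          version: "26.3.0"          # pinned; not read from the repository
          options: "--check --diff"
          src: "./src"
```

When auditing existing repositories, the thing to grep for is any `uses: psf/black@...` step whose `with:` block sets `use_pyproject: true`; replacing it with an explicit `version:` removes the dependency on pull-request-controlled data regardless of which action release is in use.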

Tags: Exploit · Fix · RCE

Weakness Enumeration

Related Identifiers

CVE-2026-31900
GHSA-V53H-F6M7-XCGM
OPENSUSE-SU-2026:10372-1
OPENSUSE-SU-2026:20417-1
SUSE-SU-2026:20928-1

Affected Products

Black