PT-2026-43300 · Unknown · Vowpal Wabbit
Datosh
·
Published
2026-05-26
·
Updated
2026-05-26
·
CVE-2026-44723
CVSS v3.1
9.9
Critical
| Vector | AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Vowpal Wabbit (affected versions not specified)
Description
The workflow
.github/workflows/python checks.yml embeds the github.event.pull request.title variable directly inside double-quoted bash strings across four separate steps and jobs. This variable is passed as a CLI argument to the run tests model gen and load.py Python test script. Because the shell interprets the expanded string before invoking Python, an attacker can break out of the quotes to execute arbitrary commands on the runner. The pull request trigger is active for PRs targeting any branch without additional access gates.Recommendations
Apply the fix provided in commit 998e390e80a7e8192d7849b7784bc113dbd190ad.
Exploit
Fix
OS Command Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Vowpal Wabbit