PT-2026-43300 · Unknown · Vowpal Wabbit

Datosh

·

Published

2026-05-26

·

Updated

2026-05-26

·

CVE-2026-44723

CVSS v3.1

9.9

Critical

VectorAV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions Vowpal Wabbit (affected versions not specified)
Description The workflow .github/workflows/python checks.yml embeds the github.event.pull request.title variable directly inside double-quoted bash strings across four separate steps and jobs. This variable is passed as a CLI argument to the run tests model gen and load.py Python test script. Because the shell interprets the expanded string before invoking Python, an attacker can break out of the quotes to execute arbitrary commands on the runner. The pull request trigger is active for PRs targeting any branch without additional access gates.
Recommendations Apply the fix provided in commit 998e390e80a7e8192d7849b7784bc113dbd190ad.

Exploit

Fix

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44723
GHSA-CG2G-XGG7-3XXQ

Affected Products

Vowpal Wabbit