PT-2026-44387 · Espressif · Dangerjs

Avivdon

·

Published

2026-05-28

·

Updated

2026-05-28

·

CVE-2026-44358

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
Name of the Vulnerable Software and Affected Versions Espressif Shared GitHub DangerJS versions prior to 1.0.1
Description The entrypoint.sh script invokes DangerJS from the caller's workspace after copying a fork's checkout into it. This creates an untrusted search path for binary and Node.js module resolution. Consequently, a fork pull request processed by a pull request target workflow can lead to the execution of arbitrary code supplied by the fork within the action container, replacing the action's intended code.
Recommendations Update to version 1.0.1.

Exploit

Fix

Uncontrolled Search Path Element

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-44358
GHSA-WM3P-PV54-6W73

Affected Products

Dangerjs