PT-2026-4840 · Qgis · Qgis

Barakharyati · Published 2026-01-26 · Updated 2026-03-16 · CVE-2026-24480

CVSS v2.0: 9.0 (High)
Vector: AV:N/AC:L/Au:S/C:C/I:C/A:C
Name of the Vulnerable Software and Affected Versions: QGIS versions prior to commit 76a693cd91650f9b4e83edac525e5e4f90d954e9

Description: The QGIS repository contained a GitHub Actions workflow named "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was susceptible to remote code execution and potential repository compromise. The workflow used the pull_request_target trigger, which allowed it to check out and execute code from untrusted pull requests within a privileged context: under that trigger the workflow ran with the base repository's credentials and had access to its secrets. An attacker who controlled the code in a pull request could therefore execute arbitrary commands with elevated privileges. This pattern is recognized as a security risk by GitHub and by security researchers.

Recommendations: Update the QGIS repository to a version including commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 or later.
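A defender's check for the pattern described above, added here as an example and not taken from the QGIS repository or its fix: a hypothetical minimal workflow with the risky pull_request_target trigger plus a PR-head checkout, beside a hardened pull_request form, and a small line-oriented scanner (a heuristic, not a YAML parser) that flags the combination in workflow text. Both workflow samples are constructed for illustration.

```python
import re

# Constructed sample (hypothetical, not the QGIS workflow) showing the pattern the advisory describes.
VULNERABLE = """\
name: pre-commit checks
on:
  pull_request_target:
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pre-commit run --all-files
"""

# Constructed hardened form: plain pull_request runs fork PRs with a read-only token and no secrets.
HARDENED = """\
name: pre-commit checks
on:
  pull_request:
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: pre-commit run --all-files
"""

# Trigger as a block key ("pull_request_target:"), list item, or inline list ("on: [...]").
PRIVILEGED_TRIGGER = re.compile(
    r"^\s*(?:-\s*)?pull_request_target\s*:?\s*$|\bon:\s*\[[^\]]*\bpull_request_target\b", re.M)
# Checkout of the PR head instead of the base branch: PR code becomes the working tree.
PR_HEAD_CHECKOUT = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
RUN_STEP = re.compile(r"^\s*(?:-\s*)?run\s*:", re.M)

def audit_workflow(text: str) -> list[str]:
    # Returns findings for the privileged-trigger plus untrusted-checkout pattern.
    findings = []
    if not PRIVILEGED_TRIGGER.search(text):
        return findings  # plain pull_request (or no PR trigger): not the risky pattern
    findings.append("pull_request_target: job runs with the base repo token and secrets")
    if PR_HEAD_CHECKOUT.search(text):
        findings.append("checks out the PR head: untrusted code in the privileged context")
        if RUN_STEP.search(text):
            findings.append("run step after that checkout: PR-controlled code executes with repo credentials")
    return findings
```

Running audit_workflow over each sample yields three findings for the vulnerable form and none for the hardened one; the scanner is meant for triage of a repository's .github/workflows directory, with any hit reviewed by hand.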

Exploit

Fix

RCE

Incorrect Authorization


Weakness Enumeration

Related Identifiers

BDU:2026-02092
CVE-2026-24480
GHSA-7H99-4F97-H6RW

Affected Products

Qgis