PT-2026-60326 · Unknown · Maaassistantarknights

CVE-2026-55576

·

Published

2026-07-15

·

Updated

2026-07-15

CVSS v4.0

8.8

High

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Name of the Vulnerable Software and Affected Versions MaaAssistantArknights (affected versions not specified)
Description In the dev-v2 workflow, the .github/workflows/release-preparation.yml file inlines the attacker-controlled github.event.pull request.title variable into a shell command. This occurs during the pull request opened, reopened, and ready for review events. Consequently, a non-draft fork pull request with a title starting with "Release v" can execute arbitrary shell commands on the ubuntu-latest runner during the generate-changelog job.
Recommendations Apply the fix provided in commit cafc3946059e6337d2089d4fec8b6885ba17c332.

Exploit

Fix

Code Injection

OS Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-55576
GHSA-PQX2-5G66-F5W8

Affected Products

Maaassistantarknights