CVE-2026-25761 · HIGH 8.8 · EPSS percentile 67.3%

Description

Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1.

Scoring

CVSS 3.1: 8.8 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
EPSS: 1.32% probability of exploitation · percentile 67.3% · 2026-06-18T12:00:27Z
Published: 2026-02-09
Last modified: 2026-02-28

Underlying weaknesses · 1

CWE-77

References

  1. https://github.com/super-linter/super-linter/releases/tag/v8.3.1
  2. https://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577x

Type: Weakness
Target: Improper Neutralization of Special Elements used in a Command ('Command Injection') (cwe-77)
Confidence: 0%
Tier: live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: CVE-2025-31479
  2. CVE: CVE-2026-21518
  3. CVE: CVE-2026-35580
  4. CVE: CVE-2026-21257
  5. CVE: CVE-2025-54416
  6. CVE: tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.