CVE-2026-31900 · CRITICAL 9.8 · EPSS percentile 36.3%

CVE-2026-31900

Description

Black is the uncompromising Python code formatter. Black provides a GitHub Action for formatting code. The action supports an option, use_pyproject: true, that reads the version of Black to use from the repository's pyproject.toml. A malicious pull request could edit pyproject.toml so that the Black requirement is a direct URL reference to a malicious repository; installing it runs arbitrary code in the context of the GitHub Action. Attackers could then gain access to whatever secrets or permissions are available in the context of the action, so the practical impact depends on what the workflow grants the job. Version 26.3.0 fixes this vulnerability.

Scoring

CVSS 3.1: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 0.46% probability of exploitation · percentile 36.3% · 2026-06-18T12:00:27Z
Published: 2026-03-11
Last modified: 2026-03-16

Underlying weaknesses · 1

CWE-20 (Improper Input Validation)

References

  1. https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611
  2. https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm


Type | Target | Confidence | Tier
Weakness | Improper Input Validation (cwe-20) | 0% | live

Related by meaning · 6

Nearest entities by semantic similarity across the cs-graph corpus.

  1. CVE: tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
  2. CVE: CVE-2026-1699
  3. CVE: CVE-2026-27941
  4. CVE: CVE-2025-58371
  5. CVE: CVE-2026-42603
  6. CVE: CVE-2026-34041

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.