CVE-2026-31976CRITICAL 9.8EPSS p38.6%

CVE-2026-31976CVE-2026-31976

Description

xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch. However, the attacker used the compromised GitHub App credentials to move the mutable v5 tag to point at the malicious commit (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) from one of the unmerged PRs. This commit remained in the repository's git object store, and any workflow referencing @v5 would fetch and execute it. This is a supply chain compromise via tag poisoning. Any GitHub Actions workflow referencing xygeni/xygeni-action@v5 during the affected window (approximately March 3–10, 2026) executed a C2 implant that granted the attacker arbitrary command execution on the CI runner for up to 180 seconds per workflow run.

Scoring

CVSS 3.19.8 (CRITICAL)
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.50% probability of exploitation · percentile 38.6% · 2026-06-19T12:03:05Z
Published2026-03-11
Last modified2026-03-16

Underlying weaknesses· 1

CWE-506

References

  1. https://github.com/xygeni/xygeni-action/issues/54
  2. https://github.com/xygeni/xygeni-action/security/advisories/GHSA-f8q5-h5qh-33mh

1

TypeTargetConfidenceTier
WeaknessEmbedded Malicious Codecwe-5060%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
CVE
CVE-2026-3136
CVE
CVE-2026-22869
CVE
CVE-2026-35580
CVE
CVE-2026-26189
CVE
CVE-2026-33475
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.