CVE-2026-44358EPSS p7.9%

CVE-2026-44358CVE-2026-44358

Description

Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary resolution and Node.js module resolution. A fork pull request processed by a pull_request_target workflow could therefore cause fork-supplied code to execute inside the action container in place of the action's own code. This vulnerability is fixed in 1.0.1.

Scoring

CVSS 8.2 ()
VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
EPSS0.18% probability of exploitation · percentile 7.9% · 2026-06-18T12:00:27Z
Last modified2026-06-01

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-35580
CVE
reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
CVE
tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
CVE
CVE-2026-22869
CVE
CVE-2025-54416
CVE
CVE-2026-33475
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.