CVE-2026-31900

High CVSS: 8.7

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

Vendor

Python

Product

Black

CWE

CWE-20

Yayın Tarihi

2026-03-11 20:16:15

Güncelleme

2026-03-16 20:02:12

Source Identifier

security-advisories@github.com

KEV Date Added

Kategoriler

CWE-20 Black HIGH Python 2026

Referanslar

https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611 https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm

Benzer Kayıtlar

Medium

CVE-2026-25645

Requests is a HTTP library. Prior to version 2.33.0, the `requests.utils.extract_zipped_paths()` utility function uses a…

High

CVE-2026-32274

Black is the uncompromising Python code formatter. Prior to 26.3.1, Black writes a cache file, the name of which is comp…

High

CVE-2026-25990

Pillow is a Python imaging library. From 10.3.0 to before 12.1.1, n out-of-bounds write may be triggered when loading a…

Medium

CVE-2025-12781

When passing data to the b64decode(), standard_b64decode(), and urlsafe_b64decode() functions in the "base64" module the…

High

CVE-2026-21441

urllib3 is an HTTP client library for Python. urllib3's streaming API is designed for the efficient handling of large HT…

High

CVE-2025-66471

urllib3 is a user-friendly HTTP client library for Python. Starting in version 1.0 and prior to 2.6.0, the Streaming API…