CVE-2026-25761
Awaiting Analysis Awaiting Analysis - Queue
Command Injection in Super-linter GitHub Action Enables Code Execution

Publication date: 2026-02-09

Last updated on: 2026-02-28

Assigner: GitHub, Inc.

Description
Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-09
Last Modified
2026-02-28
Generated
2026-06-16
AI Q&A
2026-02-09
EPSS Evaluated
2026-06-15
NVD
CVE-2026-25761
EUVD
EUVD-2026-6849
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
super-linter_project super-linter From 6.0.0 (inc) to 8.3.1 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-77 The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in the Super-linter GitHub Action versions from 6.0.0 to 8.3.0. It allows command injection through crafted filenames that contain shell command substitution syntax, such as $(...). When these specially crafted filenames are processed during file discovery, the embedded commands can be executed in the workflow runner context.

This happens because the runtime scripts in the affected versions do not properly sanitize filenames, leading to arbitrary command execution.

An attacker can exploit this by submitting a pull request with a malicious filename, causing commands to run when the Super-linter action processes the files.

Impact Analysis

This vulnerability can lead to arbitrary command execution within the GitHub Actions workflow runner environment.

An attacker exploiting this can potentially disclose sensitive information such as the job’s GITHUB_TOKEN, depending on the workflow's permission configuration.

This can result in unauthorized access, data leakage, or further compromise of the CI/CD pipeline and associated resources.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

To mitigate this vulnerability, update the Super-linter GitHub Action to version 8.3.1 or later, where the issue is fixed.

Avoid using vulnerable versions (6.0.0 to 8.3.0) in your workflows to prevent command injection via crafted filenames.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-25761. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart