CVE-2026-12567
Severity: LOW · CVSS 3.1: 2.2 · EPSS: 0.6%
Published Jun 17, 2026 · Last Modified Jun 22, 2026
Description
The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.
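The check that the description says is missing can be sketched as follows. This is an added example, not bbot's code and not the change in the referenced commit: the function names `open_repo_dir` and `write_workflow` are hypothetical, and the sample directories are constructed. It assumes a POSIX system where `os.open` and `os.mkdir` accept `dir_fd`.

```python
import os
import re
import tempfile
_SAFE = re.compile(r"[A-Za-z0-9._-]+")  # one path component, no "/"

def _check(name: str) -> str:
    if not _SAFE.fullmatch(name) or name in (".", ".."):
        raise ValueError(f"unsafe path component: {name!r}")
    return name

def open_repo_dir(base: str, repo_name: str) -> int:
    """Return a directory fd for base/<repo_name>; never follows a symlink there."""
    _check(repo_name)
    base_fd = os.open(base, os.O_RDONLY | os.O_DIRECTORY)
    try:
        try:
            os.mkdir(repo_name, 0o700, dir_fd=base_fd)
        except FileExistsError:
            pass  # entry may have been created by someone else; checks below decide
        # O_NOFOLLOW: open fails with OSError if the entry is a symlink.
        fd = os.open(repo_name, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW, dir_fd=base_fd)
    finally:
        os.close(base_fd)
    if os.fstat(fd).st_uid != os.geteuid():  # real directory, but someone else's
        os.close(fd)
        raise PermissionError(f"{repo_name!r} is owned by another user")
    return fd

def write_workflow(dir_fd: int, filename: str, data: bytes) -> None:
    """Write relative to the verified directory fd, not to a re-resolved path."""
    flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
    with os.fdopen(os.open(_check(filename), flags, 0o600, dir_fd=dir_fd), "wb") as fh:
        fh.write(data)

def demo() -> dict:
    """Constructed scenario: a clean name and a name with a symlink already in place."""
    with tempfile.TemporaryDirectory() as scan, tempfile.TemporaryDirectory() as other:
        os.symlink(other, os.path.join(scan, "planted-repo"))
        fd = open_repo_dir(scan, "clean-repo")
        write_workflow(fd, "ci.yml", b"name: ci\n")
        os.close(fd)
        out = {"clean_written": os.path.isfile(os.path.join(scan, "clean-repo", "ci.yml"))}
        try:
            os.close(open_repo_dir(scan, "planted-repo"))
            out["symlink_refused"] = False
        except OSError:
            out["symlink_refused"] = True
        out["target_untouched"] = os.listdir(other) == []
        return out
```

Holding the directory file descriptor and writing through `dir_fd` closes the gap between checking the path and using it, which a separate `os.path.islink()` test followed by a path-based write would leave open.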
CVSS Details
Vector string: CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: None
- Integrity: Low
- Availability: None
Threat Intelligence
EPSS Exploit Probability
0.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available
Weaknesses 1
CWE-59
References 1
- github.com https://github.com/blacklanternsecurity/bbot/commit/16d9c42b6
Remediation
No remediation data recorded yet
Check vendor advisories and the NVD entry for patch availability.