CVE-2026-12567

LOW EPSS 0.6%
Published Jun 17, 2026 2w ago · Modified Jun 22, 2026 1w ago
2.2 CVSS 3.1
Low

Description

The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.
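
A defensive pattern for this class of bug (CWE-59), as an added example: it is not bbot's code and not the change in the referenced commit. The names `open_repo_dir`, `write_workflow` and `UnsafeOutputPath` are hypothetical, and the sketch assumes a POSIX system and a repository name that is a single path component.

```python
import os
import re

SAFE_COMPONENT = re.compile(r"[A-Za-z0-9._-]+")  # one path component, no "/"

class UnsafeOutputPath(Exception):
    """The output location is not something this process created and owns."""

def check_component(name):
    if name in (".", "..") or not SAFE_COMPONENT.fullmatch(name):
        raise UnsafeOutputPath(f"unsafe path component: {name!r}")

def open_repo_dir(base_dir, repo_name):
    """Return a directory fd for base_dir/repo_name without following symlinks."""
    check_component(repo_name)
    path = os.path.join(base_dir, repo_name)
    try:
        os.mkdir(path, 0o700)  # mkdir reports EEXIST for a planted symlink
    except FileExistsError:
        pass                   # pre-existing entry is verified below
    try:
        # O_NOFOLLOW | O_DIRECTORY: fails if the final component is a symlink
        fd = os.open(path, os.O_RDONLY | os.O_DIRECTORY | os.O_NOFOLLOW)
    except OSError as exc:
        raise UnsafeOutputPath(f"{path} is not a real directory") from exc
    if os.fstat(fd).st_uid != os.geteuid():  # checked on the fd, so no race
        os.close(fd)
        raise UnsafeOutputPath(f"{path} is owned by another user")
    return fd

def write_workflow(base_dir, repo_name, filename, data):
    """Write data to repo_name/filename relative to the verified directory fd."""
    check_component(filename)
    dir_fd = open_repo_dir(base_dir, repo_name)
    try:
        flags = os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW
        fd = os.open(filename, flags, 0o600, dir_fd=dir_fd)
    except OSError as exc:
        raise UnsafeOutputPath(f"cannot safely open {filename!r}") from exc
    finally:
        os.close(dir_fd)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
```

Opening the file relative to the verified directory descriptor, rather than re-resolving the path string, is what closes the window between the check and the write.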

CVSS Details

Base Score
2.2
Exploitability
0.8
Impact
1.4
Vector string
CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N
Attack Vector Local
Attack Complexity High
Privileges Required Low
User Interaction Required
Scope Unchanged
Confidentiality None
Integrity Low
Availability None

Threat Intelligence

EPSS Exploit Probability
0.6% percentile
Exploit & Patch Status
No Known Exploit
No Patch Available

Weaknesses 1

CWE-59

References 1

  • https://github.com/blacklanternsecurity/bbot/commit/16d9c42b6

Remediation

No remediation data recorded yet

Check vendor advisories and the NVD entry for patch availability.