CVE-2026-31900

HIGH EPSS 36.5%
Published Mar 11, 20263mo ago · Modified Jun 17, 20261w ago
8.7 CVSS 4.0
High
Find Similar
Published Mar 11, 2026 3mo ago
Last Modified Jun 17, 2026 1w ago

Description

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

CVSS Details

Base Score
8.7
Exploitability
Impact
Vector string
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector Network
Attack Complexity Low
Privileges Required Low
User Interaction None
Scope X

Threat Intelligence

EPSS Exploit Probability
36.5% percentile
Exploit & Patch Status
No Known Exploit
Patch Available

Weaknesses 1

CWE-20 Improper Input Validation Validation

Affected Products 1

VendorProductVersionRange
pythonblack* <26.3.0

References 2

  • github.com https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611
    Patch
  • github.com https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm
    MitigationVendor Advisory

Remediation

  • github.com https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611
    Patch