{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-22T00:52:06.506","vulnerabilities":[{"cve":{"id":"CVE-2026-25761","sourceIdentifier":"security-advisories@github.com","published":"2026-02-09T21:15:49.323","lastModified":"2026-02-28T00:21:30.757","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1."},{"lang":"es","value":"Super-linter es una combinación de múltiples linters para ejecutar como una Acción de GitHub o de forma independiente. Desde la 6.0.0 hasta la 8.3.0, la Acción de GitHub Super-linter es vulnerable a inyección de comandos a través de nombres de archivo manipulados. Cuando esta acción se utiliza en flujos de trabajo de GitHub Actions posteriores, un atacante puede enviar una solicitud de extracción que introduce un archivo cuyo nombre contiene sintaxis de sustitución de comandos de shell, como $(...). En las versiones afectadas de Super-linter, los scripts en tiempo de ejecución pueden ejecutar el comando incrustado durante el procesamiento de descubrimiento de archivos, lo que permite la ejecución arbitraria de comandos en el contexto del ejecutor del flujo de trabajo. Esto puede usarse para divulgar el GITHUB_TOKEN del trabajo dependiendo de cómo el flujo de trabajo configure los permisos. Esta vulnerabilidad se corrige en la 8.3.1."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H","baseScore":8.8,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"REQUIRED","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":2.8,"impactScore":5.9}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-77"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:super-linter_project:super-linter:*:*:*:*:*:*:*:*","versionStartIncluding":"6.0.0","versionEndExcluding":"8.3.1","matchCriteriaId":"8793631B-2725-45CA-BB01-D0D6D2EDC1EE"}]}]}],"references":[{"url":"https://github.com/super-linter/super-linter/releases/tag/v8.3.1","source":"security-advisories@github.com","tags":["Product","Release Notes"]},{"url":"https://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577x","source":"security-advisories@github.com","tags":["Vendor Advisory"]}]}}]}