CVE 8.8 HIGH

OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target_CVE-2026-42603

May 11, 2026 invoker category_cve

8.8 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

Description

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.

AI Analysis

Remote Code Execution (RCE) vulnerability in OWASP BLT due to execution of untrusted fork code via pull_request_target

Basic Information

ID CVE-2026-42603

Source GitHub_M

Published May 11, 2026 at 16:11

Affected Product

Vendor OWASP-BLT

Product BLT

Version < 2.1.2

Affected Versions OWASP-BLT BLT < 2.1.2

CWE Classification

CWE-94 CWE-95

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor OWASP-BLT

Product BLT

Version < 2.1.2

References

github.com /OWASP-BLT/BLT/security/advisories/GHSA-cgvj-qg2h-cqfh

{
    "lastseen": "",
    "description": "OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.",
    "published": "2026-05-11T16:11:55.297Z",
    "modified": "2026-05-11T16:11:55.297Z",
    "type": "cve",
    "title": "OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target",
    "source": "GitHub_M",
    "references": "https://github.com/OWASP-BLT/BLT/security/advisories/GHSA-cgvj-qg2h-cqfh",
    "id": "CVE-2026-42603",
    "bulletinFamily": "",
    "cwe": [
        "CWE-94",
        "CWE-95"
    ],
    "cvelist": null,
    "sourceData": "OWASP-BLT BLT < 2.1.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "BLT",
    "version": "< 2.1.2",
    "vendor": "OWASP-BLT",
    "ai_description": "Remote Code Execution (RCE) vulnerability in OWASP BLT due to execution of untrusted fork code via pull_request_target",
    "ai_severity": "High",
    "ai_vendor": "OWASP-BLT",
    "ai_product": "BLT",
    "ai_version": "< 2.1.2",
    "ai_score": 8.8
}

💭 Join the Security Discussion ❌ Cancel Reply