Impact
Super-linter, the multi-linter GitHub Action, contains a command injection flaw in its file discovery logic. Versions 6.0.0 through 8.3.0 of the action execute shell command substitution strings embedded in filenames. If an attacker submits a pull request that introduces a file whose name includes syntax such as $(…), the action's runtime scripts may run the embedded command during discovery, allowing the attacker to execute arbitrary code in the workflow runner environment. The result is a full compromise of the job's context, potentially exposing secrets such as the GITHUB_TOKEN. In the worst case, the attacker can read, modify, or delete any resource the runner has access to.
Affected Systems
All users employing the Super-linter GitHub Action in their workflows with versions 6.0.0 through 8.3.0 are affected. The issue resides in the open-source action itself, not in individual repositories, so any project that declares the action as a dependency is at risk. Projects that reference Super-linter by an unpinned tag or an outdated version must update to a fixed release.
Risk and Exploitability
The flaw carries a CVSS score of 8.8, indicating high severity. The EPSS score of less than 1% suggests a low likelihood of widespread exploitation so far, and the vulnerability is not listed in the CISA KEV catalog. Nevertheless, the attack vector is readily available via a public GitHub pull request, so any collaborator or open-source contributor could potentially trigger an exploit. How far the impact reaches depends on the permissions granted to the workflow token; even with restricted tokens, the attacker can cause denial of service or alter the linter's behavior.
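As an added example that is not part of this advisory and not Super-linter's own code, the following POSIX shell gate shows one way a workflow can refuse to hand a shell-based linter any changed path whose name carries shell-interpretable characters (command substitution `$(`, backticks, command separators, redirections, quotes, embedded newlines). The set of rejected characters is a conservative choice of this example, not taken from the advisory; the assumption is that file names reach the linter through a shell wrapper where such characters would be evaluated. Names are always passed as separate arguments and matched with `case`, so a hostile name is inspected but never re-parsed by the shell.

```shell
#!/bin/sh
# Added example (not Super-linter code): pre-lint gate for changed file names.
# Assumption: the linter consumes paths through a shell wrapper, so any
# metacharacter in a name could be interpreted rather than treated literally.

nl=$(printf '\nx'); nl=${nl%x}   # a literal newline, for pattern matching

# is_safe_name NAME -> exit 0 if NAME contains no shell metacharacters, else 1.
# Quoted parts of a case pattern are matched literally, so "$nl" matches an
# embedded newline and '$' matches a dollar sign, never an expansion.
is_safe_name() {
  case "$1" in
    *'$'* | *'`'* | *';'* | *'|'* | *'&'* | *'('* | *')'* | *'<'* | *'>'* | \
    *'\'* | *'"'* | *"'"* | *"$nl"*)
      return 1 ;;
  esac
  return 0
}

# unsafe_count NAME... -> prints how many of the given names fail is_safe_name.
unsafe_count() {
  n=0
  for f in "$@"; do
    is_safe_name "$f" || n=$((n + 1))
  done
  echo "$n"
}

# gate_paths NAME... -> exit 0 only when every name is safe. Offenders are
# reported with non-printable bytes replaced by '?', so the report itself can
# never smuggle a newline or control character into the job log.
gate_paths() {
  bad=0
  for f in "$@"; do
    if ! is_safe_name "$f"; then
      printf 'refusing to lint: %s\n' "$(printf '%s' "$f" | tr -c '[:print:]' '?')"
      bad=1
    fi
  done
  return "$bad"
}

# Typical use in a pull-request job (bash 4.4+ shown, because mapfile -d ''
# reads the NUL-separated list from git without the shell splitting names):
#   mapfile -d '' changed < <(git diff --name-only -z "origin/$GITHUB_BASE_REF...")
#   gate_paths "${changed[@]}" || exit 1
```

Run the gate before the linter step and fail the job when it returns non-zero. It is a stop-gap for pipelines that cannot yet move to a fixed Super-linter release: it does not repair the action's own file discovery, it only keeps hostile names from reaching it.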
OpenCVE Enrichment
Source: GitHub GHSA