Description
Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1.
Published: 2026-02-09
Score: 8.8 High
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Super-linter, the multi-linter GitHub Action, contains a command injection flaw in its file discovery logic. Versions 6.0.0 through 8.3.0 of the action will execute shell command substitution strings embedded in filenames. When an attacker submits a pull request that introduces a file whose name contains syntax such as $(...), the action's runtime scripts may run the embedded command during discovery, giving arbitrary code execution in the workflow runner environment. This fully compromises the job's execution context and can expose secrets such as the GITHUB_TOKEN. Based on the description, it is inferred that an attacker who gains execution could read, modify, or delete any resource within the runner's execution scope.
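The defensive counterpart of the mechanism described above, as an added example that is not Super-linter's own code: a POSIX shell pre-lint guard that refuses to process a changed-file list containing shell command-substitution or command-chaining characters, and a discovery loop that hands every path to the linter as data rather than re-parsing it. It assumes the file list arrives one path per line (as `git diff --name-only` prints it); the sample filenames are constructed.

```shell
#!/bin/sh
# Added example, not Super-linter's code: a pre-lint guard plus a discovery
# loop that never lets a filename reach a shell parser.

# Returns 0 when the name contains none of the characters a shell would act
# on if the name were ever re-parsed ( $(  `  ;  |  & ); 1 otherwise.
filename_is_safe() {
  case "$1" in
    *'$('*|*'`'*|*';'*|*'|'*|*'&'*) return 1 ;;
    *) return 0 ;;
  esac
}

# Reads newline-separated paths on stdin, reports unsafe ones on stderr and
# returns 1 if any were found. Assumes one path per line; names that embed a
# newline need a NUL-separated variant (git diff -z / find -print0).
check_filenames() {
  rc=0
  while IFS= read -r path; do
    [ -n "$path" ] || continue
    if ! filename_is_safe "$path"; then
      printf 'refusing to lint: %s\n' "$path" >&2
      rc=1
    fi
  done
  return "$rc"
}

# Lists files under a directory without exposing any name to a shell parser:
# find passes each path to the child shell as positional parameter $1, so a
# constructed name like 'notes $(date).md' is printed literally and the
# embedded substitution is never evaluated. A linter would be invoked the
# same way: sh -c 'linter -- "$1"' _ {}
list_files_safely() {
  find "$1" -type f -exec sh -c 'printf "%s\n" "$1"' _ {} \;
}
```

Wired into a workflow, `git diff --name-only "$BASE" | check_filenames` as a step before the linter fails the job on a suspicious name instead of letting the name reach any script that might expand it.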

Affected Systems

All users of the Super-linter GitHub Action at versions 6.0.0 through 8.3.0 are affected. The issue resides in the open-source action itself, not in individual repositories, so any project that declares the action as a dependency is at risk. Projects whose workflows reference Super-linter by an unpinned or outdated version must update to a fixed release.

Risk and Exploitability

The flaw carries a CVSS score of 8.8, indicating high severity, and an EPSS score of 1%, suggesting a low likelihood of widespread exploitation at present. The vulnerability is not listed in CISA KEV. Based on the description, the likely attack vector is a pull request that introduces a file whose name contains command-substitution syntax such as $(...), which the action processes during file discovery and can execute in the workflow runner context. The blast radius depends on the job's GITHUB_TOKEN: with broad permissions the token extends the impact beyond the runner itself; with restricted permissions the attacker still gains execution within that constrained runner environment.

Generated by OpenCVE AI on June 18, 2026 at 13:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Super-linter to version 8.3.1 or later in every workflow that uses the action.
  • Ensure the action reference uses a fixed tag or version constraint that excludes the vulnerable releases.
  • Review incoming pull requests for suspicious file names and consider tightening file-discovery rules or disabling the feature for untrusted code.
  • Restrict GITHUB_TOKEN permissions for jobs that invoke Super-linter to the minimum needed.
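The first, second and fourth recommendations can be checked mechanically. The following POSIX shell audit is an added example, not OpenCVE's or Super-linter's code: it flags any workflow whose Super-linter reference is not an exact release tag at or above 8.3.1 and whose GITHUB_TOKEN permissions are missing or set to write-all. It assumes the action is referenced as super-linter/super-linter with v-prefixed release tags (v8.3.1); the two sample workflows, one weak and one corrected, are constructed.

```shell
#!/bin/sh
# Added example, not OpenCVE's or Super-linter's code: audits workflow files
# for version pinning and GITHUB_TOKEN permission scope.

FIXED_VERSION=8.3.1   # from the advisory: fixed in 8.3.1

# version_ge A B: 0 if dotted version A >= B, 1 otherwise.
version_ge() {
  a=$1 b=$2
  set -- $(printf '%s' "$a" | tr . ' ')
  a1=${1:-0} a2=${2:-0} a3=${3:-0}; a3=${a3%%[!0-9]*}
  set -- $(printf '%s' "$b" | tr . ' ')
  b1=${1:-0} b2=${2:-0} b3=${3:-0}; b3=${b3%%[!0-9]*}
  [ "$a1" -gt "$b1" ] && return 0
  [ "$a1" -lt "$b1" ] && return 1
  [ "$a2" -gt "$b2" ] && return 0
  [ "$a2" -lt "$b2" ] && return 1
  [ "${a3:-0}" -ge "${b3:-0}" ]
}

# Prints the ref of every super-linter/super-linter@<ref> found in a file.
superlinter_refs() {
  grep -oE 'super-linter/super-linter@[^[:space:]"]+' "$1" | sed 's/.*@//'
}

# A ref passes only as a full vX.Y.Z tag at or above the fixed release.
# Floating tags (v8), branches (main) and 6.0.0..8.3.0 all fail. Commit SHAs
# are pinned but must be mapped to a release by hand, so they fail here too
# and surface for review.
ref_is_fixed() {
  case "$1" in
    v[0-9]*.[0-9]*.[0-9]*) version_ge "${1#v}" "$FIXED_VERSION" ;;
    *) return 1 ;;
  esac
}

# audit_workflow FILE: 0 when every Super-linter reference is a fixed release
# and the token is restricted; 1 otherwise. Findings go to stderr. The
# permissions check is deliberately coarse: a missing block inherits the
# repository default, and write-all grants every scope.
audit_workflow() {
  wf=$1 status=0 found=0
  for ref in $(superlinter_refs "$wf"); do
    found=1
    if ! ref_is_fixed "$ref"; then
      printf '%s: super-linter@%s is not a fixed release (need v%s or later)\n' \
        "$wf" "$ref" "$FIXED_VERSION" >&2
      status=1
    fi
  done
  [ "$found" -eq 1 ] || return 0      # workflow does not use Super-linter
  if ! grep -qE '^[[:space:]]*permissions:' "$wf"; then
    printf '%s: no permissions block, GITHUB_TOKEN inherits the repository default\n' "$wf" >&2
    status=1
  elif grep -q 'write-all' "$wf"; then
    printf '%s: permissions grant write-all to GITHUB_TOKEN\n' "$wf" >&2
    status=1
  fi
  return "$status"
}

# Constructed samples: the weak form (floating major tag, write-all token)
# beside the corrected form (exact fixed tag, read-only token).
write_samples() {
  cat > "$1/weak.yml" <<'EOF'
name: Lint
on: [pull_request]
permissions: write-all
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: super-linter/super-linter@v8
EOF
  cat > "$1/fixed.yml" <<'EOF'
name: Lint
on: [pull_request]
permissions:
  contents: read
jobs:
  lint:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: super-linter/super-linter@v8.3.1
EOF
}

demo_dir=$(mktemp -d)
write_samples "$demo_dir"
audit_workflow "$demo_dir/weak.yml" || echo "weak.yml: FAIL"
audit_workflow "$demo_dir/fixed.yml" && echo "fixed.yml: OK"
rm -rf "$demo_dir"
```

In practice the loop would run over `.github/workflows/*.yml` and the non-zero exit status would fail a policy check; the version comparison is the part worth keeping exact, since a floating `v8` tag silently covers every vulnerable 8.x release as well as the fixed ones.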

Advisories
Source: GitHub GHSA
ID: GHSA-r79c-pqj3-577x
Title: Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action
History

Sat, 28 Feb 2026 00:30:00 +0000

Type: First Time appeared
Values Added: Super-linter Project; Super-linter Project super-linter

Type: CPEs
Values Added: cpe:2.3:a:super-linter_project:super-linter:*:*:*:*:*:*:*:*

Type: Vendors & Products
Values Added: Super-linter Project; Super-linter Project super-linter

Tue, 10 Feb 2026 16:30:00 +0000

Type: First Time appeared
Values Added: Super-linter; Super-linter super-linter

Type: Vendors & Products
Values Added: Super-linter; Super-linter super-linter

Tue, 10 Feb 2026 16:15:00 +0000

Type: Metrics
Values Added: ssvc
{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 09 Feb 2026 20:45:00 +0000

Type: Description
Values Added: Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job’s GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1.

Type: Title
Values Added: Command injection via crafted filenames in Super-linter Action

Type: Weaknesses
Values Added: CWE-77

Type: References

Type: Metrics
Values Added: cvssV3_1
{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-02-10T15:59:33.745Z

Reserved: 2026-02-05T18:35:52.358Z

Link: CVE-2026-25761

Vulnrichment

Updated: 2026-02-10T15:32:08.337Z

NVD

Status: Analyzed

Published: 2026-02-09T21:15:49.323

Modified: 2026-06-17T10:25:11.233

Link: CVE-2026-25761

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T13:45:05Z

Weaknesses
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')