CVE-2026-31900 HIGH

CVE-2026-31900: Black's vulnerable version parsing leads to RCE in GitHub Action

Vendor Psf
Product black
Weakness CWE-20 · Input validation
Published March 11, 2026
Last update March 13, 2026
View on NVD All CVEs

CVSS base score

8.7/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01Description

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

Key dates

02Disclosure timeline

March 11, 2026 CVE published
March 13, 2026 Record updated

Related vulnerabilities

04Related CVE

CVE-2023-3955 Kubernetes - Windows nodes - Insufficient input sanitization leads to privilege escalation CVE-2024-20271 CVE-2020-3206 Cisco IOS XE Software Catalyst 9800 Series Wireless Controllers Denial of Service Vulnerability CVE-2021-0208 Junos OS and Junos OS Evolved: In bidirectional LSP configurations, on MPLS egress router RPD may core upon receipt of specific malformed RSVP packet. CVE-2024-1245 Concrete CMS version 9 before 9.2.5 is vulnerable to stored XSS in file tags and description attributes