CVE-2026-42603 HIGH

CVE-2026-42603: OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target

Vendor Owasp-Blt
Product BLT
Weakness CWE-94 · Code injection
Published May 11, 2026
Last update May 11, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction Required
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

What the vulnerability does

01Description

OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.

Key dates

02Disclosure timeline

May 11, 2026 CVE published
May 11, 2026 Record updated