Cyber Resilience

CVE-2026-25761

Severity: High · Type: RCE

Published: 09 February 2026

Modified: 28 February 2026
KEV Added: not listed
Patch: available in 8.3.1
CVSS v3.1 score: 8.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)
EPSS score: 0.0132 (67.3rd percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-25761 is a high-severity command injection (CWE-77) vulnerability in Super-Linter, from the Super-Linter Project. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 32.7% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-25761 is a command injection vulnerability (CWE-77) affecting the Super-linter GitHub Action, a tool combining multiple linters for use in GitHub Actions workflows or standalone execution. Versions from 6.0.0 to 8.3.0 are vulnerable due to improper handling of filenames containing shell command substitution syntax, such as $(...). During file discovery processing in runtime scripts, these crafted filenames trigger execution of embedded commands. The issue carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H).

An attacker can exploit this vulnerability by submitting a pull request to a repository that uses the affected Super-linter Action in its workflows. No privileges are required beyond the ability to create a pull request, though user interaction is needed, such as a maintainer triggering the workflow (e.g., via approval or merge). Successful exploitation enables arbitrary command execution within the context of the GitHub Actions workflow runner. Depending on the workflow's permission configuration, this may allow disclosure of the job's GITHUB_TOKEN or other sensitive data.

The vulnerability is fixed in Super-linter version 8.3.1, as detailed in the project's release notes and security advisory. Security practitioners should update to 8.3.1 or later, review workflows using Super-linter for exposure, and consider limiting GITHUB_TOKEN permissions to reduce impact. Relevant resources include the release tag at https://github.com/super-linter/super-linter/releases/tag/v8.3.1 and the GitHub Security Advisory at https://github.com/super-linter/super-linter/security/advisories/GHSA-r79c-pqj3-577x.

Vulnerability details

Super-linter is a combination of multiple linters to run as a GitHub Action or standalone. From 6.0.0 to 8.3.0, the Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $(...). In affected Super-linter versions, runtime scripts may execute the embedded command during file discovery processing, enabling arbitrary command execution in the workflow runner context. This can be used to disclose the job's GITHUB_TOKEN depending on how the workflow configures permissions. This vulnerability is fixed in 8.3.1.

CWE(s): CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

The CVE describes command injection via crafted filenames carrying shell metacharacters ($(...)) that are processed by Super-linter runtime scripts in GitHub Actions workflows. Direct arbitrary command execution on the runner maps to T1059.004 (Unix Shell), and the public pull-request attack vector against a widely used CI component maps to T1190 (Exploit Public-Facing Application).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2024-57590 (shared CWE-77)
CVE-2025-64090 (shared CWE-77)
CVE-2024-57036 (shared CWE-77)
CVE-2024-39765 (shared CWE-77)
CVE-2025-29635 (shared CWE-77)
CVE-2024-39782 (shared CWE-77)
CVE-2024-13871 (shared CWE-77)
CVE-2025-50722 (shared CWE-77)
CVE-2024-39367 (shared CWE-77)
CVE-2026-22284 (shared CWE-77)

Affected Assets

Vendor: super-linter project
Product: super-linter
Versions: 6.0.0 to 8.3.1 (6.0.0 through 8.3.0 affected; fixed in 8.3.1)

Mitigating Controls (NIST 800-53 r5) (AI)

prevent · SI-2 (Flaw Remediation): Requires timely patching of the Super-linter GitHub Action to version 8.3.1 or later, directly remediating the command injection vulnerability in file discovery processing.

prevent · SI-10 (Information Input Validation): Enforces validation of information inputs such as filenames to block shell command substitution syntax like $(...), preventing arbitrary command execution during runtime processing.

prevent · least privilege on workflow permissions: Limits the impact of exploited command execution by enforcing least privilege on GitHub Actions workflow permissions, such as restricting GITHUB_TOKEN scope.
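As an added example (not Super-linter's own code and not the 8.3.1 fix), the filename validation that the vulnerability details and the SI-10 control above describe, written as a guard step a workflow can run on the pull-request checkout before any linter runs: names are handled only as quoted data, read NUL-delimited so any byte sequence survives intact, and the job fails when a name carries shell command-substitution or separator syntax. The function names, the metacharacter set and the sample names are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not Super-linter's code: a pre-lint guard that rejects
# pull-request filenames carrying shell syntax. Every name is handled only
# as quoted data: never eval'd, never echoed into a shell.

nl=$'\n'   # a newline inside a name also defeats line-oriented tooling

# Returns 0 when the name holds no risky shell syntax, 1 otherwise.
# The metacharacter set is an assumption; $( and ` are the ones this CVE concerns.
is_safe_filename() {
  case "$1" in
    *'$('* | *'`'* | *'${'* | *';'* | *'|'* | *'&'* | *'>'* | *'<'* | *"$nl"*)
      return 1 ;;
  esac
  return 0
}

# Reads NUL-separated names from stdin (so names containing newlines stay
# intact), prints each rejected name with %q so it appears literally, and
# returns 1 if anything was rejected.
check_filenames() {
  local bad=0 name
  while IFS= read -r -d '' name; do
    if ! is_safe_filename "$name"; then
      printf 'rejected filename: %q\n' "$name"
      bad=1
    fi
  done
  return "$bad"
}

# Walks a checked-out tree with -print0 and fails on any offender.
# In a workflow this runs against the PR checkout before the lint step.
check_tree() {
  find "$1" -type f -print0 | check_filenames
}
```

This is defence in depth for the window before a repository moves to 8.3.1; it does not replace the upgrade.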
