High severityNVD Advisory· Published Mar 11, 2026· Updated Mar 13, 2026
Black's vulnerable version parsing leads to RCE in GitHub Action
CVE-2026-31900
Description
Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
psf/blackGitHub Actions | < 26.3.0 | 26.3.0 |
Affected products
6- ghsa-coords5 versionspkg:github/psf/blackpkg:rpm/opensuse/python-black&distro=openSUSE%20Leap%2016.0pkg:rpm/opensuse/python-black&distro=openSUSE%20Tumbleweedpkg:rpm/suse/python-black&distro=SUSE%20Linux%20Enterprise%20Server%2016.0pkg:rpm/suse/python-black&distro=SUSE%20Linux%20Enterprise%20Server%20for%20SAP%20applications%2016.0
< 26.3.0+ 4 more
- (no CPE)range: < 26.3.0
- (no CPE)range: < 25.1.0-160000.3.1
- (no CPE)range: < 26.3.1-1.1
- (no CPE)range: < 25.1.0-160000.3.1
- (no CPE)range: < 25.1.0-160000.3.1
Patches
Vulnerability mechanics
References
4- github.com/advisories/GHSA-v53h-f6m7-xcgmghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2026-31900ghsaADVISORY
- github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611ghsax_refsource_MISCWEB
- github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgmghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.