CVE-2026-42603
EUVD-2026-2912611.05.2026, 17:16
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and executes code directly from the attacker's fork, enabling RCE with write permissions. This vulnerability is fixed in 2.1.2.
Awaiting analysis
This vulnerability is currently awaiting analysis.