{"uuid": "02128a2a-0ead-4208-8e11-ee532ed27885", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-C3XH-98XP-6QHF", "type": "seen", "source": "https://gist.github.com/alon710/07ba754de3ce685dc022ade4d0592c92", "content": "# GHSA-C3XH-98XP-6QHF: Command Injection via Issue Title in Discord Notification Workflow\n\n> **CVSS Score:** 7.1\n> **Published:** 2026-06-19\n> **Full Report:** https://cvereports.com/reports/GHSA-C3XH-98XP-6QHF\n\n## Summary\nA command injection vulnerability exists in the .github/workflows/discord-issue.yml workflow of the gouef/githubtoplanguages repository. The workflow interpolates untrusted issue titles literally into an inline Bash script, so an attacker who opens an issue can execute arbitrary commands on the GitHub Actions runner. This exposes the secrets available to the job, such as the Discord webhook URL.\n\n## TL;DR\nUntrusted GitHub issue and pull request titles are interpolated directly into an inline Bash script within a GitHub Actions workflow, leading to arbitrary OS command injection.\n\n## Technical Details\n\n- **CWE ID**: CWE-74 / CWE-78 / CWE-94\n- **Attack Vector**: Network (AV:N)\n- **CVSS v4.0 Score**: 7.1 (High)\n- **Exploit Status**: PoC\n- **KEV Status**: Not Listed\n- **Affected Component**: GitHub Actions Workflow (.github/workflows/discord-issue.yml)\n- **Impact**: Arbitrary Command Execution in Runner Environment\n\n## Affected Systems\n\n- gouef/githubtoplanguages GitHub Actions Workflows\n- **githubtoplanguages**: < 1.1.4 (Fixed in: `1.1.4`)\n\n## Mitigation\n\n- Map user-controlled GitHub context values to step-level environment variables instead of placing them in the script text.\n- Avoid literal string interpolation of '${{ github.event... }}' inside 'run' steps; the expression is expanded before the shell parses the script, so any shell metacharacters in the value become code.\n- Use a dedicated JSON tool such as 'jq' to serialize parameters instead of concatenating strings, so quotes and backslashes in the value cannot break the request body.\n\n**Remediation Steps:**\n1. Identify any workflows in '.github/workflows/' that use '${{ github.event.issue... }}' or similar within a shell command.\n2. Modify the workflow to assign these context expressions to step 'env' variables.\n3. Update the shell commands to reference the resulting process variables (e.g., \"$ISSUE_TITLE\", double-quoted so the shell does not word-split or glob the value) instead of double-bracket expressions.\n4. Use 'jq' to build JSON request payloads safely.\n\n## References\n\n- [https://github.com/gouef/githubtoplanguages/security/advisories/GHSA-c3xh-98xp-6qhf](https://github.com/gouef/githubtoplanguages/security/advisories/GHSA-c3xh-98xp-6qhf)\n- [https://github.com/gouef/githubtoplanguages/commit/157840482e592bd4f8e0617539e73cdbef26f1ac](https://github.com/gouef/githubtoplanguages/commit/157840482e592bd4f8e0617539e73cdbef26f1ac)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-C3XH-98XP-6QHF) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-06-21T19:52:11.000000Z"}
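The Mitigation and Remediation Steps in the advisory above, as an added shell demonstration that is not part of the advisory, the CVEReports page, or the gouef/githubtoplanguages workflow. It emulates what the Actions expression evaluator does to a `run:` step (literal text substitution of `${{ github.event.issue.title }}` before the shell parses the script), shows that an issue title such as `$(touch marker)` then executes, and shows that the same title passed through an `env:` variable and serialized with `jq` does not. The scratch directory, file names, the `printf` standing in for the `curl` call, and the sample titles are all constructed for this example.

```sh
#!/bin/sh
# Added example (not the project's workflow): emulates how a GitHub Actions
# `run:` step is assembled. The `${{ ... }}` expression is substituted as
# literal text BEFORE the shell parses the script, so an issue title such as
# `$(touch marker)` becomes shell code. The hardened variant passes the same
# title through an environment variable and builds the JSON body with jq.

PLACEHOLDER='${{ github.event.issue.title }}'
WORKDIR="$(mktemp -d)"          # constructed scratch dir standing in for the runner workspace
trap 'rm -rf "$WORKDIR"' EXIT

# Vulnerable step body, as it would appear under `run:` in the workflow.
# printf stands in for the curl call that would POST payload.json to Discord.
UNSAFE_TEMPLATE='printf "%s\n" "{\"content\": \"New issue: ${{ github.event.issue.title }}\"}" > payload.json'

# Hardened step body (remediation steps 2 and 3): the expression moves to the
# step's `env:` block and the script references the quoted process variable.
SAFE_STEP='printf "%s\n" "$ISSUE_TITLE" > title.txt'

# Emulate the expression evaluator: plain textual substitution, no quoting.
# The pattern is quoted so `$`, `{` and `}` in PLACEHOLDER match literally.
render_step() {
  template="$1"; title="$2"
  case "$template" in
    *"$PLACEHOLDER"*)
      printf '%s%s%s' "${template%%"$PLACEHOLDER"*}" "$title" "${template#*"$PLACEHOLDER"}" ;;
    *) printf '%s' "$template" ;;
  esac
}

# Run a step inside the scratch dir and report whether the `marker` canary
# file appeared, i.e. whether the title was executed as a command.
probe() {
  rm -f "$WORKDIR/marker" "$WORKDIR/payload.json" "$WORKDIR/title.txt"
  (cd "$WORKDIR" && "$@") >/dev/null 2>&1 || true
  if [ -e "$WORKDIR/marker" ]; then echo injected; else echo clean; fi
}

# Vulnerable path: title is spliced into the script text, then the script runs.
run_unsafe() {
  render_step "$UNSAFE_TEMPLATE" "$1" > "$WORKDIR/step.sh"
  probe sh ./step.sh
}

# Hardened path: script text is fixed; the title only ever arrives via the environment.
run_safe() {
  printf '%s\n' "$SAFE_STEP" > "$WORKDIR/step.sh"
  probe env ISSUE_TITLE="$1" sh ./step.sh
}

# What the hardened step actually recorded (the title, verbatim, unexecuted).
saved_title() { cat "$WORKDIR/title.txt"; }

# Remediation step 4: jq receives the title as an argument and escapes it, so
# quotes or backslashes in the title cannot break or reshape the JSON body.
build_payload() {
  jq -cn --arg t "$1" '{content: ("New issue: " + $t)}'
}

echo "unsafe: $(run_unsafe '$(touch marker)')"   # injected
echo "safe:   $(run_safe '$(touch marker)')"     # clean
```

Run it with `sh`; only `build_payload` needs `jq` installed. The benign-looking `"$ISSUE_TITLE"` in the hardened step is the whole fix for command execution: the shell expands the variable to a string and never re-parses it, whereas the rendered unsafe script contains the title as source text. Escaping for the JSON body is a separate concern, which is why the advisory lists `jq` as its own step.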