CVE-2026-42603 - Vulnerability Analysis
Severity: High | CVSS: 8.8 | Last Updated: May 11, 2026
OWASP BLT - Remote Code Execution
Overview
OWASP BLT < 2.1.2 contains a remote code execution vulnerability caused by the use of the pull_request_target trigger together with a checkout of code from attacker forks in .github/workflows/pre-commit-fix.yaml, letting attackers with write permissions execute arbitrary code remotely; the exploit requires write access to the repository.
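The trigger-and-checkout combination the overview describes, shown beside a hardened form, as a constructed example added here (it is not the project's actual pre-commit-fix.yaml, whose contents are not on this page): pull_request_target runs with the base repository's secrets and a write-capable token, so checking out and executing the pull request's own code hands that privilege to whoever controls the fork.

```yaml
# Constructed example, not the project's real workflow file.
# Document 1: the weak pattern. A privileged trigger checks out and
# runs code that the pull request author controls.
name: pre-commit-fix (weak pattern)
on:
  pull_request_target:          # privileged: base-repo secrets + write token
jobs:
  fix:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Checks out the PR head, i.e. fork-controlled code.
          ref: ${{ github.event.pull_request.head.sha }}
      # pre-commit executes hooks declared in the checked-out
      # .pre-commit-config.yaml, so the PR decides what runs here.
      - run: pip install pre-commit && pre-commit run --all-files
---
# Document 2: the hardened pattern. Anything that checks out or runs
# PR code uses the unprivileged trigger and an explicitly read-only
# token. Fork PRs then get no secrets and cannot write to the repo.
# Keep pull_request_target only for jobs that never execute PR code
# (for example, adding a label) and never check out the PR head there.
name: pre-commit-check (hardened)
on:
  pull_request:                 # unprivileged for fork pull requests
permissions:
  contents: read                # least privilege for the job token
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # Default checkout of the PR merge ref; still unprivileged.
      - uses: actions/checkout@v4
      - run: pip install pre-commit && pre-commit run --all-files
```

The two YAML documents would live in separate workflow files in practice; they are joined here only to show the weak and hardened settings side by side.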
Impact
Attackers with write permissions can execute arbitrary code remotely, potentially compromising the CI environment and codebase.
Mitigation
Update to version 2.1.2 or later.
Social Media Activity(2 posts)
CVE-2026-42603 - High (8.8) OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Prior to 2.1.2, .github/workflows/pre-commit-fix.yaml uses pull_request_target (privileged trigger) but checks out and exe... https://www.thehackerwire.com/vulnerability/CVE-2026-42603/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack
Details
- CVE ID: CVE-2026-42603
- Severity: High
- CVSS Score: 8.8
- Type: remote_code_execution
- Status: new
- EPSS: 4.2%
- Social Posts: 2
CWE
- CWE-94
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H