CVE Reports

Originally published at cvereports.com


GHSA-C3XH-98XP-6QHF: Command Injection via Issue Title in Discord Notification Workflow

Vulnerability ID: GHSA-C3XH-98XP-6QHF
CVSS Score: 7.1
Published: 2026-06-19

A command injection vulnerability exists in the .github/workflows/discord-issue.yml workflow of the gouef/githubtoplanguages repository. Because untrusted issue titles are interpolated literally into an inline Bash script, an attacker can execute arbitrary commands in the GitHub Actions runner environment. This exposes repository secrets, such as the Discord webhook URL, to theft.

TL;DR

Untrusted GitHub issue and pull request titles are directly interpolated into an inline Bash script within a GitHub Actions workflow, leading to arbitrary OS command injection.


Technical Details

  • CWE ID: CWE-74 / CWE-78 / CWE-94
  • Attack Vector: Network (AV:N)
  • CVSS v4.0 Score: 7.1 (High)
  • Exploit Status: PoC
  • KEV Status: Not Listed
  • Affected Component: GitHub Actions Workflow (.github/workflows/discord-issue.yml)
  • Impact: Arbitrary Command Execution in the Ephemeral Runner Environment

Affected Systems

  • gouef/githubtoplanguages GitHub Actions Workflows
  • githubtoplanguages: < 1.1.4 (Fixed in: 1.1.4)

Code Analysis

Commit: 1578404

Fix command injection in Discord issue workflow

Mitigation Strategies

  • Map user-controlled GitHub context variables directly to step-level environment variables.
  • Avoid literal string interpolation of '${{ github.event... }}' inside 'run' steps.
  • Use dedicated JSON processing utilities like 'jq' to serialize parameters securely instead of concatenating strings.

Remediation Steps

  1. Identify any workflows in '.github/workflows/' that use '${{ github.event.issue... }}' or similar within a shell command.
  2. Modify the workflow to assign these context expressions to step 'env' variables.
  3. Update the shell commands to reference standard process variables (e.g., '$ISSUE_TITLE') instead of double-bracket expressions.
  4. Deploy 'jq' to build JSON request payloads safely.
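The remediation above, as an added example that is not the repository's own workflow: a constructed Discord notification step showing the weak pattern (commented out) beside the hardened one. The secret name DISCORD_WEBHOOK_URL and the env variable names are assumptions.

```yaml
name: Discord issue notification
on:
  issues:
    types: [opened]
  pull_request:
    types: [opened]

jobs:
  notify:
    runs-on: ubuntu-latest
    steps:
      # Weak pattern (constructed illustration, do not use): the ${{ }} expression
      # is expanded by the Actions runner before Bash parses the line, so any
      # shell metacharacters in the title become part of the command itself.
      # - name: Notify Discord (vulnerable)
      #   run: |
      #     curl -sS -X POST -H 'Content-Type: application/json' \
      #       -d "{\"content\": \"New issue: ${{ github.event.issue.title }}\"}" \
      #       "${{ secrets.DISCORD_WEBHOOK_URL }}"

      # Hardened pattern: untrusted context values are mapped to step-level env
      # variables, so Bash only ever sees a variable name, and jq serializes the
      # value as a JSON string instead of concatenating it into the payload.
      - name: Notify Discord (hardened)
        env:
          ISSUE_TITLE: ${{ github.event.issue.title || github.event.pull_request.title }}
          ISSUE_URL: ${{ github.event.issue.html_url || github.event.pull_request.html_url }}
          WEBHOOK_URL: ${{ secrets.DISCORD_WEBHOOK_URL }}  # assumed secret name
        run: |
          set -euo pipefail
          # --arg binds the raw title as a jq string; quotes, backslashes and
          # newlines are escaped by jq, never interpreted by the shell.
          payload="$(jq -n --arg title "$ISSUE_TITLE" --arg url "$ISSUE_URL" \
            '{content: ("New issue: " + $title + "\n" + $url)}')"
          curl -sS -f -X POST -H 'Content-Type: application/json' \
            -d "$payload" "$WEBHOOK_URL"
```

The same env-mapping rule applies to every other attacker-controlled field (issue body, branch names, commit messages, PR labels), not only the title.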

