{"data":{"id":"7a9181a5-74cf-49b1-8f62-280e02364c82","title":"CVE-2026-44723: Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pul","summary":"Vowpal Wabbit, a machine learning system, has a command injection vulnerability in its GitHub workflow file .github/workflows/python_checks.yml: pull request titles are inserted directly into bash commands without neutralizing shell metacharacters. Because the shell processes the string before Python runs, shell commands placed in a crafted pull request title execute on the build system. Pull requests can be opened on any branch without special permission, so anyone able to open a pull request can trigger this attack.","solution":"This vulnerability is fixed by commit 998e390e80a7e8192d7849b7784bc113dbd190ad.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-44723","publishedAt":"2026-05-26T17:16:46.680Z","cveId":"CVE-2026-44723","cweIds":["CWE-78","CWE-1336"],"cvssScore":"5","cvssSeverity":"medium","severity":"medium","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":[],"affectedVendorsRaw":["Vowpal Wabbit"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N","attackVector":"network","attackComplexity":"low","privilegesRequired":"low","userInteraction":"none","exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-05-26T17:16:46.680Z","capecIds":["CAPEC-88"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["integrity","confidentiality","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.85,"researchCategory":null,"atlasIds":["AML.T0010"]}}