CVE-2026-44723: Vowpal Wabbit is a machine learning system. The workflow .github/workflows/python_checks.yml embeds ${{ github.event.pul
Summary
Vowpal Wabbit, a machine learning system, has a vulnerability in its GitHub workflow file .github/workflows/python_checks.yml: pull request titles are inserted directly into bash commands without proper protection. Because the shell processes the string first, shell commands placed in a crafted pull request title execute on the build system before Python runs. Pull requests can be opened on any branch without special permission, so anyone can trigger this attack.
Solution / Mitigation
This vulnerability is fixed by commit 998e390e80a7e8192d7849b7784bc113dbd190ad.
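An added example, not taken from the Vowpal Wabbit repository or the fix commit: a small scanner that flags attacker-controlled `${{ ... }}` contexts expanded inside `run:` scripts, applied to a constructed vulnerable step and to a hardened step that passes the title through an environment variable. The workflow contents, `check_title.py` and `PR_TITLE` are assumptions for illustration; the page does not show the real workflow or what the commit changed.

```python
import re

# Contexts a pull-request author controls (a common subset, not exhaustive).
UNTRUSTED = re.compile(r"\$\{\{\s*github\.(?:head_ref|event\.(?:comment\.body"
                       r"|(?:pull_request|issue)\.(?:title|body)))\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_injectable_runs(workflow_text):
    """Return (line_number, expression) pairs found inside run: scripts."""
    findings = []
    run_col = None  # column of the active run: key, None outside a script
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        match = RUN_KEY.match(line)
        if match:  # inline script, or the "|" opener of a block script
            run_col, script = len(match.group(1)), match.group(2)
        elif run_col is not None and (not line.strip() or indent > run_col):
            script = line  # continuation line of a block script
        else:
            run_col, script = None, ""  # any other key ends the script
        findings += [(number, m.group(0)) for m in UNTRUSTED.finditer(script)]
    return findings


# Constructed workflow: the title is expanded into the script text itself.
VULNERABLE = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        run: |
          python check_title.py "${{ github.event.pull_request.title }}"
"""

# Constructed hardened form: the shell only ever sees a quoted variable.
FIXED = """\
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - name: Check title
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          python check_title.py "$PR_TITLE"
"""
```

The scanner is line-based and only understands the common `run:` layouts, so treat a clean result as a first pass rather than proof that a workflow is safe.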
Vulnerability Details
CVSS score: 5 (medium)
EPSS: 0.0%
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Attack vector: network
Attack complexity: low
Privileges required: low
User interaction: none
May 26, 2026
Original source: https://nvd.nist.gov/vuln/detail/CVE-2026-44723
First tracked: May 26, 2026 at 08:12 PM