CVE-2026-31900

Name: CVE-2026-31900
Description: Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package   Release    Version     Status
black (PTS)      bullseye   20.8b1-4    vulnerable
black            bookworm   23.1.0-1    vulnerable
black            trixie     25.1.0-3    vulnerable
black            forky      25.12.0-2   vulnerable
black            sid        26.1.0-1    vulnerable

The information below is based on the following data on fixed versions.

Package   Type     Release      Fixed Version   Urgency       Origin   Debian Bugs
black     source   (unstable)   (unfixed)       unimportant

Notes

https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm
Fixed by: https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611 (26.3.0)
The GitHub Action code (action/main.py) is not shipped in the Debian-built binary packages.
