OWASP BLT: pre-commit-fix.yaml executes untrusted fork code via pull_request_target

Description

A vulnerability described as critical has been identified in OWASP-BLT BLT up to 2.1.1. Affected by this issue is the function pull_request_target of the file github/workflows/pre-commit-fix.yaml. The manipulation results in code injection. This vulnerability is reported as CVE-2026-42603. The attack can be launched remotely. No exploit exists. Upgrading the affected component is recommended.

Affected Products

Vendor	Product	Versions
owasp-blt	blt	< 2.1.2, 2.1.1

References

https://github.com/OWASP-BLT/BLT/security/advisories/GHSA-cgvj-qg2h-cqfh(x_refsource_CONFIRM)

Related News (1 articles)

Tier C

VulDB7h ago

CVE-2026-42603 | OWASP-BLT up to 2.1.1 pre-commit-fix.yaml pull_request_target code injection (GHSA-cgvj-qg2h-cqfh)

→ No new info (linked only)

CVSS 3.10.0 CRITICAL

VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

2.1.2

CWECWE-94, CWE-95

PublishedMay 11, 2026

Last enriched6h agov2

Trending Score61

Source articles1

Independent1

Info Completeness9/14

Missing: epss, kev, exploit, iocs, mitre_attack

Community Vote

Version History

Last enriched 6h ago

v2Tier C6h ago

Updated severity to CRITICAL, added affected version 2.1.1, and noted that no exploit exists.

descriptionaffectedVersionsseveritycvssEstimateactivelyExploitedpatchAvailable

via VulDB

v19h ago

Initial creation