GHSA-rvp7-w75q-9fv2LowCVSS 2.2

BBOT: Symlink-Following Arbitrary Write via github_workflows Module

Published
June 18, 2026
Last Modified
June 18, 2026

🔗 CVE IDs covered (1)

📋 Description

The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.

🎯 Affected products1

  • pip/bbot:>= 2.0.0, <= 2.8.4

🔗 References (4)