CVE-2026-31900

Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action. Version 26.3.0 fixes this vulnerability.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611	Patch
https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm	Mitigation Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:python:black:*:*:*:*:*:*:*:*

History

16 Mar 2026, 20:02

Type	Values Removed	Values Added
References	~~() https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611 -~~	() https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611 - Patch
References	~~() https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm -~~	() https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm - Mitigation, Vendor Advisory
CPE		cpe:2.3:a:python:black::::::::
Summary		(es) Black es el formateador de código Python intransigente. Black proporciona una acción de GitHub para formatear código. Esta acción admite una opción, use_pyproject: true, para leer la versión de Black a utilizar desde el archivo pyproject.toml del repositorio. Una solicitud de extracción maliciosa podría editar pyproject.toml para usar una referencia de URL directa a un repositorio malicioso. Esto podría conducir a la ejecución de código arbitrario en el contexto de la Acción de GitHub. Los atacantes podrían entonces obtener acceso a secretos o permisos disponibles en el contexto de la acción. La versión 26.3.0 corrige esta vulnerabilidad.
CWE		NVD-CWE-noinfo
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Python Python black

11 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 20:16

Updated : 2026-03-16 20:02

NVD link : CVE-2026-31900

Mitre link : CVE-2026-31900

CVE.ORG link : CVE-2026-31900

JSON object : View

Products Affected

python

black

CWE

CWE-20

Improper Input Validation

NVD-CWE-noinfo

9.8 /10