CVE-2026-31976

xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch. However, the attacker used the compromised GitHub App credentials to move the mutable v5 tag to point at the malicious commit (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) from one of the unmerged PRs. This commit remained in the repository's git object store, and any workflow referencing @v5 would fetch and execute it. This is a supply chain compromise via tag poisoning. Any GitHub Actions workflow referencing xygeni/xygeni-action@v5 during the affected window (approximately March 3–10, 2026) executed a C2 implant that granted the attacker arbitrary command execution on the CI runner for up to 180 seconds per workflow run.

CVSS v3 9.8 CRITICAL

9.8^/10

CVSS v3 : CRITICAL

V3 Legend

Vector :

Exploitability : 3.9 / Impact : 5.9

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required NONE

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact HIGH

Scope UNCHANGED

References

Link	Resource
https://github.com/xygeni/xygeni-action/issues/54	Issue Tracking
https://github.com/xygeni/xygeni-action/security/advisories/GHSA-f8q5-h5qh-33mh	Vendor Advisory Patch

Configurations

Configuration 1 (hide)

cpe:2.3:a:xygeni:xygeni-action:*:*:*:*:*:*:*:*

History

16 Mar 2026, 19:02

Type	Values Removed	Values Added
Summary		(es) xygeni-action es la Acción de GitHub para Xygeni Scanner. El 3 de marzo de 2026, un atacante con acceso a credenciales comprometidas creó una serie de solicitudes de extracción (#46, #47, #48) inyectando código shell ofuscado en action.yml. Las solicitudes de extracción fueron bloqueadas por las reglas de protección de rama y nunca se fusionaron en la rama principal. Sin embargo, el atacante utilizó las credenciales comprometidas de la aplicación de GitHub para mover la etiqueta mutable v5 para que apuntara al commit malicioso (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) de una de las solicitudes de extracción no fusionadas. Este commit permaneció en el almacén de objetos git del repositorio, y cualquier flujo de trabajo que hiciera referencia a @v5 lo recuperaría y ejecutaría. Esto es un compromiso de la cadena de suministro mediante envenenamiento de etiquetas. Cualquier flujo de trabajo de GitHub Actions que hiciera referencia a xygeni/xygeni-action@v5 durante la ventana afectada (aproximadamente del 3 al 10 de marzo de 2026) ejecutó un implante C2 que otorgó al atacante ejecución arbitraria de comandos en el ejecutor de CI por hasta 180 segundos por ejecución de flujo de trabajo.
CVSS	v2 : ~~unknown~~ v3 : ~~unknown~~	v2 : unknown v3 : 9.8
First Time		Xygeni Xygeni xygeni-action
CPE		cpe:2.3:a:xygeni:xygeni-action::::::::
References	~~() https://github.com/xygeni/xygeni-action/issues/54 -~~	() https://github.com/xygeni/xygeni-action/issues/54 - Issue Tracking
References	~~() https://github.com/xygeni/xygeni-action/security/advisories/GHSA-f8q5-h5qh-33mh -~~	() https://github.com/xygeni/xygeni-action/security/advisories/GHSA-f8q5-h5qh-33mh - Vendor Advisory, Patch

11 Mar 2026, 20:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-03-11 20:16

Updated : 2026-03-16 19:02

NVD link : CVE-2026-31976

Mitre link : CVE-2026-31976

CVE.ORG link : CVE-2026-31976

JSON object : View

Products Affected

xygeni

xygeni-action

CWE

CWE-506

Embedded Malicious Code

9.8 /10