A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
References
| Link | Resource |
|---|---|
| https://gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0 | Exploit Third Party Advisory |
| https://vuldb.com/submit/811402 | Third Party Advisory VDB Entry |
| https://vuldb.com/vuln/364392 | Third Party Advisory VDB Entry |
| https://vuldb.com/vuln/364392/cti | Permissions Required VDB Entry |
Configurations
History
19 May 2026, 14:29
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://gist.github.com/YLChen-007/870bd6966cd84703d91ce54dfea3bdd0 - Exploit, Third Party Advisory | |
| References | () https://vuldb.com/submit/811402 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/vuln/364392 - Third Party Advisory, VDB Entry | |
| References | () https://vuldb.com/vuln/364392/cti - Permissions Required, VDB Entry | |
| CPE | cpe:2.3:a:vercel:ai:*:*:*:*:*:*:*:* | |
| First Time |
Vercel ai
Vercel |
17 May 2026, 23:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-05-17 23:17
Updated : 2026-05-19 14:29
NVD link : CVE-2026-8767
Mitre link : CVE-2026-8767
CVE.ORG link : CVE-2026-8767
JSON object : View
Products Affected
vercel
- ai