HIGH
OWASP-BLT
CVE published 2026-04-15
CVE-2026-40316
CVE-2026-40316 describes a high-severity remote code execution issue in OWASP BLT’s .github/workflows/regenerate-migrations.yml workflow. The workflow is triggered with pull_request_target, runs with write-capable GITHUB_TOKEN permissions, and copies attacker-controlled content from an untrusted pull request into the trusted runner workspace before invoking Django migration generation. Because makemigrati [truncated]
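The pattern the advisory describes, as an added illustration (constructed here, not the project's actual `regenerate-migrations.yml`): a `pull_request_target` workflow that checks out the fork's head commit with a write-capable token, next to a hardened variant that runs in the fork's own read-only context and only checks for missing migrations instead of writing anything back. Job names, step commands and the `requirements.txt` path are assumptions.

```yaml
# --- Risky pattern (constructed example, not the real workflow) ---
# pull_request_target runs in the BASE repository's context: GITHUB_TOKEN is
# write-capable and secrets are available, even for PRs from untrusted forks.
name: regenerate-migrations (risky pattern)
on:
  pull_request_target:
permissions:
  contents: write          # token can push to the repository
  pull-requests: write
jobs:
  regenerate:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          # Copies the fork's commit into the trusted workspace: any
          # requirements.txt, models.py or settings change is now attacker code.
          ref: ${{ github.event.pull_request.head.sha }}
      - run: pip install -r requirements.txt         # installs attacker-chosen packages
      - run: python manage.py makemigrations         # imports the untrusted Django apps
      - run: git commit -am "regenerate" && git push # write token commits the result

---
# --- Hardened pattern (constructed example) ---
# Plain pull_request runs in the FORK's context: read-only token, no secrets,
# so executing the PR's own code here cannot modify the base repository.
name: regenerate-migrations (hardened pattern)
on:
  pull_request:
permissions:
  contents: read           # explicit least privilege; nothing can be pushed
jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4                     # default ref: the PR merge commit
      - run: pip install -r requirements.txt
      # Fail the job if migrations are out of date instead of generating and
      # pushing them; --check exits non-zero, --dry-run writes no files.
      - run: python manage.py makemigrations --check --dry-run
```

If the workflow genuinely must write migrations back, keep `pull_request_target` but never check out or execute the PR's head content in that job; do the untrusted build in a `pull_request` job and pass only data (not code) to a separate privileged step.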