HIGH
prefecthq
CVE published 2026-05-24
CVE-2026-3515
A command injection vulnerability exists in the `prefect-github` integration for Prefect version 3.6.18. The `GitHubRepository` block's `reference` field is unsafely concatenated into a shell command string before parsing with `shlex.split()`, enabling arbitrary git option injection. Attackers with control over the `reference` parameter can inject flags such as `-c` to execute arbitrary commands, potentia [truncated]
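The failure mode described above, as an added illustration (constructed code, not taken from `prefect-github`): the function names, the command layout, the placeholder URL and the sample reference are assumptions made for the example. It builds the argument vector both ways and compares them without running git.

```python
import re
import shlex

REPO_URL = "https://example.invalid/org/repo.git"   # placeholder URL
SAMPLE_REFERENCE = "main -c example.key=value"       # constructed input, inert key

def build_argv_concat(url: str, reference: str) -> list[str]:
    """Risky pattern: interpolate into one string, then shlex.split() it.
    Whitespace inside `reference` becomes argv boundaries."""
    return shlex.split(f"git clone {url} --branch {reference} --depth 1")

# Conservative allow-list for branch/tag/SHA names (an assumption for this
# example; git itself permits more). A leading "-" can never match.
_REF_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._/-]{0,254}")

def validate_reference(reference: str) -> str:
    if not _REF_RE.fullmatch(reference) or ".." in reference:
        raise ValueError(f"rejected git reference: {reference!r}")
    return reference

def build_argv_list(url: str, reference: str) -> list[str]:
    """Hardened form: validated value, one argv element per argument,
    and "--" so the URL can never be read as an option."""
    ref = validate_reference(reference)
    return ["git", "clone", "--branch", ref, "--depth", "1", "--", url]

def smuggled_tokens(url: str, reference: str) -> list[str]:
    """Tokens the concatenated form adds compared with a one-word reference."""
    baseline = build_argv_concat(url, "REF")
    actual = build_argv_concat(url, reference)
    return actual[baseline.index("REF") + 1 : len(actual) - 2]

if __name__ == "__main__":
    print(build_argv_concat(REPO_URL, SAMPLE_REFERENCE))
    print(smuggled_tokens(REPO_URL, SAMPLE_REFERENCE))
    try:
        build_argv_list(REPO_URL, SAMPLE_REFERENCE)
    except ValueError as exc:
        print(exc)
```

`smuggled_tokens` can double as a regression check: any stored `reference` for which it returns a non-empty list would have changed the argument vector under the concatenating pattern.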