PatchSiren

VowpalWabbit CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM VowpalWabbit CVE published 2026-05-26

CVE-2026-44723

Vowpal Wabbit's GitHub Actions workflow contains a command injection vulnerability in `.github/workflows/python_checks.yml`. The workflow embeds `${{ github.event.pull_request.title }}` directly within double-quoted bash strings across four separate steps in four jobs, passing the value as a CLI argument to `run_tests_model_gen_and_load.py`. Because the shell expands this string before Python receives it, an [truncated]