Perceptive Security
SOC/SIEM Consultancy
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invo…
Published:
27 May 2026 at 22:00:00
Alert date:
28 May 2026 at 17:06:19
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
CVE-2026-44358 affects Espressif Shared GitHub DangerJS, a reusable GitHub Action CI workflow. Prior to version 1.0.1, the action's entrypoint.sh created an untrusted search path vulnerability by invoking DangerJS from the caller's workspace after copying fork checkouts. This allowed malicious fork pull requests processed by pull_request_target workflows to execute arbitrary code inside the action container. The vulnerability enables supply chain attacks through GitHub Actions and has been fixed in version 1.0.1.
Technical details
Mitigation steps:
Affected products:
Espressif Shared GitHub DangerJS
GitHub Actions
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44358
https://github.com/espressif/shared-github-dangerjs/commit/d742408028135ea200982b5b2e3e438dc4e5a25d
https://github.com/espressif/shared-github-dangerjs/security/advisories/GHSA-wm3p-pv54-6w73
Related CVE's:
Related threat actors:
IOC's:
This article was created with the assistance of AI technology by Perceptive.