



Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invo…
Published:
27 May 2026 at 22:00:00
Alert date:
28 May 2026 at 17:06:19
Source:
nvd.nist.gov
Supply Chain & Dependencies, Web Technologies
CVE-2026-44358 affects Espressif Shared GitHub DangerJS, a reusable GitHub Action CI workflow. Prior to version 1.0.1, the action's entrypoint.sh created an untrusted search path vulnerability by invoking DangerJS from the caller's workspace after copying fork checkouts. This allowed malicious fork pull requests processed by pull_request_target workflows to execute arbitrary code inside the action container. The vulnerability enables supply chain attacks through GitHub Actions and has been fixed in version 1.0.1.
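To find consumers of the affected action, the following added example (not code from the advisory, from Espressif, or from this page) scans workflow text for references to espressif/shared-github-dangerjs and reports whether each ref predates 1.0.1 and whether the workflow runs on pull_request_target. It is a line-based heuristic rather than a YAML parser, it assumes release tags look like `v1.0.1` or `1.0.1`, and the sample workflow is constructed.

```python
import re

ACTION = "espressif/shared-github-dangerjs"
FIXED = (1, 0, 1)  # first fixed release named in the advisory text

USES_RE = re.compile(r"uses:\s*['\"]?" + re.escape(ACTION) + r"@([^\s'\"]+)", re.I)
SEMVER_RE = re.compile(r"^v?(\d+)\.(\d+)\.(\d+)$")  # assumed tag format
TRIGGER_RE = re.compile(r"\bpull_request_target\b")

# Constructed sample workflow, not taken from any real repository.
SAMPLE = """\
name: DangerJS
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
      - uses: espressif/shared-github-dangerjs@v1.0.0
"""


def classify_ref(ref):
    """Map an action ref to 'vulnerable', 'fixed' or 'unknown'."""
    m = SEMVER_RE.match(ref)
    if not m:
        # Branch, floating tag (v1) or commit SHA: resolve it by hand.
        return "unknown"
    return "vulnerable" if tuple(map(int, m.groups())) < FIXED else "fixed"


def audit_workflow(text):
    """Return (line_no, ref, verdict, pr_target) for each use of the action."""
    # Drop YAML comments so commented-out steps are not reported.
    lines = [re.sub(r"(^|\s)#.*", "", l) for l in text.splitlines()]
    pr_target = any(TRIGGER_RE.search(l) for l in lines)
    findings = []
    for no, line in enumerate(lines, 1):
        m = USES_RE.search(line)
        if m:
            findings.append((no, m.group(1), classify_ref(m.group(1)), pr_target))
    return findings


if __name__ == "__main__":
    for no, ref, verdict, pr_target in audit_workflow(SAMPLE):
        print(f"line {no}: @{ref} -> {verdict}, pull_request_target={pr_target}")
```

A finding with verdict `unknown` means the ref is a branch, floating tag or commit SHA and must be checked against the fix commit listed under the related links.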
Technical details
Mitigation steps:
Affected products:
Espressif Shared GitHub DangerJS
GitHub Actions
Related links:
https://nvd.nist.gov/vuln/detail/CVE-2026-44358
https://github.com/espressif/shared-github-dangerjs/commit/d742408028135ea200982b5b2e3e438dc4e5a25d
https://github.com/espressif/shared-github-dangerjs/security/advisories/GHSA-wm3p-pv54-6w73
Related CVEs:
Related threat actors:
IOCs:
This article was created with the assistance of AI technology by Perceptive.
