Source: gh
Version: 2.46.0-4
Severity: important
Tags: security upstream
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for gh.

CVE-2026-45803[0]:
| `gh` is GitHub's official command line tool. From 1.6.0 to before
| 2.92.0, a security vulnerability has been identified in GitHub CLI
| that could allow terminal escape sequence injection when users view
| GitHub Actions workflow logs using gh run view --log or gh run view
| --log-failed. The vulnerability stems from the way GitHub CLI
| handles raw Actions log output. The gh run view --log and gh run
| view --log-failed commands stream workflow log lines to stdout or
| the configured pager without sanitizing terminal control sequences.
| An attacker who can influence GitHub Actions log content, for
| example via a PR triggered workflow, can embed escape sequences that
| are replayed in the user's terminal when they inspect the run.
| Depending on the victim's terminal emulator, injected sequences
| could change the window title, manipulate on screen content, or in
| some terminal emulators (such as screen) potentially execute
| arbitrary commands. This vulnerability is fixed in 2.92.0.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-45803
    https://www.cve.org/CVERecord?id=CVE-2026-45803
[1] https://github.com/cli/cli/security/advisories/GHSA-crc3-h8v6-qh57

Regards,
Salvatore
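The class of fix the advisory calls for is a sanitizer applied to every log line before it is written to stdout or the pager. The Go function below is an added illustration, not the upstream gh patch: it strips CSI sequences, OSC/DCS/PM/APC strings (the kind used to set a window title) and all remaining C0/C1 control characters except TAB, and the sample log line in main() is constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// SanitizeLogLine strips terminal control sequences from one line of untrusted
// log output before it reaches a terminal or pager: CSI sequences, OSC/DCS/PM/APC
// strings (up to BEL or ST), two-byte ESC sequences, and every other C0/DEL/C1
// control character except TAB. A sequence cut off by end of line swallows the
// rest of the line, the safe choice for untrusted input.
func SanitizeLogLine(line string) string {
	var b strings.Builder
	r := []rune(line)
	for i := 0; i < len(r); i++ {
		c := r[i]
		switch {
		case c == 0x1b && i+1 < len(r) && r[i+1] == '[':
			// CSI: parameter/intermediate bytes 0x20-0x3f, then one final byte
			i += 2
			for i < len(r) && r[i] >= 0x20 && r[i] <= 0x3f {
				i++
			}
		case c == 0x1b && i+1 < len(r) && strings.ContainsRune("]P^_", r[i+1]):
			// OSC/DCS/PM/APC: payload runs until BEL or ST (ESC \)
			for i += 2; i < len(r) && r[i] != 0x07; i++ {
				if r[i] == 0x1b && i+1 < len(r) && r[i+1] == '\\' {
					i++ // consume the backslash of ST too
					break
				}
			}
		case c == 0x1b:
			i++ // two-character sequence such as ESC c (full reset)
		case c == '\t':
			b.WriteRune(c)
		case c < 0x20 || c == 0x7f || (c >= 0x80 && c <= 0x9f):
			// BEL, CR, 8-bit C1 controls such as U+009B (CSI), etc. are dropped
		default:
			b.WriteRune(c)
		}
	}
	return b.String()
}

func main() {
	// constructed sample line: a title-setting OSC, colour CSIs and a CR
	raw := "\x1b]0;pwned\x07ok \x1b[31merror\x1b[0m\r done"
	fmt.Printf("%q -> %q\n", raw, SanitizeLogLine(raw))
}
```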

