Security News

Cybersecurity news aggregator

CRITICAL Vulnerabilities SC Media

Flaw in Microsoft-owned GitHub repository allowed RCE via issue submission

A critical vulnerability in Microsoft's public Windows-driver-samples GitHub repository allowed remote code execution via issue submissions, where an attacker could inject arbitrary Python code into an unsanitized GitHub Actions workflow to potentially exfiltrate the repository's GITHUB_TOKEN secret. Tenable assessed the flaw with a CVSS base score of 9.3, noting exploitation would have been trivial for any GitHub account holder. Microsoft fixed the vulnerability on March 13, 2026, and the incident underscores the need to audit CI/CD pipelines and review secret permissions.

April 22, 2026, by Laura French

Microsoft fixed a critical flaw in one of its public GitHub repositories that enabled anyone with a GitHub account to achieve remote code execution (RCE) by opening an issue on the repo, Tenable reported in an advisory Tuesday.

The issue affected the Windows-driver-samples repository, which has about 7,700 stars and 5,000 forks on GitHub. An attacker could have executed arbitrary Python code in the context of the GitHub runner, potentially extracting the GITHUB_TOKEN secret for the repo, Tenable Staff Research Engineer Rémy Marot explained in a statement provided to SC Media.

A GitHub Actions workflow caused the body of any issue created on the repo to be inserted directly into a Python here-doc without sanitization, Tenable said. An attacker could have used triple-quote string terminators to close the string literal and inject Python code that the workflow would then execute. This could have allowed exfiltration of the temporary GITHUB_TOKEN secret, which at minimum could have enabled issue creation on behalf of Microsoft. While Microsoft did not confirm the exact token permissions, Tenable researchers noted that the default configuration of tokens on repos created before 2023 allowed read and write operations.

Tenable assessed the flaw at a CVSS base score of 9.3, with Marot saying exploitation would have been “trivial” because anyone with a free registered GitHub account could have submitted a malicious issue. The flaw was reported by Tenable in February 2026 and fixed by Microsoft on March 13, 2026.
Tenable says the incident highlights the importance of securing continuous integration and continuous delivery (CI/CD) pipelines to prevent supply chain compromise, including by auditing workflows such as GitHub Actions for vulnerabilities or misconfigurations, and by reviewing permissions for secrets such as GITHUB_TOKEN to avoid unnecessary read/write permissions. “The CI/CD infrastructure is part of an organization’s attack surface and software supply chain, requiring strict security controls to protect source code and build integrity,” Marot said.

OpenAI recently reported that a misconfiguration in a GitHub Actions workflow resulted in the installation and execution of a malicious axios version, potentially affecting OpenAI’s macOS app-signing process. In that case, a floating tag and the lack of a configured minimumReleaseAge caused the malicious version to be installed automatically when the package was temporarily compromised in a North Korea-linked attack.
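As an added example (not Tenable's or Microsoft's code), here is a small audit script in the spirit of the workflow review Tenable recommends: it scans a GitHub Actions workflow for attacker-controlled event fields (issue and comment bodies, pull request titles, branch names) expanded with `${{ }}` inside a `run:` script, where the runner substitutes them into the script text before anything executes, so quoting in a here-doc does not help. The two sample workflows, the list of untrusted fields and the function name are constructed for this example; the second sample shows the usual fix of passing the value through an environment variable.

```python
import re

# Constructed samples: the here-doc pattern the article describes, then the hardened form.
VULNERABLE = '''\
on: issues
jobs:
  triage:
    steps:
      - run: |
          python3 - <<'EOF'
          body = """${{ github.event.issue.body }}"""
          EOF
'''
HARDENED = '''\
on: issues
jobs:
  triage:
    steps:
      - env:
          ISSUE_BODY: ${{ github.event.issue.body }}
        run: |
          python3 - <<'EOF'
          import os
          print(len(os.environ["ISSUE_BODY"]))
          EOF
'''
# Event fields an outside account controls (assumed list; extend for your own workflows).
UNTRUSTED = re.compile(r"github\.(event\.(issue|comment|pull_request|review|discussion)"
                       r"\.(title|body)|head_ref|event\.pull_request\.head\.(ref|label))")
EXPR = re.compile(r"\$\{\{\s*([^}]*?)\s*\}\}")       # a ${{ ... }} expression
RUN_KEY = re.compile(r"(?:-\s+)?run:\s*(.*)$")       # a run: step key and its value
BLOCK_MARKERS = {"|", ">", "|-", ">-", "|+", ">+"}   # YAML block scalar indicators

def find_injections(workflow_text):
    """Return (line_number, expression) for untrusted expressions expanded inside run: scripts."""
    findings = []
    block_indent = None  # indentation of the run: key whose block scalar we are inside
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        stripped = line.lstrip()
        indent = len(line) - len(stripped)
        if block_indent is not None and stripped and indent <= block_indent:
            block_indent = None  # a dedent ends the block scalar
        key = RUN_KEY.match(stripped)
        if key and key.group(1).strip() in BLOCK_MARKERS:
            block_indent = indent
        if key or block_indent is not None:  # single-line run: or inside its block
            for m in EXPR.finditer(line):
                if UNTRUSTED.search(m.group(1)):
                    findings.append((lineno, m.group(1)))
    return findings
```

Expressions that only appear under `env:` are not flagged, because the runner hands them to the step as an environment variable rather than splicing them into the script.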
