HackerTrans
TopNewTrendsCommentsPastAskShowJobs

ParzivalHack

no profile record

Submissions

CVE-2026-31900, my 0-click RCE in the psf/black GitHub Action

medium.com
3 points·by ParzivalHack·il y a 4 mois·1 comments

Show HN: Aegis.rs, the first open source Rust-based LLM security proxy

github.com
2 points·by ParzivalHack·il y a 5 mois·2 comments

Show HN: PySpector – a hybrid Python SAST with a Rust core, looking4contributors

github.com
1 points·by ParzivalHack·il y a 6 mois·0 comments

comments

ParzivalHack
·il y a 4 mois·discuss
Hi HN, I’m Tommy, the researcher who reported this vulnerability.

While looking at the psf/black GitHub Action I noticed that when the action reads the version from pyproject.toml, it accepts values that are not strictly version strings. This makes it possible to reference a remote package and have it executed during the workflow run.

In a PR scenario, this ofc leads to arbitrary code execution on GitHub Actions runners, with no maintainer interaction.

It's my first CVE, so i wrote a writeup, and i would love to get some feedbacks on it, from people who actually work in CI security/DevSecOps :)
ParzivalHack
·il y a 5 mois·discuss
Yoo that's crazy man. Same name, same language and similar purpose. I swear it's the 1st time i see your project lmao