CVE-2026-45803
3.5 LOW
`gh` is GitHub’s official command line tool
Published: 2026-05-15 · Last updated: 2026-05-21
Severity and scoring
- CVSS: 3.5 LOW
- Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N
- CWE: CWE-150 (Improper Neutralization of Escape, Meta, or Control Sequences)
Affected products
| Vendor | Product |
|---|---|
| github | cli |
Description
`gh` is GitHub’s official command line tool. In versions from 1.6.0 up to, but not including, 2.92.0, GitHub CLI is vulnerable to terminal escape sequence injection when a user views GitHub Actions workflow logs with `gh run view --log` or `gh run view --log-failed`. Both commands stream the raw workflow log lines to stdout or to the configured pager without neutralizing terminal control sequences. An attacker who can influence Actions log content, for example by opening a pull request that triggers a workflow whose output they control, can embed escape sequences that are replayed in the victim's terminal when the victim inspects the run. Depending on the victim's terminal emulator, injected sequences could change the window title, manipulate on-screen content, or, in some terminal emulators (such as screen), potentially execute arbitrary commands. The CVSS vector reflects that the victim has to run one of these commands themselves (UI:R) and that the attacker needs only enough access to get text into a workflow log (PR:L). Routing the output through a pager does not by itself mitigate the issue: a pager started with raw control-character passthrough (such as `less -r`) replays the sequences exactly as stdout would. This vulnerability is fixed in 2.92.0; `gh --version` shows the installed release.
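The fix boils down to neutralizing terminal control sequences before a log line is written to stdout or the pager. The following Go program is an added example written for this page, not code from the `gh` repository or from the 2.92.0 patch: it strips C0/C1 controls and every ESC-introduced sequence class (CSI, the OSC/DCS/SOS/PM/APC string sequences, and plain ESC + final byte) from a log line, and exposes the same check as a detector you can run over saved logs. The sample log lines are constructed for the example; the function names are the author's own.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample of what a PR-controlled workflow step could print into the
// Actions log; these lines are made up for this example, not real gh output.
var sampleLog = []string{
	"Run npm test",
	"\x1b]0;pwned\x07building...",            // OSC 0: rewrite the terminal window title
	"\x1b[2J\x1b[Hall tests passed",          // CSI: clear screen, home cursor (hides earlier output)
	"error: \x1b[31mfailed\x1b[0m",           // SGR colour codes are stripped along with everything else
	"\x1bP$q\x1b\\ok",                        // DCS sequence terminated by ST
	"plain\ttabs and unicode \u2713 survive", // ordinary text is untouched
}

// SanitizeLogLine removes terminal control sequences from one log line so it can
// be written to a terminal or pager safely. It drops:
//   - C0 control characters other than TAB (CR/LF are line terminators handled by
//     the caller), DEL, and the 8-bit C1 controls U+0080..U+009F;
//   - ESC-introduced sequences: CSI (ESC [ ... final byte 0x40-0x7E), the string
//     sequences OSC/DCS/SOS/PM/APC (ESC ] P X ^ _ ... up to BEL or ST), and any
//     other ESC + final byte, including nF sequences such as ESC ( B.
// Scanning runes rather than bytes keeps multi-byte UTF-8 text intact.
func SanitizeLogLine(line string) string {
	var out strings.Builder
	rs := []rune(line)
	for i := 0; i < len(rs); i++ {
		r := rs[i]
		switch {
		case r == 0x1b:
			i += skipEscape(rs[i+1:]) // consume the rest of the sequence
		case r == '\t':
			out.WriteRune(r)
		case r < 0x20 || r == 0x7f || (r >= 0x80 && r <= 0x9f):
			// bare control character: drop it
		default:
			out.WriteRune(r)
		}
	}
	return out.String()
}

// skipEscape reports how many runes after an ESC belong to the control sequence.
// An unterminated string sequence swallows the remainder of the line, which is the
// safe direction: nothing after an unterminated OSC/DCS can be trusted as text.
func skipEscape(rest []rune) int {
	if len(rest) == 0 {
		return 0
	}
	switch rest[0] {
	case '[': // CSI: parameter/intermediate bytes 0x20-0x3F, then one final byte 0x40-0x7E
		for j := 1; j < len(rest); j++ {
			if rest[j] >= 0x40 && rest[j] <= 0x7e {
				return j + 1
			}
			if rest[j] < 0x20 || rest[j] > 0x3f {
				return j // malformed CSI: stop here; the offending rune is re-examined as text
			}
		}
		return len(rest)
	case ']', 'P', 'X', '^', '_': // OSC, DCS, SOS, PM, APC: run to BEL or ST (ESC \)
		for j := 1; j < len(rest); j++ {
			if rest[j] == 0x07 {
				return j + 1
			}
			if rest[j] == 0x1b && j+1 < len(rest) && rest[j+1] == '\\' {
				return j + 2
			}
		}
		return len(rest)
	default: // ESC + optional intermediates 0x20-0x2F + one final byte (ESC 7, ESC M, ESC ( B, ...)
		j := 0
		for j < len(rest) && rest[j] >= 0x20 && rest[j] <= 0x2f {
			j++
		}
		if j < len(rest) {
			return j + 1
		}
		return j
	}
}

// HasControlSequences is the detection side: true when sanitization would change
// the line, i.e. it carries something a terminal might interpret.
func HasControlSequences(line string) bool {
	return SanitizeLogLine(line) != line
}

func main() {
	for _, line := range sampleLog {
		flag := " "
		if HasControlSequences(line) {
			flag = "!"
		}
		// Only the sanitized form reaches the terminal; the raw line is shown quoted for comparison.
		fmt.Printf("%s %-42q -> %q\n", flag, line, SanitizeLogLine(line))
	}
}
```

Stripping everything, colour codes included, is deliberate: an allow-list of "harmless" SGR sequences would have to be maintained against every emulator's quirks, whereas plain text can never be misinterpreted. If colour is wanted, re-apply it on the client side after sanitizing rather than trusting the log's own escapes.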
Source: NVD
Related CVEs
Same vendor
- CVE-2026-48501 — GitHub CLI (gh) is GitHub’s official command line tool (7.4 HIGH)
- CVE-2026-9312 — A server-side request forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an unauthenticated attacker to... (8.2 HIGH)
- CVE-2026-8606 — A Server-Side Request Forgery (SSRF) vulnerability was identified in GitHub Enterprise Server that allowed an attacker to cause the serve... (5.9 MEDIUM)
- CVE-2026-45033 — GitHub Copilot CLI brings AI-powered coding assistance directly to your command line (7.8 HIGH)
- CVE-2026-29783 — The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash ... (7.8 HIGH)
Same CWE
- CVE-2026-9270 — DataDog::DogStatsd versions through 0.07 for Perl allow metric injections (9.1 CRITICAL)
- CVE-2026-11362 — DataDog::DogStatsd versions through 0.07 for Perl allow metric injections from event tags (9.8 CRITICAL)
- CVE-2026-47090 — Claude HUD through 0.0.12, patched in commit 234d9aa, constructs OSC 8 terminal hyperlink escape sequences using raw cwd and branchUrl va... (4.6 MEDIUM)
- CVE-2026-45038 — Tabby (formerly Terminus) is a highly configurable terminal emulator (7.8 HIGH)
- CVE-2026-6019 — http.cookies.Morsel.js_output() returns an inline <script> snippet and only escapes " for JavaScript string context (6.1 MEDIUM)