CVE-2026-12567 — BBOT: Symlink-Following Arbitrary Write via github_workflows Module

Description

The `github_workflows` module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location.

How to fix CVE-2026-12567

To remediate CVE-2026-12567, upgrade the affected package to a fixed version below.

PyPI/bbot—upgrade to 2.8.5 or later

Is CVE-2026-12567 being exploited?

No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-12567.

Affected packages (1)

>= 2.0.0, < 2.8.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW2.2	CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:L/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2026-12567
PATCHgithub.com/blacklanternsecurity/bbot
WEBgithub.com/blacklanternsecurity/bbot/commit/16d9c42b6
WEBgithub.com/blacklanternsecurity/bbot/security/advisories/GHSA-rvp7-w75q-9fv2