CSIRTS // UNIFIED SECURITY ADVISORY FEEDSYS ● ONLINE · POWERED BY INTELFUSIONS.COM

CVE-2026-14967

lowCVSS 3.1covered by 1 sourcefirst seen 2026-07-08
BBOT's github_workflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODE_REPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the output location and its target is determined by the operator's configuration, not the attacker.

⚡ Watch CVE-2026-14967

Get an email if CVE-2026-14967 is added to CISA KEV, gains public exploit code, or a new advisory cites it — max one per day, one-click unsubscribe.

Exploitation outlook

Advisory coverage (1)

External references

NVD record for CVE-2026-14967

CVE.org record

Embed the live status

CVE-2026-14967 live status badge — this badge updates automatically when the KEV or exploit status changes. How to embed it →

[![CVE-2026-14967 status](https://www.csirts.com/badge/CVE-2026-14967)](https://www.csirts.com/cve/CVE-2026-14967)