Vulnerability Description
xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main branch. However, the attacker used the compromised GitHub App credentials to move the mutable v5 tag to point at the malicious commit (4bf1d4e19ad81a3e8d4063755ae0f482dd3baf12) from one of the unmerged PRs. This commit remained in the repository's git object store, and any workflow referencing @v5 would fetch and execute it. This is a supply chain compromise via tag poisoning. Any GitHub Actions workflow referencing xygeni/xygeni-action@v5 during the affected window (approximately March 3–10, 2026) executed a C2 implant that granted the attacker arbitrary command execution on the CI runner for up to 180 seconds per workflow run.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Xygeni | Xygeni-Action | >= 5.38.0, <= 6.4.0 |
Related Weaknesses (CWE)
References
- https://github.com/xygeni/xygeni-action/issues/54Issue Tracking
- https://github.com/xygeni/xygeni-action/security/advisories/GHSA-f8q5-h5qh-33mhVendor AdvisoryPatch
FAQ
What is CVE-2026-31976?
CVE-2026-31976 is a vulnerability with a CVSS score of 9.8 (CRITICAL). xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests (#46, #47, #48) injecting obfuscated shell...
How severe is CVE-2026-31976?
CVE-2026-31976 has been rated CRITICAL with a CVSS base score of 9.8/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-31976?
Check the references section above for vendor advisories and patch information. Affected products include: Xygeni Xygeni-Action.