Vulnerability in Nektos Act
CVE-2026-34041
act is a project that runs GitHub Actions workflows locally. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which were disabled due to environment injection risks…
EPSS: 0.000 (8.1th percentile)
Affected products
- Nektos Act — versions < 0.2.86
Weakness classification (CWE)
References
- https://github.com/nektos/act/security/advisories/GHSA-xmgr-9pqc-h5vw (x_refsource_CONFIRM)
- https://github.com/nektos/act/commit/0c739c8e39c41aa5a07665f732da9cab6df0097a (x_refsource_MISC)
- https://github.com/nektos/act/releases/tag/v0.2.86 (x_refsource_MISC)