Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-27701

CVE-2026-27701: LiveCode GitHub Actions RCE Vulnerability

CVE-2026-27701 is a JavaScript injection flaw in LiveCode's GitHub Actions workflow that allows attackers to execute arbitrary code with CI bot privileges. This post covers technical details, affected versions, and mitigation steps.

Published:

CVE-2026-27701 Overview

CVE-2026-27701 is a JavaScript injection vulnerability in LiveCode, an open-source, client-side code playground. The vulnerability exists in the i18n-update-pull GitHub Actions workflow, where the title of a Pull Request associated with a triggering issue comment is interpolated directly into an actions/github-script JavaScript block using a GitHub Actions template expression. This allows an attacker to inject arbitrary JavaScript code by crafting a malicious PR title.

Critical Impact

Successful exploitation enables execution of arbitrary JavaScript with the privileges of the CI bot token (CI_APP_ID / CI_APP_PRIVATE_KEY), allowing exfiltration of repository secrets and unauthorized GitHub API operations.

Affected Products

  • LiveCode (prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11)

Discovery Timeline

  • 2026-02-25 - CVE-2026-27701 published to NVD
  • 2026-02-25 - Last updated in NVD database

Technical Details for CVE-2026-27701

Vulnerability Analysis

This vulnerability falls under CWE-94 (Improper Control of Generation of Code - Code Injection). The flaw stems from unsafe handling of user-controlled input within GitHub Actions workflows. When the i18n-update-pull workflow processes pull request events, it directly interpolates the PR title into executable JavaScript code without proper sanitization.

GitHub Actions workflows commonly use template expressions (e.g., ${{ github.event.pull_request.title }}) to access context data. When this user-controlled data is placed directly into actions/github-script blocks, it creates a code injection vector. An attacker can craft a PR title containing JavaScript code that breaks out of the intended string context and executes arbitrary operations.

The attack requires network access and some user interaction, as the attacker must open a pull request that triggers the vulnerable workflow. Once triggered, the injected code runs with full access to the CI bot's credentials and permissions, potentially compromising the entire repository's CI/CD pipeline security.

Root Cause

The root cause is improper input sanitization in the GitHub Actions workflow definition. The i18n-update-pull workflow directly embedded the PR title from github.event.pull_request.title into a JavaScript execution context without escaping or validating the input. This allowed attackers to inject code by including JavaScript syntax in their PR titles.

Attack Vector

The attack is conducted over the network by an unauthenticated attacker who opens a pull request with a specially crafted title. The malicious title contains JavaScript code designed to escape the string interpolation context and execute arbitrary commands. When a maintainer or automated process triggers the vulnerable workflow (such as commenting on the PR), the injected JavaScript executes within the actions/github-script action.

The injected code runs with the permissions of the GitHub Actions bot, which typically includes access to repository secrets such as CI_APP_ID and CI_APP_PRIVATE_KEY. This enables attackers to exfiltrate sensitive credentials, modify repository contents, create releases, or perform other privileged GitHub API operations.

Detection Methods for CVE-2026-27701

Indicators of Compromise

  • Pull requests with unusual titles containing JavaScript syntax, special characters, or escape sequences
  • Unexpected GitHub API calls originating from CI workflows
  • Unauthorized modifications to repository secrets or settings
  • Anomalous workflow run logs showing execution of unintended code

Detection Strategies

  • Review GitHub Actions workflow logs for unexpected actions/github-script output or behavior
  • Monitor for pull requests with titles containing suspicious patterns like backticks, template literals, or function calls
  • Audit GitHub audit logs for API operations not associated with legitimate development activities
  • Implement workflow analysis tools to detect unsafe template expression usage in CI/CD configurations

Monitoring Recommendations

  • Enable GitHub audit logging and monitor for anomalous repository operations
  • Set up alerts for new pull requests from unknown contributors
  • Implement branch protection rules requiring workflow approval for external contributors
  • Regularly audit GitHub Actions workflows for unsafe interpolation patterns

How to Mitigate CVE-2026-27701

Immediate Actions Required

  • Update LiveCode to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11 or later
  • Review recent pull requests for potential exploitation attempts
  • Rotate any secrets that may have been exposed, including CI_APP_ID and CI_APP_PRIVATE_KEY
  • Audit GitHub Actions workflow logs for suspicious activity

Patch Information

The vulnerability is fixed in commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11. Organizations using LiveCode should update to this commit or a later version that includes the fix. For detailed information about the fix, refer to the GitHub Commit Update and the GitHub Security Advisory GHSA-xh9w-5859-x97j.

Workarounds

  • Disable the i18n-update-pull workflow until the patch can be applied
  • Implement manual review requirements for all pull requests before workflow execution
  • Use environment-based secrets with restricted workflow permissions
  • Configure GitHub Actions to require approval for workflows triggered by external contributors

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne