Vendor
A command injection vulnerability, identified as CVE-2026-44590, exists in the `validate_modified_targets.yml` GitHub Actions workflow of sherlock-project/sherlock. A malicious pull request can trigger arbitrary command execution in the privileged CI context, allowing attackers to exfiltrate the GITHUB_TOKEN and auto-approve the malicious PR without human interaction, effectively leading to a supply chain compromise.