CVE-2026-8767 | vercel ai up to 3.0.97 PR Branch Name Interpolation prettier-on-automerge.yml run os command injection

May 17, 2026 Yanac

A vulnerability classified as critical has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection.

This vulnerability is documented as CVE-2026-8767. The attack can be initiated remotely. Additionally, an exploit exists.

The vendor was contacted early about this disclosure but did not respond in any way.VulDB Recent EntriesRead More