CVE Vulnerability Details :
CVE-2026-7725
PUBLISHED
Assigner-VulDB
Assigner Org ID-1af790b2-7ee1-4545-860a-a788eba489b5
Published At-04 May, 2026 | 03:00
Updated At-05 May, 2026 | 19:08
Rejected At-
▼CVE Numbering Authority (CNA)
PrefectHQ prefect GitRepository Pull storage.py argument injection

A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. Upgrading to version 3.6.25.dev7 can resolve this issue. The patch is identified as 6a9d9918716ce4ee0297b69f3046f7067ef1faae. It is advisable to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Affected Products
Vendor
PrefectHQ
Product
prefect
CPEs
  • cpe:2.3:a:prefect:prefect:*:*:*:*:*:*:*:*
Modules
  • GitRepository Pull Handler
Versions
Affected
  • 3.6.25.dev6
Unaffected
  • 3.6.25.dev7
Problem Types
Type: CWE
CWE ID: CWE-88
Description: Argument Injection
Type: CWE
CWE ID: CWE-74
Description: Injection
Metrics
Version: 4.0
Base score: 5.3
Base severity: MEDIUM
Vector:
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P
Version: 3.1
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Version: 3.0
Base score: 6.3
Base severity: MEDIUM
Vector:
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C
Version: 2.0
Base score: 6.5
Base severity: N/A
Vector:
AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C
Credits

Reporter: nedlir (VulDB User)
Coordinator: VulDB CNA Team
Timeline
Event: Advisory disclosed
Date: 2026-05-03 00:00:00
Event: VulDB entry created
Date: 2026-05-03 02:00:00
Event: VulDB entry last update
Date: 2026-05-04 23:22:35
References
Hyperlink: https://vuldb.com/vuln/360901
Resource:
vdb-entry
technical-description
Hyperlink: https://vuldb.com/vuln/360901/cti
Resource:
signature
permissions-required
Hyperlink: https://vuldb.com/submit/807356
Resource:
third-party-advisory
Hyperlink: https://gist.github.com/nedlir/c37d90dda5f715790eafc970b2ef0c8a
Resource:
exploit
Hyperlink: https://github.com/PrefectHQ/prefect/pull/21384
Resource:
issue-tracking
patch
Hyperlink: https://github.com/PrefectHQ/prefect/commit/6a9d9918716ce4ee0297b69f3046f7067ef1faae
Resource:
patch
Hyperlink: https://github.com/PrefectHQ/prefect/releases/tag/3.6.25.dev7
Resource:
patch
Hyperlink: https://github.com/PrefectHQ/prefect/
Resource:
product
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
References
Hyperlink: https://vuldb.com/submit/807356
Resource:
exploit