What is GHSA-w8vj-qcv3-4w36?

GHSA-w8vj-qcv3-4w36 is a security advisory published by GitHub Security Advisories with High severity. OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability...

Which CVE IDs does GHSA-w8vj-qcv3-4w36 cover?

GHSA-w8vj-qcv3-4w36 covers the following CVE IDs: CVE-2026-25856. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-w8vj-qcv3-4w36?

GHSA-w8vj-qcv3-4w36 has a CVSS v3 base score of 8.8, published by GitHub Security Advisories.

GHSA-w8vj-qcv3-4w36HighCVSS 8.8

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability...

Vendor

GitHub Security Advisories

Published

June 8, 2026

Last Modified

June 8, 2026

🔗 CVE IDs covered (1)

CVE-2026-25856 →

📋 Description

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C# code on the server host by creating or modifying job configurations. Attackers can leverage the plain C# execution mode, which lacks reference filtering or API restrictions, to access the file system, spawn processes, and invoke arbitrary .NET APIs as the process user.

🔗 References (4)

https://nvd.nist.gov/vuln/detail/CVE-2026-25856
https://hackernoon.com/one-empty-header-to-admin-how-an-auth-bypass-breaks-openbullet2
https://www.vulncheck.com/advisories/openbullet2-authenticated-rce-via-job-configuration-interface
https://github.com/advisories/GHSA-w8vj-qcv3-4w36