CVE-2026-8767
vercel ai PR Branch Name Interpolation prettier-on-automerge.yml run os command injection
CVSS Score
5.0
EPSS Score
0.7%
EPSS Percentile
73th
A vulnerability has been found in vercel ai up to 3.0.97. Impacted is the function run of the file .github/workflows/prettier-on-automerge.yml of the component PR Branch Name Interpolation. The manipulation leads to os command injection. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
| CWE | CWE-78 CWE-77 |
| Vendor | vercel |
| Product | ai |
| Published | May 17, 2026 |
| Last Updated | May 18, 2026 |
Stay Ahead of the Next One
Get instant alerts for vercel ai
Be the first to know when new medium vulnerabilities affecting vercel ai are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality
Integrity
Availability
Affected Versions
vercel / ai
3.0.0 3.0.1 3.0.2 3.0.3 3.0.4 3.0.5 3.0.6 3.0.7 3.0.8 3.0.9 3.0.10 3.0.11 3.0.12 3.0.13 3.0.14 3.0.15 3.0.16 3.0.17 3.0.18 3.0.19 3.0.20 3.0.21 3.0.22 3.0.23 3.0.24 3.0.25 3.0.26 3.0.27 3.0.28 3.0.29 3.0.30 3.0.31 3.0.32 3.0.33 3.0.34 3.0.35 3.0.36 3.0.37 3.0.38 3.0.39 3.0.40 3.0.41 3.0.42 3.0.43 3.0.44 3.0.45 3.0.46 3.0.47 3.0.48 3.0.49 3.0.50 3.0.51 3.0.52 3.0.53 3.0.54 3.0.55 3.0.56 3.0.57 3.0.58 3.0.59 3.0.60 3.0.61 3.0.62 3.0.63 3.0.64 3.0.65 3.0.66 3.0.67 3.0.68 3.0.69 3.0.70 3.0.71 3.0.72 3.0.73 3.0.74 3.0.75 3.0.76 3.0.77 3.0.78 3.0.79 3.0.80 3.0.81 3.0.82 3.0.83 3.0.84 3.0.85 3.0.86 3.0.87 3.0.88 3.0.89 3.0.90 3.0.91 3.0.92 3.0.93 3.0.94 3.0.95 3.0.96 3.0.97
References
Credits
๐ Eric-d (VulDB User) VulDB CNA Team