{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-23654", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "state": "PUBLISHED", "assignerShortName": "microsoft", "dateReserved": "2026-01-14T16:59:33.462Z", "datePublished": "2026-03-10T17:05:15.215Z", "dateUpdated": "2026-04-14T16:36:33.808Z"}, "containers": {"cna": {"title": "GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability", "datePublic": "2026-03-10T14:00:00.000Z", "cpeApplicability": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:microsoft:gihub_repo_zero_shot_scFoundation:*:*:*:*:*:*:*:*", "versionStartIncluding": "1.0.0", "versionEndExcluding": "0.1.1"}]}]}], "affected": [{"vendor": "Microsoft", "product": "GitHub Repo: Zero Shot scFoundation", "versions": [{"version": "1.0.0", "lessThan": "0.1.1", "versionType": "custom", "status": "affected"}]}], "descriptions": [{"value": "Dependency on vulnerable third-party component in GitHub Repo: zero-shot-scfoundation allows an unauthorized attacker to execute code over a network.", "lang": "en-US"}], "problemTypes": [{"descriptions": [{"description": "CWE-1395: Dependency on Vulnerable Third-Party Component", "lang": "en-US", "type": "CWE", "cweId": "CWE-1395"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:33.808Z"}, "references": [{"name": "GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23654"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en-US", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "baseSeverity": "HIGH", "baseScore": 8.8, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}}]}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T19:54:23.780093Z", "id": "CVE-2026-23654", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:54:35.402Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-23654", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T19:54:23.780093Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-10T19:54:27.774Z"}}], "cna": {"title": "GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability", "metrics": [{"format": "CVSS", "cvssV3_1": {"version": "3.1", "baseScore": 8.8, "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C"}, "scenarios": [{"lang": "en-US", "value": "GENERAL"}]}], "affected": [{"vendor": "Microsoft", "product": "GitHub Repo: Zero Shot scFoundation", "versions": [{"status": "affected", "version": "1.0.0", "lessThan": "0.1.1", "versionType": "custom"}]}], "datePublic": "2026-03-10T14:00:00.000Z", "references": [{"url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23654", "name": "GitHub: Zero Shot SCFoundation Remote Code Execution Vulnerability", "tags": ["vendor-advisory", "patch"]}], "descriptions": [{"lang": "en-US", "value": "Dependency on vulnerable third-party component in GitHub Repo: zero-shot-scfoundation allows an unauthorized attacker to execute code over a network."}], "problemTypes": [{"descriptions": [{"lang": "en-US", "type": "CWE", "cweId": "CWE-1395", "description": "CWE-1395: Dependency on Vulnerable Third-Party Component"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:gihub_repo_zero_shot_scFoundation:*:*:*:*:*:*:*:*", "vulnerable": true, "versionEndExcluding": "0.1.1", "versionStartIncluding": "1.0.0"}], "operator": "OR"}]}], "providerMetadata": {"orgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "shortName": "microsoft", "dateUpdated": "2026-04-14T16:36:33.808Z"}}}, "cveMetadata": {"cveId": "CVE-2026-23654", "state": "PUBLISHED", "dateUpdated": "2026-04-14T16:36:33.808Z", "dateReserved": "2026-01-14T16:59:33.462Z", "assignerOrgId": "f38d906d-7342-40ea-92c1-6c4a2c6478c8", "datePublished": "2026-03-10T17:05:15.215Z", "assignerShortName": "microsoft"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:microsoft:zero-shot-scfoundation:*:*:*:*:*:*:*:*", "matchCriteriaId": "0774CCE9-ADD0-4E77-B80F-96199E5D8B10", "versionEndExcluding": "0.1.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Dependency on vulnerable third-party component in GitHub Repo: zero-shot-scfoundation allows an unauthorized attacker to execute code over a network."}, {"lang": "es", "value": "Dependencia de un componente de terceros vulnerable en el repositorio de GitHub: zero-shot-scfoundation permite a un atacante no autorizado ejecutar c\u00f3digo a trav\u00e9s de una red."}], "id": "CVE-2026-23654", "lastModified": "2026-03-13T21:02:19.767", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "secure@microsoft.com", "type": "Primary"}]}, "published": "2026-03-10T18:18:13.743", "references": [{"source": "secure@microsoft.com", "tags": ["Vendor Advisory"], "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-23654"}], "sourceIdentifier": "secure@microsoft.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[1.0.0,0.1.1)"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "GitHub Repo: Zero Shot scFoundation", "source": "cna", "vendor": "Microsoft"}, "product": "gihub_repo_zero_shot_scfoundation", "vendor": "microsoft"}], "analysis": {"en": {"generated_at": "2026-03-16T23:17:10.986778+00:00", "value": {"mitigation_remediation": ["Apply the latest patch or update the GitHub repository to remove the vulnerable dependency.", "If an immediate patch is not available, isolate the repository or restrict network access to mitigate potential exploitation.", "Monitor system logs and network activity for signs of exploitation attempts."], "summary": {"action": "Immediate Patch", "impact": "Remote Code Execution"}, "threat_synthesis": {"affected_systems": "Affected systems are the Microsoft GitHub repository named \u2018zero\u2011shot\u2011scfoundation\u2019. No specific version information is provided, so all versions of the repository that depend on the vulnerable component are potentially impacted.", "description_and_impact": "A dependency on a vulnerable third\u2011party component within the GitHub repository \u2018zero\u2011shot\u2011scfoundation\u2019 allows an unauthorized attacker to execute code over the network. The primary impact is remote code execution, as identified by CWE\u20111395. The vulnerability could let an attacker run arbitrary code, compromising confidentiality, integrity, and availability of any systems that rely on this repository.", "risk_and_exploitability": "The CVSS base score is 8.8, indicating high severity. The EPSS score is less than 1%, suggesting a low probability of exploitation at the current time. The vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. The likely attack vector is network\u2011based, where an unauthorized attacker could exploit the dependency remotely. However, the exact method of execution is not detailed in the available data and is inferred from the description."}}}}, "created": "2026-03-11T11:45:28.917677+00:00", "updated": "2026-03-20T14:34:10.683939+00:00", "vendors": ["microsoft", "microsoft$PRODUCT$gihub_repo_zero_shot_scfoundation"]}