From 4066006ec54a31931b9b1fddfd38f2fdf2d27143 Mon Sep 17 00:00:00 2001 From: Jonas Bushart Date: Sun, 14 Dec 2025 20:52:54 +0100 Subject: [PATCH] Update changelog --- CHANGELOG.md | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/CHANGELOG.md b/CHANGELOG.md index 04af258..85cbd28 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -7,6 +7,19 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0 ## [Unreleased] +## [1.1.2] - 2025-12-14 + +### Fixed + +* Fixed a command injection vulnerability via the `manifest-path` input parameter. + + The code was using GitHub action templates to inject the value directly into the shell command, which does not perform the necessary escaping. + For fixing the issue, the value is passed via an environment variable, which performs the proper escaping. + This is only an issue if the `manifest-path` parameter was set from some other untrusted source. + Using a static string to call the action is safe. + + Thanks to @mleblebici for reporting and fixing the issue. + ## [1.1.1] - 2024-10-01 ### Fixed
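Review bot: the wording "the value is passed via an environment variable, which performs the proper escaping" in the new "### Fixed" paragraph is misleading; an environment variable does not escape anything. The actual mitigation is that the value is no longer substituted into the shell script text by the `${{ inputs.manifest-path }}` template, so the shell parses it as data (provided the variable is expanded double-quoted, e.g. `"$MANIFEST_PATH"`) rather than as part of the command line. Suggest rewording to something like "the value is now passed through an environment variable and expanded quoted by the shell, so it is never interpolated into the command text." Two smaller points on the same hunk: the entry credits @mleblebici but links neither the fixing PR/commit nor an advisory, which readers auditing their pinned version will want, and if this changelog keeps comparison-link references for version headings at the bottom of the file (the visible context follows the Keep a Changelog / SemVer layout), this hunk adds no `[1.1.2]` link reference, so the new heading would render unlinked.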