diff --git a/.github/workflows/automerge-for-humans-merging.yml b/.github/workflows/automerge-for-humans-merging.yml
index 482c83d7..c85d9baa 100644
--- a/.github/workflows/automerge-for-humans-merging.yml
+++ b/.github/workflows/automerge-for-humans-merging.yml
@@ -77,13 +77,30 @@ jobs:
 return ''; }
+ // Sanitize author data to prevent injection in commit messages
+ function sanitizeCommitField(field) {
+ if (!field) return '';
+ // Remove newlines, control characters, and limit length
+ return String(field)
+ .replace(/[\r\n]/g, ' ')
+ .replace(/[\x00-\x1F\x7F]/g, '')
+ .substring(0, 100)
+ .trim();
+ }
+ // Create a string of the form "Co-authored-by: Name " // ref: https://docs.github.com/en/pull-requests/committing-changes-to-your-project/creating-and-editing-commits/creating-a-commit-with-multiple-authors const coAuthors = Object.values(authors).map(author => {
- return `Co-authored-by: ${author.name} <${author.email}>`;
- }).join('\n');
+ const name = sanitizeCommitField(author.name);
+ const email = sanitizeCommitField(author.email);
+ // Validate email format (basic check)
+ const emailRegex = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
+ const safeEmail = emailRegex.test(email) ? email : '';
+ if (!name || !safeEmail) return '';
+ return `Co-authored-by: ${name} <${safeEmail}>`;
+ }).filter(line => line !== '').join('\n');
- core.debug(coAuthors);;
+ core.debug(coAuthors);
 return coAuthors;
diff --git a/.github/workflows/issues-prs-notifications.yml b/.github/workflows/issues-prs-notifications.yml
index ce136286..3e4fbdcb 100644
--- a/.github/workflows/issues-prs-notifications.yml
+++ b/.github/workflows/issues-prs-notifications.yml
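Review bot: sanitizeCommitField does not strip `<` or `>`, and the email regex's `[^\s@]` class admits them as well, so a display name or address containing angle brackets still reaches the trailer and something like `Co-authored-by: A <b> <a@b.c>` can be emitted, which is unlikely to be attributed as intended. Adding `.replace(/[<>]/g, '')` to the chain right after the control-character replace covers both fields in one place. The `emailRegex` literal is also rebuilt on every map iteration; hoisting it next to sanitizeCommitField keeps the callback to the two sanitize calls and the check. The github-script block that defines `authors` starts before this hunk, so the type of `author.name`/`author.email` cannot be confirmed here — `String(field)` on a non-string would yield text like `[object Object]`, which the regex would then reject for email but accept for name.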
@@ -43,14 +43,31 @@ jobs:
 name: Notify slack on every new pull request
 runs-on: ubuntu-latest
 steps:
+ - name: Sanitize PR data
+ id: sanitize
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const titleRaw = context.payload.pull_request?.title ?? '';
+ const bodyRaw = context.payload.pull_request?.body ?? '';
+
+ const sanitize = (v, maxLen) =>
+ String(v)
+ .replace(/[\r\n]/g, ' ')
+ .replace(/[\x00-\x1F\x7F]/g, '')
+ .slice(0, maxLen)
+ .trim();
+
+ core.setOutput('title', sanitize(titleRaw, 200));
+ core.setOutput('body', sanitize(bodyRaw, 1000));
 - name: Convert markdown to slack markdown for pull request
 # This workflow is from our own org repo and safe to reference by 'master'.
 uses: asyncapi/.github/.github/actions/slackify-markdown@master # //NOSONAR
 id: prmarkdown
 env:
- PR_TITLE: ${{github.event.pull_request.title}}
- PR_URL: ${{github.event.pull_request.html_url}}
- PR_BODY: ${{github.event.pull_request.body}}
+ PR_TITLE: ${{ steps.sanitize.outputs.title }}
+ PR_URL: ${{ github.event.pull_request.html_url }}
+ PR_BODY: ${{ steps.sanitize.outputs.body }}
 with:
 markdown: "[${{ env.PR_TITLE }}](${{ env.PR_URL }}) \n ${{ env.PR_BODY }}"
 - name: Send info about pull request
diff --git a/.github/workflows/notify-tsc-members-mention.yml b/.github/workflows/notify-tsc-members-mention.yml
index ffa39bbc..1eea4440 100644
--- a/.github/workflows/notify-tsc-members-mention.yml
+++ b/.github/workflows/notify-tsc-members-mention.yml
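Review bot: The sanitize step removes newlines and control characters but leaves markdown link delimiters untouched, so a title containing `]` and `(` can still change the text or target of the link that the line `markdown: "[${{ env.PR_TITLE }}](${{ env.PR_URL }}) \n ${{ env.PR_BODY }}"` builds; the same gap applies to the `markdown:` line in the second hunk of notify-tsc-members-mention.yml, which consumes the same outputs. An extra step in `sanitize`, `.replace(/[\[\]()]/g, '\\$&')`, would escape those characters, provided the slackify-markdown action honours backslash escapes — that cannot be confirmed from this diff, so check it before relying on it. The helper is duplicated verbatim in notify-tsc-members-mention.yml; moving it into the org's shared actions alongside slackify-markdown would keep the two copies from drifting. A one-line comment above the step, such as `# Strip newlines/control chars and cap length before the values are interpolated into markdown`, would also document why the step exists.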
@@ -80,6 +80,25 @@ jobs:
 steps:
 - name: Checkout repository
 uses: actions/checkout@v4
+ with:
+ ref: ${{ github.event.pull_request.base.ref }}
+ - name: Sanitize PR data
+ id: sanitize
+ uses: actions/github-script@v7
+ with:
+ script: |
+ const titleRaw = context.payload.pull_request?.title ?? '';
+ const bodyRaw = context.payload.pull_request?.body ?? '';
+
+ const sanitize = (v, maxLen) =>
+ String(v)
+ .replace(/[\r\n]/g, ' ')
+ .replace(/[\x00-\x1F\x7F]/g, '')
+ .slice(0, maxLen)
+ .trim();
+
+ core.setOutput('title', sanitize(titleRaw, 200));
+ core.setOutput('body', sanitize(bodyRaw, 1000));
 - name: Setup Node.js
 uses: actions/setup-node@v4
 with:
@@ -94,7 +113,7 @@ jobs:
 uses: asyncapi/.github/.github/actions/slackify-markdown@master # //NOSONAR
 id: prmarkdown
 with:
- markdown: "[${{github.event.pull_request.title}}](${{github.event.pull_request.html_url}}) \n ${{github.event.pull_request.body}}"
+ markdown: "[${{ steps.sanitize.outputs.title }}](${{ github.event.pull_request.html_url }}) \n ${{ steps.sanitize.outputs.body }}"
 - name: Send info about pull request
 uses: rtCamp/action-slack-notify@c33737706dea87cd7784c687dadc9adf1be59990 # Using v2.3.2
 env:
@@ -114,7 +133,7 @@ jobs:
 CALENDAR_ID: ${{ secrets.CALENDAR_ID }}
 CALENDAR_SERVICE_ACCOUNT: ${{ secrets.CALENDAR_SERVICE_ACCOUNT }}
 MAILCHIMP_API_KEY: ${{ secrets.MAILCHIMP_API_KEY }}
- TITLE: ${{ github.event.pull_request.title }}
+ TITLE: ${{ steps.sanitize.outputs.title }}
 with:
 script: |
 const sendEmail = require('./.github/workflows/scripts/mailchimp/index.js');
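Review bot: The new `ref: ${{ github.event.pull_request.base.ref }}` on the checkout step carries no comment saying why the base branch is pinned explicitly, and that reason matters here: the third hunk shows a later step doing `require('./.github/workflows/scripts/mailchimp/index.js')` from this checkout with `MAILCHIMP_API_KEY` and the calendar secrets in its `env:`, so only repository-controlled code may be loaded there. A comment above `with:`, such as `# Check out the base branch rather than the PR head: the mailchimp script below is loaded from this checkout while secrets are in scope`, would keep the next maintainer from "simplifying" it away. Whether this workflow is triggered by pull_request_target cannot be told from the hunk, so confirm the trigger before wording the comment. The sanitize step is the same helper added to issues-prs-notifications.yml; the note there on markdown link delimiters applies to its consumer in the second hunk of this file as well.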