PT-2026-28615 · Github · Github Actions

Choseogyeong · Published 2026-03-29 · Updated 2026-03-31 · CVE-2026-34243

CVSS v3.1 9.8 Critical
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: njzjz/wenxian (affected versions not specified)
Description: A command injection flaw exists in a GitHub Actions workflow because untrusted user input from an issue comment body is interpolated directly into a shell command. The workflow is triggered by issue comments, which external users can control. The vulnerable step expands the value of github.event.comment.body directly into a shell command without sanitization, creating a command injection risk. Specifically, the following command is vulnerable: echo identifiers=$(echo "${{ github.event.comment.body }}" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs) >> $GITHUB_OUTPUT. The extracted value is also reused in another step, potentially propagating unsafe content. A proof of concept demonstrates that an attacker can inject arbitrary shell commands via issue comments, for example with the payload @njzjz-bot paper123" ) ; whoami ; #. Successful injection allows execution of arbitrary commands on the GitHub Actions runner, potentially leading to access to the GITHUB_TOKEN, exfiltration of repository data, and compromise of the CI/CD pipeline.
Recommendations: Avoid directly interpolating untrusted user input into shell commands. Instead, pass github.event.comment.body to the step through an environment variable and reference that variable within the script.
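The following workflow is an added example, not the njzjz/wenxian project's own workflow file. It reproduces the pattern the advisory describes: the vulnerable run line from the description is kept as a comment, and beneath it the same extraction is done with the comment body passed through an environment variable, as the recommendation asks. The workflow name, job name, step names, the permissions block and the downstream "Use identifiers" step are assumptions; only the grep/head/cut/xargs pipeline comes from the advisory.

```yaml
# Added example (not the njzjz/wenxian project's workflow): the advisory's
# vulnerable step shown as a comment, with the environment-variable form below it.
# Workflow, job and step names are assumed.
name: bot-command
on:
  issue_comment:
    types: [created]

# Least privilege: a token limited to reading the repository bounds what a
# compromised step could do with GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  handle-comment:
    # Expression context, not a shell, so gating on the trigger phrase here is safe.
    if: contains(github.event.comment.body, '@njzjz-bot')
    runs-on: ubuntu-latest
    steps:
      - name: Extract identifiers
        id: extract
        # VULNERABLE (the line from the advisory): ${{ }} is substituted into the
        # script text before bash parses it, so a quote, ')' or ';' in the comment
        # becomes shell syntax:
        #   run: echo identifiers=$(echo "${{ github.event.comment.body }}" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs) >> $GITHUB_OUTPUT
        #
        # FIXED: the expression is evaluated into an environment variable. bash only
        # ever sees the literal text "$COMMENT_BODY"; the comment is expanded as data
        # at runtime and is never re-parsed as code.
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          identifiers=$(printf '%s\n' "$COMMENT_BODY" | grep -oE '@njzjz-bot .*' | head -n1 | cut -c12- | xargs)
          # head -n1 and xargs leave a single whitespace-normalised line, so the
          # value cannot carry a newline that would add extra key=value pairs to
          # $GITHUB_OUTPUT. Quote the redirection target as well.
          echo "identifiers=$identifiers" >> "$GITHUB_OUTPUT"

      - name: Use identifiers
        # The advisory notes the extracted value is reused in another step; the same
        # rule applies there. Do not place ${{ steps.extract.outputs.identifiers }}
        # inside run:, hand it over as an environment variable too.
        env:
          IDENTIFIERS: ${{ steps.extract.outputs.identifiers }}
        run: |
          # Placeholder (assumed) for the project's own processing of the identifiers.
          echo "Processing identifiers: $IDENTIFIERS"
```

Two caveats when adopting this. First, xargs itself interprets quotes and backslashes, so a comment containing an unbalanced quote makes xargs exit non-zero and, under the runner's default bash -e, the step fails rather than running anything; that is fail-closed behaviour, but a plain whitespace normalisation such as tr -s ' ' avoids the surprise. Second, the environment-variable form only protects the shell boundary: if the extracted identifiers are later passed to another interpreter or a tool that evaluates its arguments, validate them against the format the project expects (for example an allow-list regex for paper identifiers) before use.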

Exploit · Fix · RCE · OS Command Injection · Command Injection

Weakness Enumeration

Related Identifiers

CVE-2026-34243
GHSA-R4FJ-R33X-8V88

Affected Products

Github Actions
Njzjz/Wenxian