PT-2026-35057 · Skim · Skim

Published: 2026-04-24 · Updated: 2026-04-25 · CVE-2026-41414

CVSS v3.1: 7.4 High (AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N)
Name of the Vulnerable Software and Affected Versions: Skim (affected versions not specified)

Description: The generate-files job in the '.github/workflows/pr.yml' workflow checks out code from an attacker-controlled fork and executes it via the cargo run command. Because the job runs with access to the SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write) secrets, the fork's code runs with those secrets available to it. Any GitHub user can trigger the job by opening a pull request from a fork, as the workflow has no approval, label or permission gate to prevent exploitation.

Recommendations: Apply the fix provided in commit bf63404ad51985b00ed304690ba9d477860a5a75.
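The pattern described above (a job that checks out the pull request head from a fork and executes it while repository secrets are in scope) is what a repository owner should audit every workflow for. The following is an added example, not Skim's code and not its pr.yml: a small line-based scanner that flags a job which hands actions/checkout a github.event.pull_request.head.* ref and then runs a command, run against three constructed workflow samples. The advisory does not state which trigger Skim's workflow used; pull_request_target is assumed here because it is the usual way a fork's pull request reaches repository secrets. All function names, sample workflows and the secret name EXAMPLE_BOT_PRIVATE_KEY are constructed for this example.

```python
"""Heuristic checker for the pattern in the advisory above: a workflow
triggered by pull_request_target that checks out the pull request head and
then runs code from it while repository secrets are in scope.

Added example; not Skim's tooling or a reproduction of its pr.yml.  Parsing is
line-based (no PyYAML dependency), so treat it as a triage heuristic for
auditing .github/workflows, not as a full YAML parser."""
import re
from dataclasses import dataclass

# A checkout ref pointing at the PR head pulls fork-controlled code into the
# privileged job; either .sha or .ref does it.
PR_HEAD_RE = re.compile(r"github\.event\.pull_request\.head\.(?:sha|ref)")
TRIGGER_RE = re.compile(r"^on:\s*(.*)$")


@dataclass
class Finding:
    job: str           # job that executes fork-controlled code
    checkout_ref: str  # ref expression handed to actions/checkout
    run_step: str      # first command that runs after that checkout


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _block(lines, start):
    """Index range of the lines nested under lines[start] (deeper indent)."""
    base = _indent(lines[start])
    end = start + 1
    while end < len(lines) and (not lines[end].strip() or _indent(lines[end]) > base):
        end += 1
    return start + 1, end


def triggers(lines):
    """Trigger names under the top-level 'on:' key (inline or block form)."""
    names = set()
    for i, line in enumerate(lines):
        m = TRIGGER_RE.match(line)
        if not m:
            continue
        inline = m.group(1).strip()
        if inline:
            names.update(t for t in re.split(r"[\[\],\s]+", inline) if t)
            continue
        lo, hi = _block(lines, i)
        child = min((_indent(l) for l in lines[lo:hi] if l.strip()), default=0)
        for l in lines[lo:hi]:
            if l.strip() and _indent(l) == child:
                names.add(l.strip().lstrip("- ").split(":")[0])
    return names


def steps(job_lines):
    """Text of each '- ' item under the job's 'steps:' key."""
    for i, line in enumerate(job_lines):
        if line.strip() != "steps:":
            continue
        lo, hi = _block(job_lines, i)
        body = [x for x in job_lines[lo:hi] if x.strip()]
        item_indent = min((_indent(x) for x in body), default=0)
        items, cur = [], []
        for x in body:
            if _indent(x) == item_indent and x.lstrip().startswith("- "):
                if cur:
                    items.append("\n".join(cur))
                cur = [x]
            else:
                cur.append(x)
        if cur:
            items.append("\n".join(cur))
        return items
    return []


def jobs(lines):
    """Yield (job_name, step_items) for each job under the top-level 'jobs:' key."""
    for i, line in enumerate(lines):
        if line.rstrip() != "jobs:":
            continue
        lo, hi = _block(lines, i)
        job_indent = min((_indent(l) for l in lines[lo:hi] if l.strip()), default=0)
        j = lo
        while j < hi:
            if lines[j].strip() and _indent(lines[j]) == job_indent:
                jlo, jhi = _block(lines, j)
                yield lines[j].strip().rstrip(":"), steps(lines[jlo:jhi])
                j = jhi
            else:
                j += 1


def _run_command(item):
    m = re.search(r"run:\s*(.*)", item)
    if not m:
        return None
    cmd = m.group(1).strip()
    if cmd.startswith(("|", ">")):  # block scalar: report the script's first line
        rest = item[m.end():].strip().splitlines()
        cmd = rest[0].strip() if rest else ""
    return cmd


def find_pwn_requests(workflow_text):
    """One Finding per job that checks out the PR head and then runs a command,
    in a workflow triggered by pull_request_target."""
    lines = workflow_text.splitlines()
    if "pull_request_target" not in triggers(lines):
        return []
    findings = []
    for job, items in jobs(lines):
        unsafe_ref = None
        for item in items:
            if "actions/checkout@" in item:
                m = re.search(r"ref:\s*(\S.*)", item)
                if m and PR_HEAD_RE.search(m.group(1)):
                    unsafe_ref = m.group(1).strip()
                continue
            cmd = _run_command(item)
            if unsafe_ref and cmd is not None:
                findings.append(Finding(job, unsafe_ref, cmd))
                break
    return findings


# Constructed samples, not the real pr.yml; the secret name is a placeholder.
VULNERABLE = """\
name: PR
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - name: Generate files   # executes whatever the fork's build.rs/main.rs contain
        run: cargo run
        env:
          BOT_KEY: ${{ secrets.EXAMPLE_BOT_PRIVATE_KEY }}
"""

# Same job under plain pull_request: fork PRs get no repository secrets and a
# read-only GITHUB_TOKEN, so running the fork's code is contained.
HARDENED = """\
name: PR
on:
  pull_request:
jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo run
"""

# pull_request_target is acceptable when the job never checks out the PR head:
# without a ref override, actions/checkout fetches the base branch.
BASE_ONLY = """\
name: PR
on: [pull_request_target]
jobs:
  label:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: cargo run
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE), ("hardened", HARDENED), ("base-only", BASE_ONLY)):
        print(label, find_pwn_requests(text))
```

The scanner deliberately does not flag pull_request_target on its own: the trigger is legitimate for jobs that only label or comment on a PR and never execute its contents. What it flags is the combination the advisory describes, a checkout of the PR head followed by a run step in the same privileged job. Jobs that must both build fork code and write back to the repository should do the untrusted build under pull_request and hand results to a separate privileged workflow, rather than run the fork's code where the bot key lives.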

Fix: commit bf63404ad51985b00ed304690ba9d477860a5a75

Weakness Enumeration: Code Injection

Related Identifiers: CVE-2026-41414

Affected Products: Skim