PT-2026-40973 · Coreshop+2 · Coreshop+1
Smiotani-Aeyesec
·
Published
2026-05-14
·
Updated
2026-06-08
·
CVE-2026-41249
CVSS v3.1
8.2
High
| Vector | AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
Name of the Vulnerable Software and Affected Versions
CoreShop versions 5.0.1 through 5.1.0-beta.1
Description
The GitHub Actions workflow located at
.github/workflows/static.yml uses the pull request target trigger and checks out unverified code from the pull request head using the variable ref: ${{ github.event.pull request.head.ref }}. The workflow then executes the bin/console script from this untrusted checkout. This configuration allows an external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner by submitting a malicious Pull Request, a scenario known as a Pwn Request. Because the process runs in the context of the base repository, the runner has access to repository secrets, which could be exfiltrated by an attacker.Recommendations
For versions 5.0.1 through 5.1.0-beta.1, avoid checking out untrusted PR code (
head.ref) when using pull request target if the code is to be built or executed.
As a mitigation, implement a separated architecture using the workflow run event: use the pull request event to run builds and tests in an unprivileged sandbox and upload artifacts, then use the workflow run event to download those artifacts and perform actions requiring secrets.Exploit
Fix
RCE
Code Injection
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Coreshop
Coreshop/Core-Shop