PT-2026-40973 · Coreshop+2 · Coreshop+1

Smiotani-Aeyesec

·

Published

2026-05-14

·

Updated

2026-06-08

·

CVE-2026-41249

CVSS v3.1

8.2

High

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions CoreShop versions 5.0.1 through 5.1.0-beta.1
Description The GitHub Actions workflow located at .github/workflows/static.yml uses the pull request target trigger and checks out unverified code from the pull request head using the variable ref: ${{ github.event.pull request.head.ref }}. The workflow then executes the bin/console script from this untrusted checkout. This configuration allows an external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner by submitting a malicious Pull Request, a scenario known as a Pwn Request. Because the process runs in the context of the base repository, the runner has access to repository secrets, which could be exfiltrated by an attacker.
Recommendations For versions 5.0.1 through 5.1.0-beta.1, avoid checking out untrusted PR code (head.ref) when using pull request target if the code is to be built or executed. As a mitigation, implement a separated architecture using the workflow run event: use the pull request event to run builds and tests in an unprivileged sandbox and upload artifacts, then use the workflow run event to download those artifacts and perform actions requiring secrets.

Exploit

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-41249
GHSA-Q58J-G3F4-H26H

Affected Products

Coreshop
Coreshop/Core-Shop