PT-2026-51640 · Mise · Mise

Published 2026-06-23 · Updated 2026-06-26 · CVE-2026-55441

CVSS v3.1: 8.6 High

Vector: AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions

mise versions prior to 2026.6.4

Description

A flaw in the trust mechanism allows arbitrary command execution when a directory contains task-include directories (such as mise-tasks/, .mise/tasks/, etc.) but lacks a configuration file. In this scenario, the software falls back to default includes and renders task fields using the Tera template engine, which has the exec() function registered. An attacker can place a {{ exec(command='...') }} sequence in any rendered field of a task file, which will execute automatically when the tasks are listed or accessed. This occurs without triggering a trust prompt because the loading path bypasses the trust check function. The issue can be triggered by read-only commands such as mise tasks, mise task ls, mise run, and mise tasks --usage, or via shell completion when pressing Tab.

Recommendations

Update mise to version 2026.6.4 or later.
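
A pre-flight check for a checked-out directory, based on the description above (added example, not code from mise or from this advisory): it lists task files whose template fields call exec() and records whether the directory lacks a config file. Directory names other than mise-tasks/ and .mise/tasks/, the config file names, and the sample task file are assumptions.

```python
import re
import tempfile
from pathlib import Path

# The first two directories are named in the advisory; the remaining ones and
# the config file names are assumptions about mise defaults, adjust as needed.
TASK_DIRS = ["mise-tasks", ".mise/tasks", ".mise-tasks", "mise/tasks",
             ".config/mise/tasks"]
CONFIG_FILES = ["mise.toml", ".mise.toml", ".config/mise.toml",
                ".mise/config.toml", ".config/mise/config.toml"]

# exec( inside a Tera expression {{ ... }} or statement {% ... %}
TERA_EXEC = re.compile(r"\{[{%][^}]*?\bexec\s*\(")


def audit(root):
    """List exec() template calls in task files under an unreviewed directory."""
    root = Path(root)
    no_config = not any((root / c).is_file() for c in CONFIG_FILES)
    findings = []
    for d in TASK_DIRS:
        if not (root / d).is_dir():
            continue
        for path in sorted(p for p in (root / d).rglob("*") if p.is_file()):
            text = path.read_text(errors="replace")
            for m in TERA_EXEC.finditer(text):
                findings.append({
                    "file": path.relative_to(root).as_posix(),
                    "line": text.count("\n", 0, m.start()) + 1,
                    # True = the no-config fallback path from the advisory
                    "no_config_fallback": no_config,
                })
    return findings


def demo():
    """Run audit() on a constructed directory: task dir present, no config."""
    with tempfile.TemporaryDirectory() as tmp:
        tasks = Path(tmp) / "mise-tasks"
        tasks.mkdir()
        (tasks / "build").write_text(  # constructed sample, harmless command
            "#!/usr/bin/env bash\n"
            "#MISE description=\"{{ exec(command='echo constructed') }}\"\n"
            "echo build\n")
        (tasks / "lint").write_text("#!/usr/bin/env bash\necho lint\n")
        return audit(tmp)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run audit() on a cloned repository before invoking mise or pressing Tab inside it; any finding with no_config_fallback set to True matches the condition described in this advisory.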

Fix

Weakness Enumeration

Incorrect Permission
Code Injection
OS Command Injection

Related Identifiers

CVE-2026-55441
GHSA-77G9-363W-RCCQ

Affected Products

Mise