CVE-2026-55441

EPSS -
Veröffentlicht 26.06.2026 16:48:23
Zuletzt bearbeitet 26.06.2026 19:16:44
Quelle security-advisories@github.com
CVE-Watchlists
Login
Unerledigt
Login

mise: Arbitrary command execution via task-include files in an untrusted, config-less repository

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files (mise.toml, .tool-versions) through trust_check, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (mise-tasks/, .mise/tasks/, …) but no config file, mise falls back to the default includes and renders each task's tera fields — and that tera environment has exec() registered. A {{ exec(command='…') }} in any rendered field runs arbitrary commands the moment the tasks are merely listed. There's no config file to gate on, so no trust prompt ever appears. Read-only commands trigger it: mise tasks, mise task ls, mise run, mise tasks --usage (the query shell completion runs on Tab). The victim only has to cd into a cloned repo and list or tab-complete a task. This vulnerability is fixed in 2026.6.4.

Betroffene Produkte Warnungen 0 Metriken 1 CWE 3 Referenzen 4

CNA 1 VulnDex Vulnerability Enrichment 1

Daten sind bereitgestellt durch das CVE Programm von einer CVE Numbering Authority (CNA) (Unstrukturiert).

Herstellerjdx

≫

Produkt mise

Version < 2026.6.4

Status affected

VulnDex Vulnerability Enrichment

Diese Information steht angemeldeten Benutzern zur Verfügung.

Zu dieser CVE wurde keine Warnung gefunden.

CVSS Metriken
Quelle	Base Score	Exploit Score	Impact Score	Vector String
security-advisories@github.com	8.6	1.8	6	CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

CWE-732 Incorrect Permission Assignment for Critical Resource

The product specifies permissions for a security-critical resource in a way that allows that resource to be read or modified by unintended actors.

CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

CWE-94 Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

https://github.com/jdx/mise/security/advisories/GHSA-77g9-363w-rccq

https://nvd.nist.gov/vuln/detail/CVE-2026-55441

CVE Source (NVD)

https://cveawg.mitre.org/api/cve/CVE-2026-55441

CVE Source (JSON)

https://euvd.enisa.europa.eu/vulnerability/CVE-2026-55441

EUVD

Team-orientierte Vulnerability Management Plattform

Features der Plattform

CVE-2026-55441