CVE-2026-55448
CVSS v3.1 base score: 6.3
- EPSS -
- Published 2026-06-26 16:46:17
- Last modified 2026-06-26 18:17:01
- Source security-advisories@github.com
mise: Local credential_command executes untrusted config
mise manages dev tools like node, python, cmake, and terraform. In versions from 2026.3.15 up to but not including 2026.6.4, mise loads github.credential_command from the local project config before any trust decision is made, and then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can therefore execute arbitrary shell commands when the victim runs a GitHub-related mise command while no higher-priority GitHub token environment variable is set. The issue is fixed in 2026.6.4.
Data provided by the CVE Program via a CVE Numbering Authority (CNA) (unstructured).
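The ordering bug described above, modelled in plain Python as an added example for this page (this is not mise's own code). It shows the two things the advisory turns on: the project-local config value reaches a `sh -c` sink before any "is this config file trusted?" decision, and only a higher-priority token environment variable short-circuits that path. The environment variable names, the `[github] credential_command = ...` TOML layout, the function names and the embedded `.mise.toml` are all assumptions made for the illustration; the advisory itself names none of them. Requires Python 3.11 (`tomllib`) or the `tomli` backport.

```python
"""Model of CVE-2026-55448's ordering bug (added illustration, not mise code).

The vulnerable resolver reads github.credential_command from the project's
.mise.toml and runs it through `sh -c` without first asking whether that file
is trusted.  The fixed resolver consults the trust decision before it will even
look at an executable config value.  Both prefer a token from the environment.
"""

import subprocess
from typing import Callable, Mapping, Optional

try:
    import tomllib                      # Python 3.11+
except ModuleNotFoundError:             # pragma: no cover
    import tomli as tomllib             # type: ignore  (backport)

# Assumed precedence list: the advisory only says "higher-priority GitHub token
# environment variable" and does not name the variables.
TOKEN_ENV_VARS = ("MISE_GITHUB_TOKEN", "GITHUB_TOKEN")

# Constructed attacker-controlled .mise.toml as it would sit in a cloned repo.
# The command is deliberately harmless here; in the real case it is arbitrary.
MALICIOUS_PROJECT_CONFIG = """
[github]
credential_command = "echo pwned"
"""

Runner = Callable[[str], str]


def sh_runner(command: str) -> str:
    """The sink the advisory describes: the raw config string goes to sh -c."""
    completed = subprocess.run(
        ["sh", "-c", command], capture_output=True, text=True, check=True
    )
    return completed.stdout.strip()


class RecordingRunner:
    """Test double: records what *would* be executed instead of running it."""

    def __init__(self) -> None:
        self.commands: list[str] = []

    def __call__(self, command: str) -> str:
        self.commands.append(command)
        return f"output-of:{command}"


def credential_command_from(config_text: str) -> Optional[str]:
    """Extract github.credential_command from a .mise.toml body, if present."""
    table = tomllib.loads(config_text).get("github", {})
    return table.get("credential_command")


def token_from_env(env: Mapping[str, str]) -> Optional[str]:
    """First non-empty token variable wins; nothing from config is consulted."""
    for name in TOKEN_ENV_VARS:
        if env.get(name):
            return env[name]
    return None


def resolve_token_vulnerable(config_text: str, env: Mapping[str, str],
                             runner: Runner = sh_runner) -> Optional[str]:
    """Affected behaviour: the config value is executed before any trust check."""
    token = token_from_env(env)
    if token:
        return token                    # env var set: the config path is never reached
    command = credential_command_from(config_text)
    if command is None:
        return None
    return runner(command)              # attacker's string runs, trusted or not


def resolve_token_fixed(config_text: str, env: Mapping[str, str],
                        config_is_trusted: bool,
                        runner: Runner = sh_runner) -> Optional[str]:
    """Corrected ordering: the trust decision gates every executable config value."""
    token = token_from_env(env)
    if token:
        return token
    if not config_is_trusted:
        return None                     # untrusted project config contributes nothing executable
    command = credential_command_from(config_text)
    if command is None:
        return None
    return runner(command)


if __name__ == "__main__":
    # Live demo against a real shell; the embedded command only echoes.
    print("vulnerable, untrusted repo:",
          resolve_token_vulnerable(MALICIOUS_PROJECT_CONFIG, {}))
    print("fixed, untrusted repo:",
          resolve_token_fixed(MALICIOUS_PROJECT_CONFIG, {}, False))
    print("fixed, env token present:",
          resolve_token_fixed(MALICIOUS_PROJECT_CONFIG,
                              {"MISE_GITHUB_TOKEN": "ghp_from_env"}, False))
```

The `RecordingRunner` is the practical check: pointing either resolver at it shows whether a given `.mise.toml` would reach the shell at all. Two consequences follow from the model and match the advisory text: an environment token (whatever the real variable names are) neutralises the path regardless of version, and only upgrading to 2026.6.4 makes an untrusted checkout safe when no such token is set. Until then, inspect `.mise.toml` for `credential_command` before running any GitHub-related mise command in a freshly cloned repository.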
Vendor: jdx
Product: mise
Version: < 2026.6.4
Status: affected
VulnDex Vulnerability Enrichment
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| security-advisories@github.com | 6.3 | 1.0 | 5.2 | CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N |
CWE-78 Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
https://github.com/jdx/mise/security/advisories/GHSA-29hf-rm4x-xxph