CVE-2026-41249

Published: Jun 4, 2026Modified: Jun 5, 2026Deferred

8.2

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Exploitability: 3.9 / Impact: 4.2

Source: security-advisories@github.com (Secondary)

Description

CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of time of publication, `pull_request_target` is still in the file.

Related CWEs

CWE-94

Improper Control of Generation of Code ('Code Injection')

The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

References (3)

https://github.com/coreshop/CoreShop/blob/5.1.0-beta.1/.github/workflows/static.yml#L14

Source: security-advisories@github.com

https://github.com/coreshop/CoreShop/commit/cc1e3f547228ec5ebfc1dc0472f9a3cc5f4137a4

Source: security-advisories@github.com

https://github.com/coreshop/CoreShop/security/advisories/GHSA-q58j-g3f4-h26h

Source: security-advisories@github.com

Timeline

No history available yet.