CVE-2026-41249 (GCVE-0-2026-41249)
Vulnerability from cvelistv5 – Published: 2026-06-04 19:26 – Updated: 2026-06-04 19:26
VLAI
Title
CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration
Summary
CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of time of publication, `pull_request_target` is still in the file.
Severity
8.2 (High)
CWE
- CWE-94 - Improper Control of Generation of Code ('Code Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/coreshop/CoreShop/security/adv… | x_refsource_CONFIRM |
| https://github.com/coreshop/CoreShop/commit/cc1e3… | x_refsource_MISC |
| https://github.com/coreshop/CoreShop/blob/5.1.0-b… | x_refsource_MISC |
Impacted products
{
"containers": {
"cna": {
"affected": [
{
"product": "CoreShop",
"vendor": "coreshop",
"versions": [
{
"status": "affected",
"version": "\u003e= 5.0.1, \u003c= 5.1.0-beta.1"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a \"Pwn Request\" vulnerability. As of time of publication, `pull_request_target` is still in the file."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "CWE-94: Improper Control of Generation of Code (\u0027Code Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-06-04T19:26:46.043Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-q58j-g3f4-h26h",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-q58j-g3f4-h26h"
},
{
"name": "https://github.com/coreshop/CoreShop/commit/cc1e3f547228ec5ebfc1dc0472f9a3cc5f4137a4",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coreshop/CoreShop/commit/cc1e3f547228ec5ebfc1dc0472f9a3cc5f4137a4"
},
{
"name": "https://github.com/coreshop/CoreShop/blob/5.1.0-beta.1/.github/workflows/static.yml#L14",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/coreshop/CoreShop/blob/5.1.0-beta.1/.github/workflows/static.yml#L14"
}
],
"source": {
"advisory": "GHSA-q58j-g3f4-h26h",
"discovery": "UNKNOWN"
},
"title": "CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-41249",
"datePublished": "2026-06-04T19:26:46.043Z",
"dateReserved": "2026-04-18T03:47:03.136Z",
"dateUpdated": "2026-06-04T19:26:46.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2026-41249\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-06-04T20:16:57.797\",\"lastModified\":\"2026-06-04T20:16:57.797\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a \\\"Pwn Request\\\" vulnerability. As of time of publication, `pull_request_target` is still in the file.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-94\"}]}],\"references\":[{\"url\":\"https://github.com/coreshop/CoreShop/blob/5.1.0-beta.1/.github/workflows/static.yml#L14\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/coreshop/CoreShop/commit/cc1e3f547228ec5ebfc1dc0472f9a3cc5f4137a4\",\"source\":\"security-advisories@github.com\"},{\"url\":\"https://github.com/coreshop/CoreShop/security/advisories/GHSA-q58j-g3f4-h26h\",\"source\":\"security-advisories@github.com\"}]}}"
}
}
FKIE_CVE-2026-41249
Vulnerability from fkie_nvd - Published: 2026-06-04 20:16 - Updated: 2026-06-04 20:16
Severity
Summary
CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of time of publication, `pull_request_target` is still in the file.
References
Impacted products
| Vendor | Product | Version |
|---|
{
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a \"Pwn Request\" vulnerability. As of time of publication, `pull_request_target` is still in the file."
}
],
"id": "CVE-2026-41249",
"lastModified": "2026-06-04T20:16:57.797",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 4.2,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-06-04T20:16:57.797",
"references": [
{
"source": "security-advisories@github.com",
"url": "https://github.com/coreshop/CoreShop/blob/5.1.0-beta.1/.github/workflows/static.yml#L14"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/coreshop/CoreShop/commit/cc1e3f547228ec5ebfc1dc0472f9a3cc5f4137a4"
},
{
"source": "security-advisories@github.com",
"url": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-q58j-g3f4-h26h"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Received",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-94"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-Q58J-G3F4-H26H
Vulnerability from github – Published: 2026-05-14 13:18 – Updated: 2026-05-14 13:18
VLAI
Summary
CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration
Details
Summary
The GitHub Actions workflow (.github/workflows/static.yml) uses the pull_request_target trigger but dangerously checks out the unverified code from the pull request head (ref: ${{ github.event.pull_request.head.ref }}). Subsequently, it executes a script (bin/console) from this untrusted checkout.
This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability.
Steps to Reproduce:
1. Fork the target repository.
2. In the forked repository, modify a file that satisfies the paths condition (e.g., src/dummy.php or composer.json) to trigger the workflow.
3. Modify the bin/console file (which is executed in the workflow steps) with the following malicious payload:
#!/bin/bash
echo "=== PWNED ==="
echo "whoami:"
whoami
- Commit the changes and open a Pull Request against the
5.0ornextbranch of the base repository. - The
Static Testsworkflow will trigger automatically. Navigate to the Actions tab and inspect the logs for theValidate YAML(or any step executingbin/console). - You will see the output of
whoami(typicallyrunner), proving that the arbitrary code was successfully executed in the runner's context.
Impact:
Because pull_request_target runs in the context of the base repository, the runner has access to repository secrets (e.g., PIMCORE_SECRET, PIMCORE_PRODUCT_KEY) loaded in the environment. An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner's computing resources.
Recommended Mitigation:
Do not checkout untrusted PR code (head.ref) when using pull_request_target if the code will be built or executed.
Consider adopting a separated architecture using the workflow_run event:
1. Use the pull_request event to safely run the build/tests in an unprivileged sandbox and upload artifacts.
2. Use the workflow_run event (which is privileged) to download the artifacts and perform actions requiring secrets.
Severity
8.2 (High)
{
"affected": [
{
"package": {
"ecosystem": "Packagist",
"name": "coreshop/core-shop"
},
"versions": [
"5.0.0"
]
}
],
"aliases": [
"CVE-2026-41249"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-14T13:18:16Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\n\nThe GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout.\nThis allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a \"Pwn Request\" vulnerability.\n\n**Steps to Reproduce:**\n1. Fork the target repository.\n2. In the forked repository, modify a file that satisfies the `paths` condition (e.g., `src/dummy.php` or `composer.json`) to trigger the workflow.\n3. Modify the `bin/console` file (which is executed in the workflow steps) with the following malicious payload:\n```bash\n#!/bin/bash\necho \"=== PWNED ===\"\necho \"whoami:\"\nwhoami\n```\n4. Commit the changes and open a Pull Request against the `5.0` or `next` branch of the base repository.\n5. The `Static Tests` workflow will trigger automatically. Navigate to the Actions tab and inspect the logs for the `Validate YAML` (or any step executing `bin/console`).\n6. You will see the output of `whoami` (typically `runner`), proving that the arbitrary code was successfully executed in the runner\u0027s context.\n\n\u003cimg width=\"490\" height=\"87\" alt=\"\u30b9\u30af\u30ea\u30fc\u30f3\u30b7\u30e7\u30c3\u30c8 2026-04-14 11 14 56\" src=\"https://github.com/user-attachments/assets/94276033-b989-46dc-b4a1-3dafa1603235\" /\u003e\n\n\n**Impact:**\nBecause `pull_request_target` runs in the context of the base repository, the runner has access to repository secrets (e.g., `PIMCORE_SECRET`, `PIMCORE_PRODUCT_KEY`) loaded in the environment. An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner\u0027s computing resources.\n\n**Recommended Mitigation:**\nDo not checkout untrusted PR code (`head.ref`) when using `pull_request_target` if the code will be built or executed.\nConsider adopting a separated architecture using the `workflow_run` event:\n1. Use the `pull_request` event to safely run the build/tests in an unprivileged sandbox and upload artifacts.\n2. Use the `workflow_run` event (which is privileged) to download the artifacts and perform actions requiring secrets.",
"id": "GHSA-q58j-g3f4-h26h",
"modified": "2026-05-14T13:18:16Z",
"published": "2026-05-14T13:18:16Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/coreshop/CoreShop/security/advisories/GHSA-q58j-g3f4-h26h"
},
{
"type": "PACKAGE",
"url": "https://github.com/coreshop/CoreShop"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration"
}
Loading…
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…