What is the CVSS score of CVE-2026-41414?

CVE-2026-41414 has a CVSS 3.1 base score of 7.4 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Skim are affected by CVE-2026-41414?

Skim's GitHub Actions CI pipeline contains a workflow injection vulnerability (CVE-2026-41414) that allows any GitHub user to execute arbitrary code with repository write access and bot credentials…

Skim CVE-2026-41414

EUVD-2026-25596 HIGH

Code Injection (CWE-94)

2026-04-24 GitHub_M

RCE Code Injection

7.4

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

None

Integrity

High

Availability

None

Lifecycle Timeline

Re-analysis Queued

Apr 24, 2026 - 19:22 vuln.today

cvss_changed

Analysis Generated

Apr 24, 2026 - 19:15 vuln.today

EUVD ID Assigned

Apr 24, 2026 - 19:00 euvd

EUVD-2026-25596

Analysis Generated

Apr 24, 2026 - 19:00 vuln.today

CVE Published

Apr 24, 2026 - 18:32 nvd

HIGH 7.4

DescriptionNVD

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.

AnalysisAI

GitHub Actions workflow injection in Skim's CI pipeline allows remote code execution with elevated privileges when any GitHub user opens a pull request from a fork. The vulnerable generate-files job automatically checks out and executes attacker-controlled Rust code (via cargo run) with access to SKIM_RS_BOT_PRIVATE_KEY secret and GITHUB_TOKEN with contents:write permissions, enabling repository compromise. …

RemediationAI

Within 24 hours: Identify all Skim instances used in your CI/CD pipelines and development workflows; immediately restrict external pull requests in affected repositories by disabling automatic CI triggers on forks (GitHub Settings > Actions > Fork pull request workflows > Require approval for all outside collaborators). Within 7 days: Apply commit bf63404 or later to your Skim deployment, review git history for suspicious commits or secret exfiltration, and rotate SKIM_RS_BOT_PRIVATE_KEY and any exposed GITHUB_TOKENs. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

Vendor StatusVendor

CVE-2026-41414 vulnerability details – vuln.today

Back

Skim CVE-2026-41414

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Vendor StatusVendor

Share

External POC / Exploit Code