Skip to main content

CoreShop EUVDEUVD-2026-34318

| CVE-2026-41249 HIGH
Code Injection (CWE-94)
2026-05-14 https://github.com/coreshop/CoreShop GHSA-q58j-g3f4-h26h
8.2
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 14:03 vuln.today
Analysis Generated
May 14, 2026 - 14:03 vuln.today
CVE Published
May 14, 2026 - 13:18 nvd
HIGH 8.2

DescriptionGitHub Advisory

Summary

The GitHub Actions workflow (.github/workflows/static.yml) uses the pull_request_target trigger but dangerously checks out the unverified code from the pull request head (ref: ${{ github.event.pull_request.head.ref }}). Subsequently, it executes a script (bin/console) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability.

Steps to Reproduce:

  1. Fork the target repository.
  2. In the forked repository, modify a file that satisfies the paths condition (e.g., src/dummy.php or composer.json) to trigger the workflow.
  3. Modify the bin/console file (which is executed in the workflow steps) with the following malicious payload:
bash
#!/bin/bash
echo "=== PWNED ==="
echo "whoami:"
whoami
  1. Commit the changes and open a Pull Request against the 5.0 or next branch of the base repository.
  2. The Static Tests workflow will trigger automatically. Navigate to the Actions tab and inspect the logs for the Validate YAML (or any step executing bin/console).
  3. You will see the output of whoami (typically runner), proving that the arbitrary code was successfully executed in the runner's context.

<img width="490" height="87" alt="スクリーンショット 2026-04-14 11 14 56" src="https://github.com/user-attachments/assets/94276033-b989-46dc-b4a1-3dafa1603235" />

Impact: Because pull_request_target runs in the context of the base repository, the runner has access to repository secrets (e.g., PIMCORE_SECRET, PIMCORE_PRODUCT_KEY) loaded in the environment. An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner's computing resources.

Recommended Mitigation: Do not checkout untrusted PR code (head.ref) when using pull_request_target if the code will be built or executed. Consider adopting a separated architecture using the workflow_run event:

  1. Use the pull_request event to safely run the build/tests in an unprivileged sandbox and upload artifacts.
  2. Use the workflow_run event (which is privileged) to download the artifacts and perform actions requiring secrets.

AnalysisAI

Remote code execution in CoreShop's GitHub Actions CI/CD pipeline allows unauthenticated attackers to compromise the build infrastructure and exfiltrate repository secrets by submitting a malicious pull request. The vulnerability stems from the dangerous combination of pull_request_target trigger with unverified code checkout, enabling attackers to execute arbitrary commands (bin/console) on GitHub-hosted runners with access to sensitive credentials including PIMCORE_SECRET and PIMCORE_PRODUCT_KEY. This 'Pwn Request' attack pattern (CWE-94: Code Injection) affects version 5.0.0 with no vendor patch currently released. The attack requires zero authentication (PR:N) and low complexity (AC:L), representing a critical supply chain security risk for organizations using CoreShop.

Technical ContextAI

This vulnerability exploits a fundamental GitHub Actions security anti-pattern involving the pull_request_target workflow trigger. Unlike the standard pull_request trigger which executes in an isolated context with limited permissions, pull_request_target runs workflows in the privileged context of the base repository with full access to secrets and write tokens. The CoreShop workflow (.github/workflows/static.yml) compounds this by explicitly checking out untrusted code from the PR head branch (ref: github.event.pull_request.head.ref) and then executing scripts (bin/console) from that checkout. The CPE identifier pkg:composer/coreshop_core-shop indicates this is a Composer-based PHP package, and the bin/console script is a standard PHP/Symfony console entry point. The vulnerability represents CWE-94 (Improper Control of Generation of Code), specifically in the CI/CD automation layer rather than the application code itself. This class of supply chain vulnerability has become increasingly prevalent as attackers target build infrastructure rather than production systems directly.

RemediationAI

No vendor-released patch is available at time of analysis (fixed in: None per advisory metadata). Organizations using CoreShop 5.0.0 must manually remediate the .github/workflows/static.yml workflow file. Primary fix: Remove the dangerous ref parameter from the actions/checkout step so it checks out the base repository's trusted code instead of the PR head, or replace pull_request_target trigger with pull_request for unprivileged execution. Vendor recommends implementing a two-stage workflow architecture: (1) Use pull_request trigger to run tests in an unprivileged sandbox and upload build artifacts, (2) Use workflow_run trigger in a separate privileged workflow to download artifacts and perform actions requiring secrets, ensuring untrusted code never executes in privileged context. Immediate compensating control: Require manual approval for all external contributor pull requests before workflow execution using GitHub's protected branches settings and workflow approval requirements (Settings → Environments → create protection rule requiring reviewer approval for pull_request_target workflows). This prevents automatic exploitation but adds operational friction. Side effect: Manual approval requirement will delay legitimate external contributions. Alternative workaround: Temporarily disable the Static Tests workflow entirely until manual remediation is completed, trading CI/CD automation for security. Organizations should audit all repository secrets (PIMCORE_SECRET, PIMCORE_PRODUCT_KEY) for potential compromise if external PRs were processed before remediation, and rotate credentials if suspicious activity is detected. Reference implementation guidance at https://securitylab.github.com/research/github-actions-preventing-pwn-requests/.

More in PHP

View all
CVE-2012-1823 CRITICAL POC
9.8 May 11

sapi/cgi/cgi_main.c in PHP before 5.3.12 and 5.4.x before 5.4.2, when configured as a CGI script (aka php-cgi), does not

CVE-2016-1555 CRITICAL POC
9.8 Apr 21

(1) boardData102.php, (2) boardData103.php, (3) boardDataJP.php, (4) boardDataNA.php, and (5) boardDataWW.php in Netgear

CVE-2024-11680 CRITICAL POC
9.8 Nov 26

ProjectSend versions prior to r1720 are affected by an improper authentication vulnerability. Rated critical severity (C

CVE-2025-49113 CRITICAL POC
9.9 Jun 02

Roundcube Webmail contains a critical PHP object deserialization vulnerability (CVE-2025-49113, CVSS 9.9) that allows au

CVE-2017-9841 CRITICAL POC
9.8 Jun 27

Util/PHP/eval-stdin.php in PHPUnit before 4.8.28 and 5.x before 5.6.3 allows remote attackers to execute arbitrary PHP c

CVE-2025-0108 HIGH POC
8.8 Feb 12

Palo Alto Networks PAN-OS management web interface contains an authentication bypass allowing unauthenticated attackers

CVE-2021-25298 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2021-25296 HIGH POC
8.8 Feb 15

Nagios XI version xi-5.7.5 is affected by OS command injection. Rated high severity (CVSS 8.8), this vulnerability is re

CVE-2013-4983 CRITICAL POC
10.0 Sep 10

The get_referers function in /opt/ws/bin/sblistpack in Sophos Web Appliance before 3.7.9.1 and 3.8 before 3.8.1.1 allows

CVE-2023-6553 CRITICAL POC
9.8 Dec 15

The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1

CVE-2024-46506 CRITICAL POC
10.0 May 13

NetAlertX (formerly PiAlert) versions 23.01.14 through 24.x before 24.10.12 allow unauthenticated command injection thro

CVE-2024-8353 CRITICAL POC
9.8 Sep 28

The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all

Share

EUVD-2026-34318 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy