Lucene search
K

13 matches found

NVD
NVD
added 2026/06/26 6:17 p.m.7 views

CVE-2026-55448

mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credentialcommand from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a...

6.3CVSS0.00159EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 6:17 p.m.6 views

CVE-2026-55441

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/,...

8.6CVSS0.00184EPSS
Exploits0References1
NVD
NVD
added 2026/06/26 6:17 p.m.12 views

CVE-2026-54557

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlin...

5.5CVSS0.00175EPSS
Exploits0References1
OSV
OSV
added 2026/06/26 4:51 p.m.5 views

CVE-2026-33646 mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not...

9.6CVSS6.2AI score0.00685EPSS
Exploits0References3
Cvelist
Cvelist
added 2026/06/26 4:48 p.m.38 views

CVE-2026-55441 mise: Arbitrary command execution via task-include files in an untrusted, config-less repository

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/,...

8.6CVSS0.00184EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/06/26 4:48 p.m.7 views

CVE-2026-55441

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/,...

8.6CVSS5.9AI score0.00184EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/26 4:46 p.m.2 views

CVE-2026-55448 mise: Local credential_command executes untrusted config

mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credentialcommand from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a...

6.3CVSS6.2AI score0.00159EPSS
Exploits0References3
ATTACKERKB
ATTACKERKB
added 2026/06/26 4:46 p.m.7 views

CVE-2026-55448

mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credentialcommand from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a...

6.3CVSS6AI score0.00159EPSS
Exploits0References2Affected Software1
CVE
CVE
added 2026/06/26 4:46 p.m.19 views

CVE-2026-55448

CVE-2026-55448 is confirmed across multiple sources as a local command-exécution vulnerability in the mise tool. An attacker who can place a repository-local .mise.toml can have mise load github.credential_command from local project config and execute its value via sh -c when resolving a GitHub t...

6.3CVSS6AI score0.00159EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/23 12:0 a.m.11 views

PT-2026-51641

Name of the Vulnerable Software and Affected Versions mise versions 2026.3.15 through 2026.6.3 Description mise loads the github.credential command setting from local project configuration files before any trust decision is made. When resolving a GitHub token, the software executes the value of...

6.3CVSS6.2AI score0.00159EPSS
Exploits0References6
OSV
OSV
added 2026/04/07 9:1 p.m.7 views

CVE-2026-35533 mise has a local settings bypass config trust checks

mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted a...

7.7CVSS6AI score0.00154EPSS
Exploits1References3
ATTACKERKB
ATTACKERKB
added 2026/04/07 9:1 p.m.3 views

CVE-2026-35533

mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted a...

7.7CVSS5.9AI score0.00154EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/04/07 9:1 p.m.16 views

CVE-2026-35533

The CVE-2026-35533 issue affects mise (dev tools manager). From 2026.2.18–2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can cause that file to be treated as trusted and reac...

7.8CVSS5.9AI score0.00154EPSS
Exploits1References1Affected Software1
Rows per page
Query Builder