CVE-2026-41249 – CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration

CVE ID :CVE-2026-41249

Published : June 4, 2026, 8:16 p.m. | 16 minutes ago

Description :CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a “Pwn Request” vulnerability. As of time of publication, `pull_request_target` is still in the file.

Severity: 8.2 | HIGH

Visit the link for more details, such as CVSS details, affected products, timeline, and more… 

نوشته های مشابه

CVE-2026-5589 – Out-of-bounds write caused by an integer underflow in the Bluetooth Mesh subsystem.

CVE-2026-41522 – Iris has an Improper Authorization issue

CVE-2026-41518 – Chartbrew has a stored DOM XSS via Chart Tooltip innerHTML (ChartDatasetConfig.legend)

CVE-2026-21404 – NAVTOR NavBox Use of Hard-coded Credentials