CVE-2026-48547

Command Injection in KanaDojo via Patch Notes


Publication date: 2026-06-11

Last updated on: 2026-06-15

Assigner: VulnCheck

Description

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a child_process.execSync() call in the release.yml workflow. Attackers can have a malicious pull request merged to trigger the GitHub Actions runner with contents write permissions and access to GITHUB_TOKEN.

Meta Information

Generated: 2026-07-02
AI Q&A: 2026-06-12
EPSS Evaluated: 2026-06-30

Affected Vendors & Products

Vendor: lingdojo
Product: kana_dojo
Version / Range: 0.1.18

CWE

CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Executive Summary

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands.

This is possible because the attacker can insert shell metacharacters into the version or changes fields of patchNotesData.json, which are then interpolated, without sanitization, into a child_process.execSync() call within the release.yml workflow.

If a malicious pull request is merged, it triggers the GitHub Actions runner with write permissions and access to the GITHUB_TOKEN, enabling the execution of arbitrary commands.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary shell commands on the GitHub Actions runner.

This can lead to unauthorized code execution, potential compromise of the repository, unauthorized access to secrets such as the GITHUB_TOKEN, and possibly further attacks on connected systems or infrastructure.

Compliance Impact

The provided context does not include any information regarding the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability involves command injection through unsanitized inputs in the release.yml GitHub Actions workflow, specifically via the version or changes fields of patchNotesData.json.

Detection would involve inspecting pull requests for malicious shell metacharacters in these fields and monitoring GitHub Actions workflows for unexpected command executions triggered by pull request merges.

There are no specific commands or network detection methods provided in the available information.

Mitigation Strategies

Immediate mitigation steps include restricting pull request access to trusted users only, as the vulnerability requires pull request access to exploit.

Additionally, review and sanitize inputs in patchNotesData.json fields before they are used in any shell command execution within GitHub Actions workflows.

Consider disabling or restricting the release.yml workflow from running on pull request merges until the vulnerability is patched.
