CVE Catalog

CVE-2026-33646

CriticalCVSS 9.6
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.69%

48th percentile — higher than 48% of all known CVEs

Summary

The mise tool prior to version 2026.3.10 processes .tool-versions files through the Tera template engine with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode, allowing an attacker to place a malicious file in a git repository and execute commands without a trust prompt.

Risk Assessment

The risk is that a victim with mise activated, upon entering a directory with a git repository containing a malicious .tool-versions file, may unknowingly execute arbitrary commands, leading to system compromise or data theft.

Recommendation

Immediately update mise to version 2026.3.10 or later. Additionally, consider enabling paranoid mode for all configuration files to enforce trust verification.

Original NVD description (English source)

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode. This means an attacker can place a malicious .tool-versions file in a git repository, and when a victim with mise activated cds into the directory, arbitrary commands execute without any trust prompt. This vulnerability is fixed in 2026.3.10.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS