CVE Catalog

CVE-2026-41249

HighCVSS 8.2
Published: Updated: Translated: NVD NIST

Summary

CoreShop, an enhanced eCommerce solution for Pimcore, in versions 5.0.1 through 5.1.0-beta.1, has a vulnerability that allows Remote Code Execution (RCE) through unsafe checking of code from pull requests. It utilizes a GitHub Actions workflow that executes a script from untrusted checkout.

Risk Assessment

An attacker can remotely execute arbitrary code on the GitHub Actions runner, posing a significant threat to the security of the application and the organization's data.

Recommendation

It is recommended to update to the latest version of CoreShop and review and modify the GitHub Actions workflow to avoid using `pull_request_target` in the context of untrusted code.

Original NVD description (English source)

CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of time of publication, `pull_request_target` is still in the file.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS