CVE-2026-41249
HighCVSS 8.2Summary
CoreShop, an enhanced eCommerce solution for Pimcore, in versions 5.0.1 through 5.1.0-beta.1, has a vulnerability that allows Remote Code Execution (RCE) through unsafe checking of code from pull requests. It utilizes a GitHub Actions workflow that executes a script from untrusted checkout.
Risk Assessment
An attacker can remotely execute arbitrary code on the GitHub Actions runner, posing a significant threat to the security of the application and the organization's data.
Recommendation
It is recommended to update to the latest version of CoreShop and review and modify the GitHub Actions workflow to avoid using `pull_request_target` in the context of untrusted code.
Original NVD description (English source)
CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of time of publication, `pull_request_target` is still in the file.

