CVE-2026-48546
HighCVSS 7.3Exploitation Probability (EPSS)
Low risk24th percentile - higher than 24% of all known CVEs
Summary
KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code. This is exploited by passing the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow.
Risk Assessment
Attackers can modify files to import arbitrary Node.js modules, leading to remote code execution with full GitHub Actions runner privileges, including access to AUTOMATION_PR_TOKEN.
Recommendation
It is recommended to update KanaDojo to version 0.1.18 or later to mitigate this vulnerability. Additionally, review and restrict access to workflows to minimize risk.
Original NVD description (English source)
KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox restrictions and achieving remote code execution with full GitHub Actions runner privileges including access to AUTOMATION_PR_TOKEN.

