CVE Catalog

CVE-2026-48546

HighCVSS 7.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.08%

24th percentile - higher than 24% of all known CVEs

Summary

KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code. This is exploited by passing the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow.

Risk Assessment

Attackers can modify files to import arbitrary Node.js modules, leading to remote code execution with full GitHub Actions runner privileges, including access to AUTOMATION_PR_TOKEN.

Recommendation

It is recommended to update KanaDojo to version 0.1.18 or later to mitigate this vulnerability. Additionally, review and restrict access to workflows to minimize risk.

Original NVD description (English source)

KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox restrictions and achieving remote code execution with full GitHub Actions runner privileges including access to AUTOMATION_PR_TOKEN.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS