216.73.217.80

CVE-2026-48546

· Published 11/06/2026 20:16 · Modified 11/06/2026 20:59 · Author: The MITRE Corporation

Labels: CVE-2026-48546 2026-06-11CVE-2026-48546CWE-693[email protected]

Essential information

Published
11/06/2026 20:16
Modified
11/06/2026 20:59
Author
The MITRE Corporation
Creator
The MITRE Corporation
CVSS
7.3 HIGH (v3.1) 8.5 HIGH (v4.0)
CISA KEV
No
CWE
CWE-693
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N

CVSS metrics

Description

KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext() sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull request modifying messages.cjs to import arbitrary Node.js modules, bypassing sandbox restrictions and achieving remote code execution with full GitHub Actions runner privileges including access to AUTOMATION_PR_TOKEN.

NVD status

Status
Deferred — CVE has been recently published to the CVE List and has been received by the NVD.
Source
[email protected]
NVD
View on NVD

Affected products (CPE)

ProductCPE
kanadojo / kanadojo cpe:2.3:a:kanadojo:kanadojo:<0.1.18:*:*:*:*:*:*:*

References