Impact
mise renders .tool-versions files through the Tera template engine, and mise registered an exec() function in that engine. Versions before 2026.3.10 therefore allow arbitrary command execution from within a .tool-versions file. An attacker can commit a malicious .tool-versions file to a git repository; when a user who has mise activated in their shell changes directory into that checkout, the file is rendered without any trust prompt and the embedded command runs with that user's privileges. The primary impact is remote code execution in the context of the local user running mise.
Affected Systems
All mise installations older than 2026.3.10 are vulnerable. The issue applies when the user runs mise in non-paranoid mode (the default) and navigates into a repository that contains a malicious .tool-versions file. It does not affect .mise.toml files, which are subject to trust verification before they are used.
Risk and Exploitability
The vulnerability has a CVSS score of 9.6, indicating critical severity. The EPSS score is not available, and the flaw is not listed in the CISA KEV catalog. Exploitation requires the attacker to place a malicious .tool-versions file in a repository and the victim to have a vulnerable mise installed, not to have enabled paranoid mode (it is off by default), and to change into that repository's directory. Once the template is rendered, the exec() function runs the attacker's commands with the victim's user privileges. This is arbitrary code execution delivered through a supply-chain vector (a cloned or checked-out repository), not a privilege escalation: the commands can do whatever the victim's account can already do.
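The Impact and Risk sections above describe the mechanism (Tera template syntax in a .tool-versions file invoking exec()) and the precondition (changing into an untrusted checkout before mise has rendered the file). A practitioner who cannot upgrade every machine immediately will want a pre-cd check over a fresh clone. The following scanner is an added example written for this page; it is not code from mise or from the advisory. It assumes that a legitimate .tool-versions line is `<tool> <version>[ <version>...]` with an optional `# comment`, so any Tera delimiter (`{{`, `{%`, `{#`) in such a file is suspicious, and it assumes the template call takes the form `exec(...)` as the advisory names it (the `command=` keyword in the constructed sample is an assumption about mise's function signature, not something this page states). The sample file contents are constructed for the demonstration.

```python
import os
import re
from dataclasses import dataclass
from typing import List

# Tera delimiters: {{ expression }}, {% tag %}, {# comment #}.
TEMPLATE_TAG = re.compile(r"\{\{|\{%|\{#")
# The exec() template function the advisory describes; whitespace before
# the paren is tolerated so trivial spacing tricks do not evade the scan.
EXEC_CALL = re.compile(r"\bexec\s*\(")


@dataclass
class Finding:
    path: str
    line_no: int
    line: str
    reason: str


def scan_tool_versions_text(text: str, path: str = "<inline>") -> List[Finding]:
    """Flag lines of a .tool-versions file that carry template syntax.

    A plain version pin never needs Tera delimiters, so their presence is
    enough to flag the line. Lines are scanned whole, comments included:
    whether mise renders the template before or after stripping a trailing
    `# comment` is not something this check should have to know.
    """
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        has_tag = TEMPLATE_TAG.search(line) is not None
        if has_tag and EXEC_CALL.search(line):
            findings.append(Finding(path, line_no, line.rstrip(),
                                    "exec() call inside template expression"))
        elif has_tag:
            findings.append(Finding(path, line_no, line.rstrip(),
                                    "template syntax in version spec"))
    return findings


def scan_tree(root: str) -> List[Finding]:
    """Walk a checkout and scan every .tool-versions file in it (skipping .git).

    Nested files matter: mise picks up .tool-versions files in parent
    directories of wherever the user ends up, so the whole tree is scanned.
    """
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        if ".tool-versions" in filenames:
            path = os.path.join(dirpath, ".tool-versions")
            with open(path, encoding="utf-8", errors="replace") as fh:
                findings.extend(scan_tool_versions_text(fh.read(), path))
    return findings


# Constructed sample contents (not taken from any real repository).
BENIGN = "node 20.11.0\npython 3.12.2 # pinned for CI\n"
MALICIOUS = 'node {{ exec(command="echo pwned") }}\npython 3.12.2\n'


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    hits = scan_tree(root)
    for f in hits:
        print(f"{f.path}:{f.line_no}: {f.reason}: {f.line}")
    # Non-zero exit so the scan can gate a `cd` or a CI checkout step.
    sys.exit(1 if hits else 0)
```

Run it against a clone before entering the directory (`python scan.py path/to/clone`); a non-zero exit means a .tool-versions file contains template syntax and should be read by hand before mise is allowed to process it. The check flags every template use, not only exec(), because a benign-looking expression today can be edited into an exec() call in a later commit; upgrading to 2026.3.10 or later, or running mise in paranoid mode as the Affected Systems section notes, is the actual fix, and this scan only narrows the window until that is done.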
OpenCVE Enrichment
GitHub GHSA