Description
wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches.
Published: 2026-03-31
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: Remote Code Execution
Action: Assess Impact
AI Analysis

Impact

A command-injection flaw exists in the GitHub Actions workflow of the wenxian tool. The workflow incorporates untrusted input from the body of an issue comment directly into a shell command. An attacker able to create or modify an issue comment can inject arbitrary shell commands, leading to remote code execution on the GitHub Actions runner. The weakness falls under CWE-77 and CWE-78, allowing attackers to compromise confidentiality and integrity of the runner environment.

Affected Systems

The affected product is wenxian, maintained by njzjz, in all releases version 0.3.1 and earlier. These versions run the vulnerable workflow whenever an issue comment is created or updated in a GitHub repository that contains the workflow. No other products or vendors are listed as affected.

Risk and Exploitability

The base CVSS score is 9.8, indicating critical severity. No EPSS score is provided, but given the wide use of GitHub Actions and the absence of a public patch, the likelihood of exploitation is high. The vulnerability is not listed in CISA's KEV catalog. Exploitation requires only the ability to post or edit an issue comment in a repository that hosts the vulnerable workflow, so any publicly accessible project running it is exposed.

Generated by OpenCVE AI on March 31, 2026 at 17:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review and modify the GitHub Actions workflow to eliminate the use of untrusted issue_comment.body in shell commands
  • If a newer, patched version of wenxian is released, upgrade to that version immediately
  • Disable or remove the vulnerable workflow if it is not essential to repository operations
  • Enable repository secret scanning and activity logs to detect suspicious comment activity
  • Contact the wenxian maintainers and request an official patch or workaround
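The pattern behind the first recommended action, as an added illustration that is not wenxian's actual workflow file: the unsafe step expands `${{ github.event.comment.body }}` inside `run:`, so the comment text is spliced into the script before the shell parses it, while the fixed step passes the same value through an environment variable so the shell only ever sees it as data. The job name, step text and `permissions` block are constructed for this example; the `permissions` block is a separate hardening step that limits what the job's token can do if a runner is compromised.

```yaml
# Constructed illustration for CVE-2026-34243; not wenxian's workflow.
name: issue-comment-handler
on:
  issue_comment:
    types: [created, edited]

# Least privilege for the job token: a compromised runner cannot push
# or modify the repository with a read-only GITHUB_TOKEN.
permissions:
  contents: read

jobs:
  unsafe-pattern:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE (CWE-77/CWE-78): the expression is substituted into the
      # script text by Actions, so any shell metacharacters in the comment
      # body become part of the script bash executes.
      - run: echo "Comment was: ${{ github.event.comment.body }}"

  fixed-pattern:
    runs-on: ubuntu-latest
    steps:
      # FIX: bind the untrusted value to an environment variable. The script
      # text is now constant; bash receives the comment only as the value of
      # $COMMENT_BODY and never re-parses it as code.
      - env:
          COMMENT_BODY: ${{ github.event.comment.body }}
        run: |
          printf 'Comment was: %s\n' "$COMMENT_BODY"
```

When auditing a repository for this class of bug, search every `run:` block for `${{ github.event.` expressions that reference attacker-controlled fields (comment bodies, issue titles, PR titles and branch names) and move each one into `env:`.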


Advisories
Source: GitHub GHSA
ID: GHSA-r4fj-r33x-8v88
Title: wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`
History

Wed, 01 Apr 2026 02:15:00 +0000

Type: First Time appeared
  Values removed: (none)
  Values added: Njzjz; Njzjz wenxian
Type: Vendors & Products
  Values removed: (none)
  Values added: Njzjz; Njzjz wenxian

Tue, 31 Mar 2026 16:15:00 +0000

Type: Description
  Values removed: (none)
  Values added: wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches.
Type: Title
  Values removed: (none)
  Values added: wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`
Type: Weaknesses
  Values removed: (none)
  Values added: CWE-77; CWE-78
Type: References
  Values removed: (none)
  Values added: (none shown)
Type: Metrics
  Values removed: (none)
  Values added: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-31T15:49:27.333Z

Reserved: 2026-03-26T16:22:29.034Z

Link: CVE-2026-34243

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-03-31T16:16:33.253

Modified: 2026-03-31T16:16:33.253

Link: CVE-2026-34243

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-31T20:37:59Z

Weaknesses