Description
CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of the time of publication, `pull_request_target` is still in the file.
Published: 2026-06-04
Score: 8.2 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

CoreShop versions 5.0.1 through 5.1.0‑beta.1 contain a GitHub Actions workflow that is triggered by pull_request_target events. The workflow checks out the code from the pull request head and executes the bin/console script from that unverified checkout. This is a classic instance of CWE‑94: the runner executes arbitrary code supplied by the attacker. Consequently, any external contributor or fork can submit a malicious pull request and cause the GitHub Actions runner to run attacker‑controlled commands, yielding full remote code execution on the runner environment.

Affected Systems

The affected system is the CoreShop eCommerce platform from the coreshop vendor. Installations running CoreShop versions 5.0.1 up to and including 5.1.0‑beta.1 are impacted because the vulnerable workflow is present in the repository for these releases.

Risk and Exploitability

The CVSS score of 8.2 classifies the issue as high severity. No EPSS score is available, and the vulnerability is not listed in CISA KEV, so the current exploitation probability is uncertain. However, the straightforward attack path (creating or modifying a pull request) makes it an attractive vector for adversaries that target open‑source project pipelines. Until a vendor patch is applied or the workflow is corrected, the risk remains elevated for any repository using the unsafe trigger.

Generated by OpenCVE AI on June 4, 2026 at 21:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official CoreShop update that removes or fixes the insecure pull_request_target workflow, preferably the first release after 5.1.0‑beta.1.
  • If an immediate upgrade is not feasible, edit the .github/workflows/static.yml file to replace the pull_request_target trigger with the safer pull_request event or remove the trigger entirely, ensuring that only trusted code is executed on the runner.
  • Add a temporary condition to the workflow that skips execution for pull requests originating from forks or unfamiliar repositories, for example by checking github.event.pull_request.head.repo.full_name equals the primary repository name before running the checkout step.

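The unsafe combination the description calls out (a `pull_request_target` trigger, a checkout of the pull request head ref, then running `bin/console` from that checkout) and the two remediations in the recommended actions (switching to `pull_request`, or guarding on `github.event.pull_request.head.repo.full_name == github.repository`) can be checked mechanically across a repository's workflow files. The script below is an added example, not CoreShop's code and not part of this advisory: the three embedded workflows are constructed samples rather than the real `static.yml`, and the detection is a line-level heuristic rather than a full YAML parse. The reason the pattern is dangerous is that a `pull_request_target` job runs in the context of the base repository, with its secrets and a `GITHUB_TOKEN` that can have write access, whereas a plain `pull_request` run for a fork receives no secrets and a read-only token.

```python
"""Heuristic scanner for the "Pwn Request" pattern in GitHub Actions workflows.

Added example (not CoreShop's code): flags workflows that combine the
pull_request_target trigger with a checkout of the pull request head, and
reports whether a same-repository guard is present.
"""
import re
import sys

# Constructed sample workflows, not the real .github/workflows/static.yml.
# 1) The pattern the advisory describes: pull_request_target + checkout of the
#    PR head + running a script from that untrusted checkout.
VULNERABLE_WORKFLOW = """\
name: Static analysis
on:
  pull_request_target:
    branches: [main]
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - run: bin/console cache:clear
"""

# 2) Recommended fix: plain pull_request, so fork PRs run without secrets and
#    with a read-only token, and checkout defaults to the PR merge commit.
HARDENED_WORKFLOW = """\
name: Static analysis
on:
  pull_request:
    branches: [main]
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bin/console cache:clear
"""

# 3) Interim mitigation from the recommended actions: keep the trigger but
#    skip the job unless the PR head lives in the primary repository.
GUARDED_WORKFLOW = """\
name: Static analysis
on:
  pull_request_target:
jobs:
  static:
    if: github.event.pull_request.head.repo.full_name == github.repository
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - run: bin/console cache:clear
"""

_PRT_RE = re.compile(r"\bpull_request_target\b")
_HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.(?:ref|sha)\b")
_GUARD_RE = re.compile(
    r"github\.event\.pull_request\.head\.repo\.full_name\s*==\s*github\.repository\b"
)


def _strip_comments(text: str) -> str:
    """Drop YAML line comments so a commented-out trigger is not counted."""
    return "\n".join(line.split("#", 1)[0] for line in text.splitlines())


def analyze_workflow(text: str) -> dict:
    """Classify one workflow file's exposure to the Pwn Request pattern."""
    body = _strip_comments(text)
    uses_prt = bool(_PRT_RE.search(body))
    checks_out_head = bool(_HEAD_REF_RE.search(body))
    guarded = bool(_GUARD_RE.search(body))

    if uses_prt and checks_out_head and not guarded:
        risk = "high"     # untrusted PR code runs with base-repo secrets
    elif uses_prt and checks_out_head:
        risk = "medium"   # guard limits it to same-repo PRs; still review
    elif uses_prt:
        risk = "low"      # trigger present but no head checkout found
    else:
        risk = "none"

    return {
        "uses_pull_request_target": uses_prt,
        "checks_out_pr_head": checks_out_head,
        "same_repo_guard": guarded,
        "risk": risk,
    }


def scan_files(paths):
    """Return {path: analysis} for each workflow file given on disk."""
    results = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            results[path] = analyze_workflow(fh.read())
    return results


if __name__ == "__main__":
    samples = {
        "vulnerable": VULNERABLE_WORKFLOW,
        "hardened": HARDENED_WORKFLOW,
        "guarded": GUARDED_WORKFLOW,
    }
    targets = sys.argv[1:]
    report = (scan_files(targets) if targets
              else {name: analyze_workflow(text) for name, text in samples.items()})
    for name, result in report.items():
        print(f"{name}: risk={result['risk']} {result}")
```

Run it with no arguments to classify the three embedded samples, or pass the paths of `.github/workflows/*.yml` files to scan a checkout. A "medium" result still deserves review: the guard only excludes fork pull requests, and since a branch ref can move between review and execution, pinning the checkout to `head.sha` rather than `head.ref` at least ties the run to the exact commit that was looked at.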


Advisories

Source: GitHub GHSA
ID: GHSA-q58j-g3f4-h26h
Title: CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration
History

Thu, 04 Jun 2026 23:45:00 +0000

Type: First Time appeared
Values Added: Coreshop; Coreshop coreshop

Type: Vendors & Products
Values Added: Coreshop; Coreshop coreshop

Thu, 04 Jun 2026 20:15:00 +0000

Type: Description
Values Added: CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of the time of publication, `pull_request_target` is still in the file.

Type: Title
Values Added: CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration

Type: Weaknesses
Values Added: CWE-94

Type: References

Type: Metrics
Values Added: cvssV3_1 {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-04T19:26:46.043Z

Reserved: 2026-04-18T03:47:03.136Z

Link: CVE-2026-41249

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-04T20:16:57.797

Modified: 2026-06-04T20:16:57.797

Link: CVE-2026-41249

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-04T23:30:25Z

Weaknesses