Description
KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a child_process.execSync() call in the release.yml workflow. Attackers can have a malicious pull request merged to trigger the GitHub Actions runner with contents write permissions and access to GITHUB_TOKEN.
Published: 2026-06-11
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

KanaDojo contains a command injection flaw that lets an attacker with pull request access insert shell metacharacters into the version or changes fields of patchNotesData.json. These fields are interpolated unsanitized into a child_process.execSync() call within the release.yml workflow, allowing execution of arbitrary shell commands. If a malicious pull request is merged, the GitHub Actions runner is triggered with the repository permissions and the GITHUB_TOKEN, effectively giving the attacker full control of the runner environment and potentially compromising the repository and host infrastructure.

Affected Systems

The vulnerable products are versions of KanaDojo from the vendor lingdojo that are below 0.1.18. The flaw resides in the release.yml workflow that processes patchNotesData.json, affecting any repository using KanaDojo without an up‑to‑date version.

Risk and Exploitability

The CVSS score of 8.5 reflects high severity. While the EPSS score is not listed, the vulnerability requires only pull‑request rights, which many contributors possess. An attacker can exploit the flaw by crafting a PR that injects malicious shell commands, getting it merged, and having arbitrary code execute during the CI run. The issue is not currently listed in CISA KEV, but its impact and the low effort required to trigger it mean the risk remains high if the CI workflow runs with write permissions and an unrestricted GITHUB_TOKEN.

Generated by OpenCVE AI on June 11, 2026 at 22:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply KanaDojo version 0.1.18 or later to eliminate the unsanitized shell interpolation.
  • If upgrading cannot occur immediately, restrict the GITHUB_TOKEN in the Actions workflow to read‑only or replace it with a token lacking write scope to reduce the impact of a merged PR.
  • Review all user‑supplied fields that are passed to execSync and sanitize or replace them with safer APIs that do not expand shell metacharacters.
  • Enforce branch protection rules that require code review and successful CI checks before merging pull requests.
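
The third recommendation above, sketched as an added example (not KanaDojo's code or the vendor's fix): the shell-interpolated pattern beside a form that validates the version field and passes both fields as discrete arguments. The git tag command, the x.y.z version format, the array shape of changes and all function names are assumptions made for illustration.

```javascript
// Added example: constructed names and command, not KanaDojo's own code.
const VERSION_RE = /^\d+\.\d+\.\d+$/; // assumed format: plain x.y.z

// Vulnerable pattern, for contrast. Passed to execSync(), this string is
// parsed by /bin/sh, so metacharacters in either field become shell syntax.
function unsafeCommandString(entry) {
  return `git tag -a v${entry.version} -m "${entry.changes.join("\n")}"`;
}

// Allow-list the structured field; only type-check the free-text one.
function validateEntry(entry) {
  if (typeof entry.version !== "string" || !VERSION_RE.test(entry.version)) {
    throw new Error(`rejected version field: ${JSON.stringify(entry.version)}`);
  }
  const changes = entry.changes;
  if (!Array.isArray(changes) || !changes.every((c) => typeof c === "string")) {
    throw new Error("changes must be an array of strings");
  }
  return { version: entry.version, changes };
}

// Hardened form: each value is one argv element. With no shell in between,
// `;`, `$()` and backticks in the notes reach git as literal text.
function buildTagArgs(entry) {
  const { version, changes } = validateEntry(entry);
  // The "v" prefix and the preceding "-m" keep either value from being
  // read as a git option.
  return ["tag", "-a", `v${version}`, "-m", changes.join("\n")];
}

// execFileSync spawns git directly and never invokes a shell.
async function createTag(entry) {
  const { execFileSync } = await import("node:child_process");
  return execFileSync("git", buildTagArgs(entry), { encoding: "utf8" });
}

// Constructed sample entries.
const benign = { version: "0.1.18", changes: ["Fix `kana` quiz; tidy $(docs)"] };
const hostile = { version: "0.1.18; echo injected", changes: ["x"] };
```

Running validateEntry as a pull request check on patchNotesData.json rejects a malformed version before merge, rather than only at release time.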

Generated by OpenCVE AI on June 11, 2026 at 22:19 UTC.

Advisories

No advisories yet.

History

Mon, 15 Jun 2026 21:45:00 +0000


Fri, 12 Jun 2026 20:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Lingdojo; Lingdojo kana-dojo |
| Vendors & Products | | Lingdojo; Lingdojo kana-dojo |

Thu, 11 Jun 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Metrics | | ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


Thu, 11 Jun 2026 19:00:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a child_process.execSync() call in the release.yml workflow. Attackers can have a malicious pull request merged to trigger the GitHub Actions runner with contents write permissions and access to GITHUB_TOKEN. |
| Title | | KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml |
| Weaknesses | | CWE-78 |
| References | | |
| Metrics | | cvssV3_1: {'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N'}; cvssV4_0: {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N'} |


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-15T21:15:10.700Z

Reserved: 2026-05-21T18:34:46.418Z

Link: CVE-2026-48547

Vulnrichment

Updated: 2026-06-11T19:39:17.568Z

NVD

Status: Deferred

Published: 2026-06-11T19:16:46.983

Modified: 2026-06-15T22:16:17.243

Link: CVE-2026-48547

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-12T20:21:54Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')