No vendor fix or workaround currently provided.
Tracking
| Source | ID | Title |
|---|---|---|
| Github GHSA | GHSA-q58j-g3f4-h26h | CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration |
Mon, 08 Jun 2026 20:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics | ssvc | |
Thu, 04 Jun 2026 23:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared | Coreshop, Coreshop coreshop | |
| Vendors & Products | Coreshop, Coreshop coreshop | |
Thu, 04 Jun 2026 20:15:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). Subsequently, it executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. This is also known as a "Pwn Request" vulnerability. As of the time of publication, `pull_request_target` is still in the file. | |
| Title | CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration | |
| Weaknesses | CWE-94 | |
| References | | |
| Metrics | cvssV3_1 | |
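Added illustration, not taken from the CVE record or from the CoreShop repository: the workflow pattern the description names (a `pull_request_target` trigger that checks out the pull request head and then runs `bin/console` from it), followed by a hardened form that runs contributor code only under the unprivileged `pull_request` trigger. Job and step names and the `list` subcommand are assumptions.

```yaml
# --- Vulnerable pattern (constructed to match the CVE description) ---
# pull_request_target runs in the base repository's context, with a
# write-capable GITHUB_TOKEN and access to repository secrets. The checkout
# below fetches the contributor-controlled PR head, and the following step
# executes a script from that checkout, so anyone who opens a PR controls
# what runs on the privileged runner.
name: static
on:
  pull_request_target:
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}   # untrusted code
      - run: bin/console list   # assumed command; runs PR-supplied bin/console
---
# --- Hardened form (constructed, not the project's fix) ---
# pull_request runs fork PRs with a read-only token and no repository
# secrets, so executing the contributor's code yields no privileged access.
# The explicit permissions block also limits the token for same-repo PRs.
# If a workflow genuinely needs pull_request_target (e.g. to label PRs),
# it must never check out or execute the PR head.
name: static
on:
  pull_request:
permissions:
  contents: read
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4   # default ref: the PR merge commit
      - run: bin/console list       # assumed command; now unprivileged
```

A quick repository audit for this class of issue is to search every file under `.github/workflows/` for `pull_request_target` and flag any that also reference `github.event.pull_request.head` in a checkout step.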
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-06-08T19:15:02.639Z
Reserved: 2026-04-18T03:47:03.136Z
Link: CVE-2026-41249
Updated: 2026-06-08T19:14:02.495Z
Status : Deferred
Published: 2026-06-04T20:16:57.797
Modified: 2026-06-08T20:17:00.970
Link: CVE-2026-41249
OpenCVE Enrichment
Updated: 2026-06-04T23:30:25Z