← Back to CVEs
CVE-2026-34243
CRITICAL9.8
Description
wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches.
CVE Details
CVSS v3.1 Score9.8
SeverityCRITICAL
CVSS VectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack VectorNETWORK
ComplexityLOW
Privileges RequiredNONE
User InteractionNONE
Published3/31/2026
Last Modified4/3/2026
Sourcenvd
Honeypot Sightings0
Affected Products
njzjz:wenxian
Weaknesses (CWE)
CWE-77CWE-78
References
https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88(security-advisories@github.com)
IOC Correlations
No correlations recorded
This product uses data from the NVD API but is not endorsed or certified by the NVD.