← Retour aux CVEs
CVE-2026-34243
CRITICAL9.8
Description
wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches.
Details CVE
Score CVSS v3.19.8
SeveriteCRITICAL
Vecteur CVSSCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Vecteur d'attaqueNETWORK
ComplexiteLOW
Privileges requisNONE
Interaction utilisateurNONE
Publie3/31/2026
Derniere modification4/3/2026
Sourcenvd
Observations honeypot0
Produits affectes
njzjz:wenxian
Faiblesses (CWE)
CWE-77CWE-78
References
https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88(security-advisories@github.com)
Correlations IOC
Aucune correlation enregistree
This product uses data from the NVD API but is not endorsed or certified by the NVD.