CVE-2026-41414
🟡 Monitor
Execution of attacker-controlled fork code in Skim's GitHub Actions workflow gives an attacker access to the project's bot private key and a write-capable GITHUB_TOKEN.
CVSS
7.4
EPSS
0.0%
Exploit
poc
Vendor
skim-rs
Source description (NVD)
Skim is a fuzzy finder designed to search through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation: any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.
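The pattern the advisory describes, as an added illustration that is not the skim-rs project's actual pr.yml and not the referenced fix commit: a reconstruction of the vulnerable job followed by an assumed hardened variant. The `pull_request_target` trigger, the step names, the `generate` subcommand and the `v4` action tag are assumptions; only the job name, the `cargo run` invocation, the two secrets and the `contents: write` permission come from the description above.

```yaml
# Added example, not the skim-rs repository's workflow. Assumed: trigger type, step layout,
# the `generate` argument and action versions. From the advisory: the generate-files job,
# `cargo run`, SKIM_RS_BOT_PRIVATE_KEY, and GITHUB_TOKEN with contents:write.

# --- Vulnerable pattern: fork code is checked out and executed with repository secrets ---
name: pr
on:
  pull_request_target:          # assumed trigger: runs in the base repo's context, so
    types: [opened, synchronize] # secrets and a privileged GITHUB_TOKEN are in scope

permissions:
  contents: write               # GITHUB_TOKEN can push commits and tags to the repository

jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}   # attacker-controlled fork commit
      - run: cargo run -- generate   # compiles and runs the fork's code: build.rs, proc-macros
        env:                         # and main() all execute with the secrets below exposed
          SKIM_RS_BOT_PRIVATE_KEY: ${{ secrets.SKIM_RS_BOT_PRIVATE_KEY }}
          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

---
# --- Assumed hardened variant (an example remediation, not the project's fix) ---
name: pr
on:
  pull_request:                 # for fork PRs: no repository secrets, read-only GITHUB_TOKEN
    types: [opened, synchronize]

permissions:
  contents: read                # even a same-repo PR cannot push with this token

jobs:
  generate-files:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4  # default ref: the PR merge commit, no privileged context
      - run: cargo run -- generate # fork code still runs, but nothing worth stealing is in scope
      - uses: actions/upload-artifact@v4
        with:
          name: generated-files     # hand the output to a separate, trusted job instead
          path: generated/          # of letting this job write to the repository
```

Two points matter in the vulnerable half: `cargo run` on a checked-out fork is code execution at both build time (build scripts and procedural macros) and run time, so there is no safe way to "just compile" untrusted Rust in a privileged job; and a write-capable GITHUB_TOKEN plus a bot signing key lets an attacker push to the repository or sign as the bot, which is why the advisory treats key and token access as the impact. If generated files really must be committed back, the hardened half's artifact can be consumed by a separate `workflow_run` job that holds the secrets but never checks out or executes fork code.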
Patch: fixed in commit bf63404ad51985b00ed304690ba9d477860a5a75 (see references)
Sources and dates
| Source | Value |
|---|---|
| NVD – CVSS | 7.4 |
| CISA KEV (actively exploited) | No |
| FIRST EPSS (exploit probability) | 0.0% |
| Published (NVD) | 2026-04-24 19:17:13 UTC |
| Last modified (NVD) | 2026-05-01 19:03:15 UTC |
References
- https://github.com/skim-rs/skim/commit/bf63404ad51985b00ed304690ba9d477860a5a75 (security-advisories@github.com) [Patch]
- https://github.com/skim-rs/skim/security/advisories/GHSA-9g93-rxr5-xhqw (security-advisories@github.com) [Third Party Advisory]
- https://drive.google.com/file/d/1Gj7ziTK42YWXYoQgTbis_rMitHR59J6F/view (134c704f-9b21-4f2e-91b3-4a467353bcc0) [Exploit]