CVE-2026-34243
Published: 31 March 2026
Description
Adversaries may abuse Unix shell commands and scripts for execution.
Security Summary
CVE-2026-34243 is a command injection vulnerability (CWE-77, CWE-78) affecting wenxian, a tool that generates BibTeX entries from identifiers such as a DOI, PMID, arXiv ID, or paper title. It affects versions 0.3.1 and prior. The flaw is in a GitHub Actions workflow in the repository, which interpolates untrusted user input from the issue_comment event (the comment body, issue_comment.body) directly into a shell command. Because a workflow expression is expanded into the script text before the shell parses it, the comment author controls shell syntax, not just a string value, and can run arbitrary commands on the GitHub Actions runner. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Any attacker with network access can exploit it by posting a specially crafted comment on an issue in the repository: no privileges in the project and no user interaction are required, and constructing the payload is low complexity. Successful exploitation yields arbitrary code execution on the runner, compromising the confidentiality, integrity, and availability of whatever the runner holds, which for an issue_comment-triggered job may include the job's GITHUB_TOKEN and any repository secrets the workflow is granted.
The GitHub security advisory (GHSA-r4fj-r33x-8v88) notes that, at the time of its publication on 2026-03-31, no patch was publicly available.
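The injection pattern the summary describes, as an added example that is not code from wenxian or its workflow. It uses a stub, lookup_tool, in place of the real tool, a constructed comment body, and function names chosen here for illustration. In a workflow file the issue_comment body is referenced as ${{ github.event.comment.body }}; the vulnerable function mimics what happens when that expression sits inside a run: script, and the hardened function mimics the mitigation GitHub documents for this class of bug, passing the expression through an environment variable so it never becomes script text.

```shell
#!/bin/sh
# Added example, not code from wenxian or its workflow: reproduces the
# injection pattern the advisory describes with a stub in place of the real
# tool, and contrasts it with the documented mitigation (pass the expression
# through an environment variable, never into script text).

# Stand-in for the identifier lookup; it only reports the argument it received.
lookup_tool() {
    printf 'lookup: %s\n' "$1"
}

# Constructed attacker-controlled comment body. A benign comment would be a
# bare identifier such as 10.1000/xyz123; this one closes the quoted argument,
# runs its own command, then reopens the quotes so the script stays valid.
INJECTED_BODY='10.1000/xyz123"; echo PWNED:$(id -un); echo "'

# Vulnerable pattern, equivalent to
#   run: lookup_tool "${{ github.event.comment.body }}"
# Actions substitutes the expression into the script text before the shell
# parses it, so the attacker's quotes and semicolons become shell syntax.
vulnerable_step() {
    body="$1"
    script="lookup_tool \"$body\""   # textual substitution, as the runner does
    eval "$script"                   # the runner then hands that text to the shell
}

# Hardened pattern, equivalent to
#   env:
#     COMMENT_BODY: ${{ github.event.comment.body }}
#   run: lookup_tool "$COMMENT_BODY"
# The expression lands in a variable's value, never in script text, so the
# shell treats the whole comment as one opaque argument.
safe_step() {
    COMMENT_BODY="$1"
    lookup_tool "$COMMENT_BODY"
}

# Count how often the injected command actually executed for a given step.
count_pwned() {
    "$1" "$INJECTED_BODY" | grep -c '^PWNED:' || true
}

printf '%s\n' '--- vulnerable step ---'
vulnerable_step "$INJECTED_BODY"
printf '%s\n' '--- hardened step ---'
safe_step "$INJECTED_BODY"
```

Running it shows the vulnerable step executing the injected command once and the hardened step printing the whole comment, quotes and all, as a single argument. The same reasoning applies to every other attacker-controlled event field (issue title and body, pull request title, branch names, commit messages): anything interpolated with ${{ }} into a run: step is shell syntax, so it must go through env: or an action input instead.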
Details
- CWE(s): CWE-77 (Improper Neutralization of Special Elements used in a Command), CWE-78 (Improper Neutralization of Special Elements used in an OS Command)
Affected Products
- wenxian, versions 0.3.1 and prior (the repository's GitHub Actions workflow)
MITRE ATT&CK Enterprise Techniques
- T1677 Poisoned Pipeline Execution
- T1190 Exploit Public-Facing Application
- T1059.004 Command and Scripting Interpreter: Unix Shell
Why these techniques?
Command injection in a GitHub Actions workflow, reachable by anyone who can comment on an issue, maps to poisoned pipeline execution (T1677) because the attacker changes what the CI pipeline runs; to exploitation of a public-facing application (T1190) because the entry point is an Internet-facing interface that needs no privileges in the project; and to Unix shell execution (T1059.004) because the payload is interpreted by the runner's shell.