Description

mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mise command and no higher-priority GitHub token environment variable is set. This vulnerability is fixed in 2026.6.4.

Severity (CVSS)

Base score6.3
SeverityMedium
VersionCVSS 3.1
VectorCVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
Provided byCNA

Weaknesses

  • CWE-78 — CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')

Affected products

VendorProductVersions
jdxmise< 2026.6.4

References

Authoritative sources

This page is a snapshot. For the latest enrichment and updates, view the record on CVE.org or the NVD.

Generated from the official CVE List on 27 Jun 2026 07:02 UTC.