Platform
github-enterprise
Component
wenxian
Fixed in
0.3.2
CVE-2026-34243 describes a command injection vulnerability affecting wenxian versions 0.3.1 and earlier. The flaw is in a GitHub Actions workflow in the repository, which interpolates untrusted user input (the body of an issue comment) directly into a shell command, so an attacker can execute arbitrary commands on the runner and compromise the integrity and availability of the runner and anything it can reach. The analysis below was written when no public patch existed; the metadata above lists 0.3.2 as the fixed version, so confirm that release against the upstream advisory before relying on it.
CVE-2026-34243 in wenxian, a tool for generating BibTeX files, presents a critical risk because it leads to arbitrary command execution. In versions 0.3.1 and earlier, a GitHub Actions workflow interpolates the untrusted body of an issue comment (`issue_comment.body`, reached in the workflow as `github.event.comment.body`) directly into a shell command. Because `${{ }}` expressions are expanded into the script text before the shell parses it, the attacker controls part of the script itself, and quoting inside the `run:` block does not prevent the injection. With a CVSS score of 9.8 the severity is critical: successful exploitation gives full control of the runner, exposes the job's `GITHUB_TOKEN` and any secrets the job can read, and lets the attacker use the runner as a foothold for further attacks. At the time of the original analysis no patch was public, which is why the immediate mitigations below were recommended.
The vulnerability is triggered through the body of a comment on a GitHub issue. Workflows triggered by `issue_comment` run from the repository's default branch and fire for any user who can comment, which on a public repository means any GitHub account, so no special access is required. An attacker opens or comments on an issue with a body that closes the quoting in the command and appends commands of their own; the workflow, which uses the comment without validation, executes them in the runner's shell. From there the attacker can read files, run system commands, and reach anything the job's credentials can reach. The ease of exploitation, combined with the high severity, makes this vulnerability particularly concerning.
Exploit Status
EPSS
0.23% (46th percentile)
CISA SSVC
While the original analysis found no official patch for CVE-2026-34243 (the metadata above lists 0.3.2 as the fixed version, so upgrade once you have confirmed that release addresses the workflow), the risk sits in the repository's GitHub Actions workflow rather than in the BibTeX generation itself, so mitigation targets the workflow. As a temporary measure, disable the affected workflow or change it so that `issue_comment.body` never appears inside a `run:` script: bind the value to an environment variable with `env:` and reference it from the script as a quoted variable such as `"$COMMENT_BODY"`, so the shell only ever sees it as data. Validating and sanitizing the comment body before use is an additional defense, but on its own it is hard to get right and does not guarantee that every injection is blocked. Monitor the wenxian repository for updates and apply the fixed release as soon as it is available. Reviewing other workflows for the same pattern, untrusted event data (comment bodies, issue titles, pull request branch names) expanded directly into shell steps, is good security practice.
No fixed version was available at the time of publication (the metadata above now lists 0.3.2 as the fixed version). Until a patched version is confirmed, avoid using the GitHub Action. As a mitigation, validate and sanitize the `issue_comment.body` input before it is used in a shell command, or better, pass it through an environment variable instead of interpolating it into the script.
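The injection mechanism and the environment-variable mitigation described above, as an added example that is not wenxian's own workflow or code: the first function reproduces what happens when a `${{ }}` expression is expanded into a `run:` script, and the second shows the fix of binding the value through `env:`. The `wenxian` invocation in the comments is illustrative only, the attacker comment is constructed, and the character allowlist in `is_safe_identifier` is an assumption about what DOI/PMID-style identifiers look like, not the project's validation rule.

```shell
#!/usr/bin/env sh
# Added example (not wenxian's code): reproduces the injection class from the
# advisory and the env-binding fix. Workflow fragments below are an assumed
# shape, not the project's actual file.
#
# Vulnerable pattern: the expression is pasted into the script source.
#   on: issue_comment
#   jobs:
#     bib:
#       steps:
#         - run: wenxian "${{ github.event.comment.body }}"
# Actions expands ${{ }} before the shell parses the script, so the quotes
# in the run: line offer no protection.
#
# Hardened pattern: bind the value to an environment variable instead.
#         - env:
#             COMMENT_BODY: ${{ github.event.comment.body }}
#           run: wenxian "$COMMENT_BODY"

# Constructed attacker comment: closes the quote, runs a command, reopens it.
PAYLOAD='10.1000/xyz"; echo INJECTED; echo "'

# Emulates the vulnerable step: the comment body becomes part of the script text.
vulnerable_step() {
    script="echo processing \"$1\""
    sh -c "$script"
}

# Emulates the hardened step: the comment body reaches the shell only as data.
hardened_step() {
    COMMENT_BODY="$1" sh -c 'echo processing "$COMMENT_BODY"'
}

# Optional allowlist as a second layer (assumption: identifiers such as DOIs
# and PMIDs need only these characters; adjust to the real identifier format).
is_safe_identifier() {
    case "$1" in
        ''|*[!A-Za-z0-9./_:-]*) return 1 ;;
        *) return 0 ;;
    esac
}

echo "--- vulnerable step ---"
vulnerable_step "$PAYLOAD"
echo "--- hardened step ---"
hardened_step "$PAYLOAD"
```

Run it with `sh`: the vulnerable step prints `INJECTED` on its own line, while the hardened step prints the payload verbatim as the argument. The allowlist is deliberately secondary: real DOIs can contain characters such as parentheses and semicolons that it would reject, so binding through `env:` is the fix and validation is only defense in depth.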
wenxian is a tool that generates BibTeX files from identifiers such as DOI, PMID, or article titles.
The vulnerability allows arbitrary command execution on the GitHub Actions runner, which exposes the runner, the secrets available to the job, and any data the job can reach.
Disable the affected workflow or implement strict input validation until a patch is released.
The original analysis reported no publicly available patch; the page metadata lists 0.3.2 as the fixed version.
Never interpolate untrusted input (such as `${{ github.event.comment.body }}`) directly into a `run:` script; pass it through an environment variable and quote it in the script, and validate user input only as an additional layer.
CVSS Vector