Platform: javascript
Component: mise
Fixed in: 2026.2.19
CVE-2026-35533 is a high-severity vulnerability affecting Mise, a dev tool manager for Node, Python, CMake, and Terraform. This vulnerability arises from Mise loading trust-control settings from local project .mise.toml files before performing trust checks. An attacker can exploit this by placing a malicious .mise.toml file in a repository, potentially leading to arbitrary code execution. Affected versions include those between 2026.2.18 and 2026.4.5, inclusive; a fix is available in a patched version.
The impact of CVE-2026-35533 is significant. An attacker who can inject a malicious .mise.toml file into a repository used by developers can gain control over the execution environment. This could allow them to execute arbitrary commands, steal sensitive data (API keys, credentials), or even compromise the entire development pipeline. The [env] _.source, templates, hooks, or tasks directives within the .mise.toml file provide avenues for malicious code injection. This vulnerability resembles supply chain attacks where malicious code is introduced through trusted dependencies or configuration files.
CVE-2026-35533 was publicly disclosed on 2026-04-07. The vulnerability's CVSS score of 7.8 (HIGH) indicates a significant risk. There are currently no publicly available proof-of-concept exploits, but the ease of injecting a malicious .mise.toml file suggests that exploitation is likely. It is not currently listed on CISA KEV. Active campaigns are not yet confirmed, but the vulnerability's nature makes it a potential target for supply chain attacks.
Developers using Mise to manage their dev tools are at risk, particularly those working in environments where they regularly clone repositories from external sources. Teams relying on shared repositories or automated build processes are especially vulnerable, as a malicious .mise.toml file could be silently introduced into their workflow. Users of older Mise versions who haven't implemented strict code review practices are also at increased risk.
• javascript / supply-chain:
Get-ChildItem -Path $env:USERPROFILE\Documents\*.mise.toml -Recurse | Select-String -Pattern '_.source = ' -SimpleMatch -ErrorAction SilentlyContinue
• javascript / supply-chain:
Get-ScheduledTask | Where-Object {$_.TaskName -like '*mise*'} | Format-List TaskName, Actions
• generic web:
curl -I https://your-mise-installation/ | grep -i 'Content-Type: application/toml'
EPSS: 0.01% (2nd percentile)
The primary mitigation for CVE-2026-35533 is to upgrade to a patched version of Mise. Until an upgrade is possible, carefully scrutinize .mise.toml files from untrusted sources before incorporating them into your projects. Consider implementing a code review process specifically for these configuration files. If you are using a version control system, implement checks to prevent unauthorized modifications to .mise.toml files. As a temporary workaround, you could restrict the directories from which Mise loads .mise.toml files, though this may impact functionality. After upgrading, verify the fix by attempting to load a known malicious .mise.toml file and confirming that it is rejected.
Upgrade to a mise version later than 2026.4.5. This update fixes the vulnerability by strengthening the trust controls so that malicious configurations are not loaded from local .mise.toml files.
CVE-2026-35533 is a high-severity vulnerability in Mise, a dev tool manager, allowing attackers to inject malicious TOML code via .mise.toml files, potentially leading to arbitrary code execution.
You are affected if you are using Mise versions 2026.2.18 through 2026.4.5 and have not upgraded to a patched version.
Upgrade to a patched version of Mise. Until then, carefully review .mise.toml files from untrusted sources.
While no public exploits are currently known, the vulnerability's nature makes it a potential target for supply chain attacks.
Refer to the official Mise project's security advisories for the most up-to-date information and patch details.