CVE-2026-55441
Published 2026-06-26
Priority P347 · Severity high · CVSS 3.1 base score 8.6 (vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H)
EPSS 0.18% (8.2nd percentile)
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files (mise.toml, .tool-versions) through trust_check, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (mise-tasks/, .mise/tasks/, …) but no config file, mise falls back to the default includes and renders each task's tera fields, and that tera environment has exec() registered. A {{ exec(command='…') }} in any rendered field runs arbitrary commands the moment the tasks are merely listed. There is no config file to gate on, so no trust prompt ever appears. Read-only commands trigger it: mise tasks, mise task ls, mise run, mise tasks --usage (the query that shell completion runs on Tab). The victim only has to cd into a cloned repo and list or tab-complete a task. This vulnerability is fixed in 2026.6.4.
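The description above gives a practitioner two things to check before running any mise command inside a freshly cloned repository: is the installed mise older than 2026.6.4, and does the checkout contain a task-include directory with no config file for the trust prompt to gate on, with a tera exec() call inside one of its task files. The following audit script is an added example, not code from the mise project or the advisory. It assumes only the two include directories the advisory names (the advisory's "…" means the real list is longer), the two config-file names the advisory names, that the first token of `mise --version` output is the version string, and that exec() can be spotted with a regex over `{{ … }}` / `{% … %}` blocks; which task-header fields mise actually renders is not stated on the page, so the constructed sample places the call in a `#MISE description` header purely as an illustration.

```python
"""Pre-clone / pre-cd audit for CVE-2026-55441 (added example, not mise's own code)."""
import re
import sys
import tempfile
from pathlib import Path

# Fix shipped in 2026.6.4; mise uses YYYY.M.P calendar versions.
FIXED_VERSION = (2026, 6, 4)
# Assumption: only the two include dirs named in the advisory are checked.
TASK_INCLUDE_DIRS = ("mise-tasks", ".mise/tasks")
# Config files the trust prompt gates on, per the advisory.
CONFIG_FILES = ("mise.toml", ".tool-versions")
# Matches exec( inside a tera expression {{ ... }} or statement {% ... %}.
EXEC_RE = re.compile(r"\{[{%].*?\bexec\s*\(.*?[}%]\}", re.S)


def parse_version(text: str) -> tuple:
    """Turn '2026.6.3 ...' (first token of `mise --version`, assumed) into (2026, 6, 3)."""
    token = text.strip().split()[0]
    if token.startswith("v"):
        token = token[1:]
    return tuple(int(p) for p in token.split(".")[:3])


def is_vulnerable_version(text: str) -> bool:
    return parse_version(text) < FIXED_VERSION


def find_exec_calls(repo: Path) -> list:
    """Return (relative path, matched template) for every exec() in a task-include dir."""
    hits = []
    for d in TASK_INCLUDE_DIRS:
        base = repo / d
        if not base.is_dir():
            continue
        for f in sorted(base.rglob("*")):
            if not f.is_file():
                continue
            try:
                text = f.read_text(errors="replace")
            except OSError:
                continue
            for m in EXEC_RE.finditer(text):
                hits.append((str(f.relative_to(repo)), m.group(0)))
    return hits


def audit(repo, mise_version: str) -> dict:
    """Combine the version check with the config-less task-include check."""
    repo = Path(repo)
    has_config = any((repo / c).is_file() for c in CONFIG_FILES)
    has_includes = any((repo / d).is_dir() for d in TASK_INCLUDE_DIRS)
    exec_calls = find_exec_calls(repo)
    vulnerable = is_vulnerable_version(mise_version)
    ungated = has_includes and not has_config  # the exact shape the advisory describes
    return {
        "vulnerable_version": vulnerable,
        "has_config": has_config,
        "has_task_includes": has_includes,
        "ungated": ungated,
        "exec_calls": exec_calls,
        "risk": vulnerable and ungated and bool(exec_calls),
    }


def make_demo_repo(with_config: bool = False) -> Path:
    """Constructed sample checkout (not a real project): one file task under
    mise-tasks/ whose header carries a tera exec() call, and no config file
    unless with_config is set."""
    repo = Path(tempfile.mkdtemp(prefix="mise-audit-"))
    tasks = repo / "mise-tasks"
    tasks.mkdir()
    (tasks / "build").write_text(
        "#!/usr/bin/env bash\n"
        "#MISE description=\"build {{ exec(command='id') }}\"\n"  # placement is illustrative
        "echo building\n"
    )
    if with_config:
        (repo / "mise.toml").write_text('[tools]\nnode = "22"\n')
    return repo


if __name__ == "__main__":
    # Usage: python audit.py <repo dir> "$(mise --version)"
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else make_demo_repo()
    version = sys.argv[2] if len(sys.argv) > 2 else "2026.6.3"
    report = audit(target, version)
    for path, tmpl in report["exec_calls"]:
        print(f"exec() in task file {path}: {tmpl}")
    print("RISK: do not run mise here" if report["risk"] else "no matching exposure found")
```

Run it against the checkout before changing directory into it; the script itself never invokes mise, so it is safe to point at an untrusted clone. A hit in `exec_calls` with `ungated` true is exactly the pre-condition the advisory describes, and the only remediation is upgrading to 2026.6.4 or removing the task-include files before listing or tab-completing tasks.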
Affected
1 range
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| jdx | mise | < 2026.6.4 | 2026.6.4 |
VulDB
CVE-2026-55441 [HIGH] jdx mise up to 2026.6.3 Config File mise.toml exec os command injection (vuldb · 2026-06-26 · CVSS 8.6)
A vulnerability was found in jdx mise up to 2026.6.3. It has been classified as critical. This issue affects the function exec of the file mise.toml of the component Config File Handler. This manipulation causes os command injection.
This vulnerability appears as CVE-2026-55441. The attack requires local access. There is no available exploit.
Upgrading the affected component is recommended.
GHSA
CVE-2026-55441 [HIGH] CWE-732 Mise vulnerable to arbitrary command execution via task-include files in an untrusted, config-less repository (ghsa · 2026-06-23)
### Summary
mise's trust feature gates config files (`mise.toml`, `.tool-versions`) through `trust_check`, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (`mise-tasks/`, `.mise/tasks/`, …) but no config file, mise falls back to the default includes and renders each task's tera fields — and that tera environment has `exec()` registered. A `{{ exec(command='…') }}` in any rendered field runs arbitrary commands the moment the tasks are merely listed. There's no config file to gate on, so no trust prompt ever appears. Read-only commands trigger it: `mise tasks`, `mise task ls`, `mise run`, `mise tasks --usage` (the query she
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.