Jdx Mise vulnerabilities
5 known vulnerabilities affecting jdx/mise.
Total CVEs: 5
CISA KEV: 0
Public exploits: 0
Exploited in wild: 0
Severity breakdown: CRITICAL 1, HIGH 2, MEDIUM 2
Vulnerabilities
CVE-2026-33646 [CRITICAL] P2, CVSS 9.6, CWE-94, fixed in 2026.3.10, 2026-06-26
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode.
nvd
CVE-2026-55441 [HIGH] P3, CVSS 8.6, CWE-78, fixed in 2026.6.4, 2026-06-26
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files (mise.toml, .tool-versions) through trust_check, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (mise-tasks/, .mise/tasks/, …) but no config file, mise falls back to the d
nvd
CVE-2026-35533 [HIGH] P3, CVSS 7.8, CWE-284, versions >= 2026.2.18, <= 2026.4.5, 2026-04-07
mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.sourc
ghsa, nvd, osv
CVE-2026-55448 [MEDIUM] P3, CVSS 6.3, CWE-78, fixed in 2026.6.4, 2026-06-26
mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the
nvd
CVE-2026-54557 [MEDIUM] P4, CVSS 5.5, CWE-22, fixed in 2026.6.1, 2026-06-26
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if tha
nvd