PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-41249 coreshop CVE debrief

CVE-2026-41249 is a high-severity vulnerability in CoreShop, an eCommerce solution built on Pimcore. It allows Remote Code Execution (RCE) via a malicious Pull Request. CoreShop versions 5.0.1 through 5.1.0-beta.1 are affected. The GitHub Actions workflow (.github/workflows/static.yml) uses the pull_request_target trigger, which runs in the context of the base repository (with access to its secrets and token), but checks out the unverified code from the pull request head (ref: ${{ github.event.pull_request.head.ref }}). It then executes a script (bin/console) from this untrusted checkout. As a result, any external attacker can achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request.

Vendor: coreshop
Product: Unknown
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-04
Original CVE updated: 2026-06-08
Advisory published: 2026-06-04
Advisory updated: 2026-06-08

Who should care

Users of CoreShop versions 5.0.1 through 5.1.0-beta.1, administrators of GitHub Actions workflows, and security teams monitoring for RCE vulnerabilities in eCommerce solutions.

Technical summary

The vulnerability is caused by the use of the pull_request_target trigger in the GitHub Actions workflow (.github/workflows/static.yml), which checks out unverified code from the pull request head and executes a script (bin/console) from that untrusted checkout. Because pull_request_target jobs run with the base repository's privileges, an external attacker can achieve Remote Code Execution (RCE) on the GitHub Actions runner by submitting a malicious Pull Request.

Defensive priority

High

Recommended defensive actions

  • Update CoreShop to a version that fixes the vulnerability.
  • Review and modify the GitHub Actions workflow (.github/workflows/static.yml) so that pull requests are handled safely: code from the pull request head must not be executed under the pull_request_target trigger.
  • Implement additional security measures to monitor and restrict execution of scripts from untrusted sources.
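The following is an added example, not code from the advisory or from the CoreShop project. It embeds two constructed workflow fragments: one reproducing the pattern described above (pull_request_target, a checkout of the pull request head, then a run step from that checkout) and a hardened variant that uses the plain pull_request trigger, which runs fork code with a read-only token and no repository secrets. A small line-oriented audit function, suitable for scanning a repository's .github/workflows directory, flags the dangerous combination so the review step in the recommended actions can be automated. The workflow contents and the `some:command` argument are hypothetical.

```python
import re

# Constructed sample reproducing the advisory's pattern. Hypothetical
# workflow text, not CoreShop's actual static.yml.
VULNERABLE_WORKFLOW = """\
name: static
on:
  pull_request_target:
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
          repository: ${{ github.event.pull_request.head.repo.full_name }}
      - run: bin/console some:command
"""

# Constructed hardened variant: pull_request (not _target) runs a fork's code
# with a read-only GITHUB_TOKEN and no secrets, and persist-credentials: false
# keeps the token out of the checked-out working tree.
HARDENED_WORKFLOW = """\
name: static
on:
  pull_request:
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - run: bin/console some:command
"""

# Trigger written either as a mapping key or inside an inline "on:" list.
TRIGGER_RE = re.compile(r"^\s*(-\s*)?pull_request_target\b|^\s*on\s*:.*\bpull_request_target\b")
# Any reference to the PR head (ref, sha, repo) in a checkout step.
HEAD_REF_RE = re.compile(r"github\.event\.pull_request\.head\.")
CHECKOUT_RE = re.compile(r"^\s*-\s*uses:\s*actions/checkout")
STEP_RE = re.compile(r"^\s*-\s")          # start of the next list item / step
RUN_RE = re.compile(r"^\s*-?\s*run\s*:")  # a shell step


def audit_workflow(text: str) -> list[str]:
    """Return findings for one workflow file's text.

    This is a dependency-free heuristic, not a full YAML parse. It reports
    (a) a checkout that references the pull request head while the workflow
    is triggered by pull_request_target, and (b) every run step after that
    checkout, since those execute code the PR author controls with the base
    repository's privileges.
    """
    lines = text.splitlines()
    if not any(TRIGGER_RE.match(line) for line in lines):
        return []  # plain pull_request: untrusted code gets no secrets

    findings: list[str] = []
    untrusted_checkout = None
    i = 0
    while i < len(lines):
        line = lines[i]
        if CHECKOUT_RE.match(line):
            # Inspect this step's "with:" block, which ends at the next step.
            j = i + 1
            while j < len(lines) and not STEP_RE.match(lines[j]):
                if HEAD_REF_RE.search(lines[j]):
                    untrusted_checkout = i + 1
                    findings.append(
                        f"line {i + 1}: checkout of pull request head under pull_request_target"
                    )
                    break
                j += 1
            i = j
            continue
        if untrusted_checkout is not None and RUN_RE.match(line):
            findings.append(
                f"line {i + 1}: run step executes code from untrusted checkout (line {untrusted_checkout})"
            )
        i += 1
    return findings


if __name__ == "__main__":
    for name, wf in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, "->", audit_workflow(wf) or "no findings")
```

Pointing `audit_workflow` at each file under `.github/workflows/` gives a quick first pass; a finding means the job should either switch to the pull_request trigger or keep pull_request_target while checking out only the base branch and never running scripts from the PR head.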

Evidence notes

CVE-2026-41249 has a CVSS score of 8.2 and is classified as HIGH severity. The vulnerability is exploitable remotely with low attack complexity and requires no user interaction.

Official resources

CVE-2026-41249 was published on 2026-06-04T20:16:57.797Z and modified on 2026-06-08T20:17:00.970Z.