PatchSiren cyber security CVE debrief
CVE-2026-47174 duck-organization CVE debrief
CVE-2026-47174 is a critical vulnerability in Duck Site, a software product with an unknown vendor. The vulnerability has a CVSS score of 9.5 and a severity of CRITICAL. The issue arises from the deploy workflow in Duck Site, which runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. An attacker can exploit this vulnerability by making a pull request build satisfy the deploy workflow's main branch condition, allowing attacker-controlled pull request code to become the deployed production site image without being merged.
- Vendor: duck-organization
- Product: duck-site
- CVSS: CRITICAL 9.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of Duck Site before version 1.0.1 should be aware of this vulnerability and take immediate action to patch their systems.
Technical summary
The vulnerability is caused by the deploy workflow in Duck Site, which runs with elevated permissions and allows an attacker to deploy malicious code to production without merging it. The issue has been patched in version 1.0.1.
Defensive priority
high
Recommended defensive actions
- Upgrade to Duck Site version 1.0.1 or later.
- Review and restrict deploy workflow permissions.
- Monitor for suspicious pull requests and deployments.
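One way to express the deploy-side check behind "Review and restrict deploy workflow permissions", as an added example rather than Duck Site's own workflow or its 1.0.1 fix. It assumes the build and deploy workflows are GitHub Actions workflows chained with a workflow_run trigger, which this page does not state; the repository slug, both gate functions and the sample events are constructed for illustration.

```python
# Added example: deploy gate evaluated over workflow_run-style event payloads.
# Assumptions: GitHub Actions "workflow_run" payload field names; the repository
# slug and both sample events are constructed for illustration.
TRUSTED_REPO = "duck-organization/duck-site"  # constructed from vendor/product
TRUSTED_BRANCH = "main"


def branch_only_gate(event):
    """Hypothetical weak gate: trusts the branch name of the triggering build."""
    run = event.get("workflow_run") or {}
    return run.get("conclusion") == "success" and run.get("head_branch") == TRUSTED_BRANCH


def hardened_gate(event):
    """Return (allowed, reasons). Deploy only for a push build of the trusted
    repository's own main branch; every failed condition is reported."""
    run = event.get("workflow_run") or {}
    head_repo = (run.get("head_repository") or {}).get("full_name")
    reasons = []
    if run.get("conclusion") != "success":
        reasons.append("build did not succeed")
    if run.get("event") != "push":
        reasons.append("build trigger was %r, expected 'push'" % run.get("event"))
    if head_repo != TRUSTED_REPO:
        reasons.append("build source was %r, expected %r" % (head_repo, TRUSTED_REPO))
    if run.get("head_branch") != TRUSTED_BRANCH:
        reasons.append("branch was %r, expected %r" % (run.get("head_branch"), TRUSTED_BRANCH))
    return (not reasons, reasons)


# Constructed sample events (not taken from the advisory).
PUSH_BUILD = {"workflow_run": {
    "conclusion": "success", "event": "push", "head_branch": "main",
    "head_repository": {"full_name": "duck-organization/duck-site"}}}
PR_BUILD = {"workflow_run": {
    "conclusion": "success", "event": "pull_request", "head_branch": "main",
    "head_repository": {"full_name": "contributor/duck-site"}}}

if __name__ == "__main__":
    for name, ev in (("push build", PUSH_BUILD), ("pull request build", PR_BUILD)):
        allowed, reasons = hardened_gate(ev)
        print(name, "| branch-only:", branch_only_gate(ev),
              "| hardened:", allowed, reasons)
```

The same conditions can be logged on every deploy run, so a deployment whose triggering build was not a push to the trusted repository shows up in monitoring.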
Evidence notes
The vulnerability was patched in version 1.0.1 of Duck Site.
Official resources
- CVE-2026-47174 CVE record (CVE.org)
- CVE-2026-47174 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-47174 was published on 2026-06-11T19:16:45.557Z and modified on 2026-06-11T21:16:22.033Z.