PatchSiren cyber security CVE debrief
CVE-2026-48546 lingdojo CVE debrief
CVE-2026-48546 is a high-severity vulnerability in KanaDojo, a linguistic tool, that allows attackers to execute arbitrary code. The defect is that the issue-auto-respond.yml workflow explicitly passes the global require function into a Node.js vm.runInNewContext() sandbox context. An attacker can therefore submit a pull request that modifies messages.cjs to import arbitrary Node.js modules, bypassing the sandbox and achieving remote code execution with the full privileges of the GitHub Actions runner, including access to AUTOMATION_PR_TOKEN.
- Vendor: lingdojo
- Product: kana-dojo
- CVSS: HIGH 8.5
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-11
- Original CVE updated: 2026-06-11
- Advisory published: 2026-06-11
- Advisory updated: 2026-06-11
Who should care
Users of KanaDojo before version 0.1.18, GitHub Actions users with AUTOMATION_PR_TOKEN access, and security teams monitoring for potential remote code execution vulnerabilities.
Technical summary
The vulnerability is caused by the insecure use of Node.js vm.runInNewContext() in KanaDojo's issue-auto-respond.yml workflow. Because the workflow hands the host's require function to the sandbox context, an attacker who modifies messages.cjs in a pull request can import arbitrary Node.js modules from inside the sandbox and execute code on the runner.
Defensive priority
High
Recommended defensive actions
- Update KanaDojo to version 0.1.18 or later.
- Review and restrict the use of AUTOMATION_PR_TOKEN in GitHub Actions workflows.
- Monitor for suspicious pull requests and code modifications in KanaDojo.
Evidence notes
The CVE record and NVD detail provide official information on the vulnerability. Additional sources include the GitHub commit and release notes for the patched version.
Official resources
CVE-2026-48546 was published on 2026-06-11T18:16:26.390Z and modified on 2026-06-11T20:59:55.650Z.