Vulnerability Information
Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)
Vulnerability Description
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode. This means an attacker can place a malicious .tool-versions file in a git repository, and when a victim with mise activated cds into the directory, arbitrary commands execute without any trust prompt. This vulnerability is fixed in 2026.3.10.
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Vulnerability Title
jdx mise 代码注入漏洞
Vulnerability Description
jdx mise是jdx个人开发者开源的一个多语言版本管理器。 jdx mise 2026.3.10之前版本存在代码注入漏洞,该漏洞源于解析.tool-versions文件时通过Tera模板引擎处理并注册了exec()函数,可能导致任意命令执行,攻击者可放置恶意文件在受害者切换目录时触发命令执行而无信任提示。
CVSS Information
N/A
Vulnerability Type
N/A