Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

CVE-2026-33646— mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)

CVSS 9.6 · Critical EPSS 0.69% · P48

Affected Version Matrix 1

VendorProductVersion RangeStatus
jdxmise< 2026.3.10affected
Get alerts for future matching vulnerabilitiesLog in to subscribe

I. Basic Information for CVE-2026-33646

Vulnerability Information

Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗

Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.

Vulnerability Title
mise: Arbitrary Code Execution via Tera Templates in .tool-versions Files (Trust Bypass)
Source: NVD (National Vulnerability Database)
Vulnerability Description
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode. This means an attacker can place a malicious .tool-versions file in a git repository, and when a victim with mise activated cds into the directory, arbitrary commands execute without any trust prompt. This vulnerability is fixed in 2026.3.10.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Source: NVD (National Vulnerability Database)
Vulnerability Type
对生成代码的控制不恰当(代码注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
jdx mise 代码注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
jdx mise是jdx个人开发者开源的一个多语言版本管理器。 jdx mise 2026.3.10之前版本存在代码注入漏洞,该漏洞源于解析.tool-versions文件时通过Tera模板引擎处理并注册了exec()函数,可能导致任意命令执行,攻击者可放置恶意文件在受害者切换目录时触发命令执行而无信任提示。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)

Affected Products

VendorProductAffected VersionsCPESubscribe
jdxmise < 2026.3.10 -

II. Public POCs for CVE-2026-33646

#POC DescriptionSource LinkShenlong Link
AI-Generated POCPremium

No public POC found.

Login to generate AI POC

III. Intelligence Information for CVE-2026-33646

登录查看更多情报信息。

Vendor Advisories for CVE-2026-33646 (1)

Same Patch Batch · jdx · 2026-06-26 · 4 CVEs total

CVE-2026-554418.6 HIGHmise: Arbitrary command execution via task-include files in an untrusted, config-less repo
CVE-2026-554486.3 MEDIUMmise: Local credential_command executes untrusted config
CVE-2026-545575.5 MEDIUMmise HTTP backend uses raw version path for install symlink destination

IV. Related Vulnerabilities

V. Comments for CVE-2026-33646

No comments yet


Leave a comment