LeakyCreds
NewInstant webhook alerts now available ā€” notified within seconds of any credential detection.Learn more ā†’
Home / Vulnerability Intelligence / CVE-2026-34243

CVE-2026-34243 - Vulnerability Analysis

CriticalCVSS: 9.8

Last Updated: March 31, 2026

wenxian - Command Injection

Published: March 31, 2026Updated: March 31, 2026Remote Exploitable

Overview

wenxian <= 0.3.1 contains a command injection caused by untrusted user input from issue_comment.body used directly in a shell command in GitHub Actions workflow, letting attackers execute arbitrary code on the runner, exploit requires crafted issue comment.

Severity & Score

Severity: Critical
CVSS Score: 9.8
EPSS Score: 0.0%(Probability of exploitation in next 30 days)

Impact

Attackers can execute arbitrary code on the GitHub Actions runner, potentially compromising the CI environment.

Mitigation

Update to the latest version once a patch is available or apply mitigations to sanitize inputs in the workflow.

References

Social Media Activity(4 posts)

TheHackerWire
TheHackerWire
@thehackerwire
Mar 31, 2026

šŸ”“ CVE-2026-34243 - Critical (9.8) wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allo... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-34243/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 31, 2026

šŸ”“ CVE-2026-34243 - Critical (9.8) wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allo... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-34243/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 31, 2026

šŸ”“ CVE-2026-34243 - Critical (9.8) wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allo... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-34243/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post
TheHackerWire
TheHackerWire
@thehackerwire
Mar 31, 2026

šŸ”“ CVE-2026-34243 - Critical (9.8) wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allo... šŸ”— https://www.thehackerwire.com/vulnerability/CVE-2026-34243/ #CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

View original post

Related Resources

Details

CVE ID
CVE-2026-34243
Severity
Critical
CVSS Score
9.8
Type
command_injection
Status
new
EPSS
0.0%
Social Posts
4

CWE

  • CWE-77

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score

0.0%Probability of exploitation in the next 30 days