CVE-2026-55448
🔶 mediumSummary
mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credential_command from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mise command and no higher-priority GitHub token environment variable is set. This vulnerability is fixed in 2026.6.4.
CVSS Score
6.3
Medium
EPSS Score
-
Published Date
2026-06-26
First Seen: 2026-06-27
📊 Relative Risk Intelligence
This CVE is Lower Risk - more severe than 39.2% of all 330,193 vulnerabilities in our database.
#200,736
Below average severity
Severity Percentile
Last Modified
2026-06-26
Source
NVD 🔗
CVSS Vector 3.1
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N
CWE IDs (Weakness Types)