Home

Description

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.

PUBLISHED Reserved 2026-04-20 | Published 2026-04-24 | Updated 2026-04-27 | Assigner GitHub_M




HIGH: 7.4CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Problem types

CWE-94: Improper Control of Generation of Code ('Code Injection')

Product status

< bf63404ad51985b00ed304690ba9d477860a5a75
affected

References

github.com/...s/skim/security/advisories/GHSA-9g93-rxr5-xhqw exploit

drive.google.com/...d/1Gj7ziTK42YWXYoQgTbis_rMitHR59J6F/view exploit

github.com/...s/skim/security/advisories/GHSA-9g93-rxr5-xhqw

github.com/...ommit/bf63404ad51985b00ed304690ba9d477860a5a75

cve.org (CVE-2026-41414)

nvd.nist.gov (CVE-2026-41414)

Download JSON