Arbitrary Command Execution in Mise Development Tool by JDX
CVE-2026-33646

9.6 CRITICAL

Key Information:

Vendor: JDX
Status: Vendor
CVE Published: 26 June 2026

What is CVE-2026-33646?

Mise, the development tooling manager by JDX, allows arbitrary command execution through untrusted .tool-versions files. Before version 2026.3.10, the Tera template engine that mise uses while parsing these files registered the exec() function in non-paranoid mode without first checking that the file came from a trusted source. An attacker can place a malicious .tool-versions file in a git repository; when a user who has mise activated changes into that directory, the commands in the file run without any trust prompt. The issue is fixed in version 2026.3.10.
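A defender can check for this issue from two directions: confirm whether the installed mise predates the fixed release, and audit checkouts for .tool-versions files that carry template syntax at all, since a legitimate file is only "tool version" lines. The script below is an added example, not part of this advisory or of the mise project. It assumes (not stated on the page) that the abused syntax is Tera's `{{ exec(command="...") }}` call and that mise version strings follow the YYYY.M.P calendar form so that 2026.3.10 compares numerically; the sample file bodies are constructed.

```python
"""Defender-side checks for CVE-2026-33646 (mise .tool-versions + Tera exec()).

Added example; assumptions: Tera's ``{{ exec(command="...") }}`` is the
abused call, and mise versions are YYYY.M.P so the fixed release compares
as a tuple of integers.
"""
import re
from pathlib import Path

FIXED_VERSION = (2026, 3, 10)  # advisory: mise < 2026.3.10 is affected

# Tera expression/statement delimiters, and the exec() function name.
TEMPLATE_DELIMS = re.compile(r"\{\{|\{%")
EXEC_CALL = re.compile(r"\bexec\s*\(")


def parse_version(version: str) -> tuple[int, ...]:
    """Turn 'mise 2026.3.9' or 'v2026.3.9' into (2026, 3, 9)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", version)
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in m.groups())


def is_vulnerable(version: str) -> bool:
    """True when the installed mise predates the fixed release."""
    return parse_version(version) < FIXED_VERSION


def scan_tool_versions(text: str) -> list[str]:
    """Return findings for one .tool-versions file body.

    A plain file is 'tool version' lines (with optional # comments); any
    template delimiter is suspicious, and an exec() call is the exact
    pattern this CVE abuses.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        code = line.split("#", 1)[0]  # drop trailing comment
        if not code.strip():
            continue
        if EXEC_CALL.search(code):
            findings.append(f"line {lineno}: exec() template call")
        elif TEMPLATE_DELIMS.search(code):
            findings.append(f"line {lineno}: template syntax in .tool-versions")
    return findings


def scan_repo(root: Path) -> dict[str, list[str]]:
    """Walk a checkout and report every .tool-versions file with findings."""
    report = {}
    for path in root.rglob(".tool-versions"):
        findings = scan_tool_versions(path.read_text(errors="replace"))
        if findings:
            report[str(path.relative_to(root))] = findings
    return report


# Constructed sample inputs (not taken from the advisory).
BENIGN = "nodejs 20.11.0\npython 3.12.2  # pinned for CI\n"
SUSPICIOUS = 'nodejs 20.11.0\npython {{ exec(command="echo 3.12.2") }}\n'

if __name__ == "__main__":
    print("benign:", scan_tool_versions(BENIGN))          # []
    print("suspicious:", scan_tool_versions(SUSPICIOUS))  # exec() finding on line 2
    print("2026.3.9 vulnerable:", is_vulnerable("mise 2026.3.9"))  # True
```

Run `scan_repo(Path("."))` from a repository root to audit a whole checkout before `cd`-ing into it with mise activated; the version check is meant to be fed the output of `mise --version`. Flagging any template delimiter, not only exec(), is deliberate: a version-pin file has no reason to contain templates, so the broader rule costs little and catches variations on the same idea.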

Affected Version(s)

mise < 2026.3.10

CVSS V3.1

Score: 9.6
Severity: CRITICAL
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed

Timeline

  • Vulnerability published
  • Vulnerability reserved