CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration
CVE-2026-41249

8.2HIGH

Key Information:

Vendor

Coreshop

Status
Coreshop
Vendor
CVE Published:
4 June 2026

What is CVE-2026-41249?

CoreShop is a Pimcore enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1,, the GitHub Actions workflow (.github/workflows/static.yml) uses the pull_request_target trigger but dangerously checks out the unverified code from the pull request head (ref: ${{ github.event.pull_request.head.ref }}). Subsequently, it executes a script (bin/console) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability. As of time of publication, pull_request_target is still in the file.

Affected Version(s)

CoreShop >= 5.0.1, <= 5.1.0-beta.1

References

https://github.com/coreshop/CoreShop/security/advisories/...
x_refsource_CONFIRM
https://github.com/coreshop/CoreShop/commit/cc1e3f547228e...
x_refsource_MISC
https://github.com/coreshop/CoreShop/blob/5.1.0-beta.1/.g...
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.