KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml
CVE-2026-48547

8.5 HIGH

Key Information:

Vendor: Lingdojo
Status: Vendor
CVE Published: 11 June 2026

What is CVE-2026-48547?

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands. The version and changes fields of patchNotesData.json are interpolated, unsanitized, into a child_process.execSync() call in the release.yml workflow, so shell metacharacters placed in those fields are executed by the shell. Once a malicious pull request is merged, the workflow runs on a GitHub Actions runner with contents write permissions and access to GITHUB_TOKEN.

Affected Version(s)

kana-dojo 0

References

CVSS V4

Score: 8.5
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Katriel Moses (VulnCheck)