{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-34243", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-26T16:22:29.034Z", "datePublished": "2026-03-31T15:49:27.333Z", "dateUpdated": "2026-04-02T15:21:36.168Z"}, "containers": {"cna": {"title": "wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`", "problemTypes": [{"descriptions": [{"cweId": "CWE-77", "lang": "en", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88"}], "affected": [{"vendor": "njzjz", "product": "wenxian", "versions": [{"version": "<= 0.3.1", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:49:27.333Z"}, "descriptions": [{"lang": "en", "value": "wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-r4fj-r33x-8v88", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-02T15:21:25.262697Z", "id": "CVE-2026-34243", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:21:36.168Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-34243", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-02T15:21:25.262697Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-02T15:21:32.144Z"}}], "cna": {"title": "wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`", "source": {"advisory": "GHSA-r4fj-r33x-8v88", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 9.8, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "njzjz", "product": "wenxian", "versions": [{"status": "affected", "version": "<= 0.3.1"}]}], "references": [{"url": "https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88", "name": "https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-77", "description": "CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-31T15:49:27.333Z"}}}, "cveMetadata": {"cveId": "CVE-2026-34243", "state": "PUBLISHED", "dateUpdated": "2026-04-02T15:21:36.168Z", "dateReserved": "2026-03-26T16:22:29.034Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-31T15:49:27.333Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:njzjz:wenxian:*:*:*:*:*:python:*:*", "matchCriteriaId": "E1B409F9-C4BD-4C59-8278-66ED698B4EB8", "versionEndIncluding": "0.3.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "wenxian is a tool to generate BIBTEX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. At time of publication, there are no publicly available patches."}], "id": "CVE-2026-34243", "lastModified": "2026-04-03T14:38:17.593", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-03-31T16:16:33.253", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Mitigation", "Vendor Advisory"], "url": "https://github.com/njzjz/wenxian/security/advisories/GHSA-r4fj-r33x-8v88"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-77"}, {"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.3.1]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "wenxian", "source": "cna", "vendor": "njzjz"}, "product": "wenxian", "vendor": "njzjz"}], "analysis": {"en": {"generated_at": "2026-04-03T17:51:11.742672+00:00", "value": {"mitigation_remediation": ["Identify and disable all GitHub Actions workflows that invoke wenxian until a fix is available", "Remove the direct use of issue_comment.body in shell commands or apply strict sanitization before execution", "Monitor repository issue comments for suspicious content and block malicious comments", "Check the project\u2019s repository for a newer release of wenxian that addresses the issue and upgrade immediately", "If no patch is forthcoming, consider replacing wenxian with an alternative tool that does not expose a command injection vector"], "summary": {"action": "Disable workflow", "impact": "Remote code execution on GitHub Actions runners"}, "threat_synthesis": {"affected_systems": "The affected product is wenxian, a BibTeX generation tool developed by njzjz. Versions 0.3.1 and all earlier releases contain the flaw. The tool is hosted on GitHub and its workflow runs in the context of the repository\u2019s GitHub Actions runners.", "description_and_impact": "Untrusted content from issue_comment.body is used directly in a shell command in the GitHub Actions workflow of wenxian. The flaw permits an attacker to inject arbitrary shell commands that run on the workflow runner, leading to remote code execution. This vulnerability aligns with CWE\u201177 and CWE\u201178.", "risk_and_exploitability": "The CVSS score is 9.8, indicating a high severity for remote execution. The EPSS score is below 1%, so the overall probability of exploitation in the wild appears low, yet the public nature of the workflow and the minimal requirement of an issue comment mean an attacker can readily trigger it. The vulnerability is not yet listed in CISA\u2019s KEV catalog. The likely attack vector is any user able to post or modify an issue comment in the repository, which the workflow then processes without validation."}}}}, "created": "2026-03-31T19:54:01.442931+00:00", "updated": "2026-04-03T21:17:33.409525+00:00", "vendors": ["njzjz", "njzjz$PRODUCT$wenxian"]}