CVE Alert

CVE-2026-41249

HIGH 8.2

CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration

CVSS Score: 8.2
EPSS Score: 0.1%
EPSS Percentile: 25th

CoreShop is a Pimcore-enhanced eCommerce solution. In versions 5.0.1 through 5.1.0-beta.1, the GitHub Actions workflow (`.github/workflows/static.yml`) uses the `pull_request_target` trigger but dangerously checks out the unverified code from the pull request head (`ref: ${{ github.event.pull_request.head.ref }}`). It then executes a script (`bin/console`) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious pull request, a pattern also known as a "Pwn Request" vulnerability. As of the time of publication, `pull_request_target` is still in the file.
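The misconfiguration described above, as an added example that is not CoreShop's workflow or its fix commit: a constructed workflow with the same shape (`pull_request_target`, a checkout of the PR head ref, then a `run:` step), the hardened variant that uses the unprivileged `pull_request` trigger instead, and a small line-based audit function that flags the combination in any workflow file. The command passed to `bin/console` is an assumption.

```python
import re

# Constructed sample with the shape the advisory describes; NOT CoreShop's actual static.yml.
VULNERABLE_WORKFLOW = """\
name: Static analysis
on:
  pull_request_target:
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.ref }}
      - run: bin/console lint:twig src
"""

# Hardened variant: `pull_request` runs fork PRs with a read-only GITHUB_TOKEN and no secrets.
FIXED_WORKFLOW = """\
name: Static analysis
on:
  pull_request:
jobs:
  static:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - run: bin/console lint:twig src
"""

# Expressions that resolve to the untrusted PR head when used as a checkout ref.
HEAD_REF = re.compile(r"github\.event\.pull_request\.head\.(ref|sha)|github\.head_ref")

def audit_workflow(yaml_text: str) -> list[str]:
    """Conservative line-based check for the 'Pwn Request' pattern; returns findings."""
    body = re.sub(r"(?m)#.*$", "", yaml_text)  # drop YAML comments before matching
    if not re.search(r"\bpull_request_target\b", body):
        return []  # the privileged trigger is not used; nothing to flag
    findings = []
    if HEAD_REF.search(body):
        findings.append("pull_request_target checks out the PR head (untrusted code)")
        if re.search(r"(?m)^\s*-\s*run\s*:", body):  # any run: step executes that checkout
            findings.append("a run: step executes that checkout with the repository's write token and secrets")
    return findings

if __name__ == "__main__":
    for name, text in (("vulnerable", VULNERABLE_WORKFLOW), ("fixed", FIXED_WORKFLOW)):
        print(name, audit_workflow(text) or ["no findings"])
```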

CWE: CWE-94
Vendor: coreshop
Product: coreshop
Published: Jun 4, 2026
Last Updated: Jun 8, 2026

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: Low
Availability: None

Affected Versions

coreshop / CoreShop
>= 5.0.1, <= 5.1.0-beta.1

References

NVD, CVE.org, EPSS Data
github.com (advisory): https://github.com/coreshop/CoreShop/security/advisories/GHSA-q58j-g3f4-h26h
github.com (commit): https://github.com/coreshop/CoreShop/commit/cc1e3f547228ec5ebfc1dc0472f9a3cc5f4137a4
github.com (affected workflow file): https://github.com/coreshop/CoreShop/blob/5.1.0-beta.1/.github/workflows/static.yml#L14