What is GHSA-q58j-g3f4-h26h?

GHSA-q58j-g3f4-h26h is a security advisory published by GitHub Security Advisories with High severity. CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration

Which CVE IDs does GHSA-q58j-g3f4-h26h cover?

GHSA-q58j-g3f4-h26h covers the following CVE IDs: CVE-2026-41249. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-q58j-g3f4-h26h?

GHSA-q58j-g3f4-h26h has a CVSS v3 base score of 8.2, published by GitHub Security Advisories.

Which products are affected by GHSA-q58j-g3f4-h26h?

GHSA-q58j-g3f4-h26h affects 1 product, including: composer/coreshop/core-shop:= 5.0.0.

GHSA-q58j-g3f4-h26hHighCVSS 8.2

CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration

Vendor

GitHub Security Advisories

Published

May 14, 2026

Last Modified

June 9, 2026

🔗 CVE IDs covered (1)

CVE-2026-41249 →

📋 Description

Summary

The GitHub Actions workflow (.github/workflows/static.yml) uses the pull_request_target trigger but dangerously checks out the unverified code from the pull request head (ref: ${{ github.event.pull_request.head.ref }}). Subsequently, it executes a script (bin/console) from this untrusted checkout. This allows any external attacker to achieve Remote Code Execution (RCE) on the GitHub Actions runner simply by submitting a malicious Pull Request. Also known as a "Pwn Request" vulnerability.

Steps to Reproduce:

Fork the target repository.
In the forked repository, modify a file that satisfies the paths condition (e.g., src/dummy.php or composer.json) to trigger the workflow.
Modify the bin/console file (which is executed in the workflow steps) with the following malicious payload:

#!/bin/bash
echo "=== PWNED ==="
echo "whoami:"
whoami

Commit the changes and open a Pull Request against the 5.0 or next branch of the base repository.
The Static Tests workflow will trigger automatically. Navigate to the Actions tab and inspect the logs for the Validate YAML (or any step executing bin/console).
You will see the output of whoami (typically runner), proving that the arbitrary code was successfully executed in the runner's context.

Impact: Because pull_request_target runs in the context of the base repository, the runner has access to repository secrets (e.g., PIMCORE_SECRET, PIMCORE_PRODUCT_KEY) loaded in the environment. An attacker can exfiltrate these secrets, modify repository contents (if the token has write permissions), or abuse the runner's computing resources.

Recommended Mitigation: Do not checkout untrusted PR code (head.ref) when using pull_request_target if the code will be built or executed. Consider adopting a separated architecture using the workflow_run event:

Use the pull_request event to safely run the build/tests in an unprivileged sandbox and upload artifacts.
Use the workflow_run event (which is privileged) to download the artifacts and perform actions requiring secrets.

🎯 Affected products1

composer/coreshop/core-shop:= 5.0.0

🔗 CVE IDs covered (1)

📋 Description

Summary

🎯 Affected products1

🔗 References (5)