High severity7.7NVD Advisory· Published Apr 7, 2026· Updated Apr 15, 2026

CVE-2026-35533

Description

mise manages dev tools like node, python, cmake, and terraform. From 2026.2.18 through 2026.4.5, mise loads trust-control settings from a local project .mise.toml before the trust check runs. An attacker who can place a malicious .mise.toml in a repository can make that same file appear trusted and then reach dangerous directives such as [env] _.source, templates, hooks, or tasks.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
misecrates.io	>= 2026.2.18, <= 2026.4.5	—

Affected products

Jdx/Mise
cpe:2.3:a:jdx:mise:*:*:*:*:*:rust:*:*
Range: >=2026.2.18,<=2026.4.5

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/advisories/GHSA-436v-8fw5-4mj8ghsaADVISORY
github.com/jdx/mise/security/advisories/GHSA-436v-8fw5-4mj8nvdVendor AdvisoryExploitWEB
nvd.nist.gov/vuln/detail/CVE-2026-35533ghsaADVISORY

News mentions

No linked articles in our index yet.

cvss	0.501
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000