CVE-2026-48547
Description
Unsanitized interpolation of patchNotesData.json fields in KanaDojo's release.yml workflow allows command injection via malicious pull requests.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a command injection in KanaDojo's release.yml GitHub Actions workflow. The workflow reads the version and changes fields from patchNotesData.json and interpolates them, unsanitized, into a child_process.execSync() call, which hands the resulting string to a shell. An attacker with pull request access can therefore place shell metacharacters in these fields. The affected versions are not stated in the available references.
Exploitation
An attacker must have pull request access to the repository. They open a pull request that modifies patchNotesData.json with shell metacharacters in the version or changes fields. Once the pull request is merged, the release.yml workflow runs and passes the unsanitized values to execSync(), which executes the injected shell commands. The GitHub Actions runner has contents: write permissions and access to GITHUB_TOKEN.
Impact
Successful exploitation allows arbitrary command execution on the GitHub Actions runner. The attacker can leverage the GITHUB_TOKEN to modify repository contents, exfiltrate secrets, or perform other actions with the runner's permissions.
Mitigation
No fix has been disclosed in the available references; the only reference provided is a release page [1], which does not mention a security fix. Users should review the release.yml workflow and ensure that every value taken from patchNotesData.json is validated or sanitized before it reaches execSync().
AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0 (no patches discovered yet)
References: 1
News mentions: 0 (no linked articles in our index yet)