CVE-2026-48547 HIGH

CVE-2026-48547: KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml

Vendor Lingdojo
Product kana-dojo
Weakness CWE-78
Published June 11, 2026
Last update June 15, 2026

CVSS base score

8.5/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

01Description

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a child_process.execSync() call in the release.yml workflow. Attackers can have a malicious pull request merged to trigger the GitHub Actions runner with contents write permissions and access to GITHUB_TOKEN.

Key dates

02Disclosure timeline

June 11, 2026 CVE published
June 15, 2026 Record updated