CVE-2026-41414 PUBLISHED

Skim: Arbitrary code execution via pull_request_target fork checkout in pr.yml

Assigner: GitHub_M
Reserved: 20.04.2026 Published: 24.04.2026 Updated: 24.04.2026

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.

Metrics

CVSS 3.1

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N
CVSS Score: 7.4

Attack Vector	Network	Scope	Changed
Attack Complexity	Low	Confidentiality Impact	None
Privileges Required	None	Integrity Impact	High
User Interaction	Required	Availability Impact	None

CVSS 3.1

Product Status

Vendor	skim-rs
Product	skim
Versions	Version < bf63404ad51985b00ed304690ba9d477860a5a75 is affected

References

Problem Types

CWE-94: Improper Control of Generation of Code ('Code Injection') CWE