[Pkg-rust-maintainers] Bug#1134887: skim: CVE-2026-41414
Moritz Mühlenhoff
jmm at inutil.org
Sat Apr 25 12:06:52 BST 2026
Source: skim
X-Debbugs-CC: team at security.debian.org
Severity: grave
Tags: security
Hi,
The following vulnerability was published for skim.
CVE-2026-41414[0]:
| Skim is a fuzzy finder designed to through files, lines, and
| commands. The generate-files job in .github/workflows/pr.yml checks
| out attacker-controlled fork code and executes it via cargo run,
| with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN
| (contents:write). No gates prevent exploitation - any GitHub user
| can trigger this by opening a pull request from a fork. This
| vulnerability is fixed with commit
| bf63404ad51985b00ed304690ba9d477860a5a75.
https://github.com/skim-rs/skim/security/advisories/GHSA-9g93-rxr5-xhqw
https://github.com/skim-rs/skim/commit/bf63404ad51985b00ed304690ba9d477860a5a75
If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.
For further information see:
[0] https://security-tracker.debian.org/tracker/CVE-2026-41414
https://www.cve.org/CVERecord?id=CVE-2026-41414
Please adjust the affected versions in the BTS as needed.
More information about the Pkg-rust-maintainers
mailing list