CVE-2026-41414

Skim: Arbitrary code execution via pull_request_target fork checkout in pr.yml

CVSS 7.4 HIGHEPSS 0.3%CWE-94

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIM_RS_BOT_PRIVATE_KEY and GITHUB_TOKEN (contents:write). No gates prevent exploitation - any GitHub user can trigger this by opening a pull request from a fork. This vulnerability is fixed with commit bf63404ad51985b00ed304690ba9d477860a5a75.

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:H/A:N

Affected products

skim-rs · skim

public PoCs found — 1

cve_referencedrive.google.com/file/d/1Gj7ziTK42YWXYoQgTbis_rMitHR59J6F/viewunverified

⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://drive.google.com/file/d/1Gj7ziTK42YWXYoQgTbis_rMitHR59J6F/view https://github.com/skim-rs/skim/commit/bf63404ad51985b00ed304690ba9d477860a5a75 https://github.com/skim-rs/skim/security/advisories/GHSA-9g93-rxr5-xhqw