Cyber Posture

CVE-2026-42298

CriticalRCE
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 08 May 2026

Published
08 May 2026
Modified
13 May 2026
KEV Added
Patch
CVSS Score 10.0 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
EPSS Score 0.0018 39.5th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42298 is a critical-severity Code Injection (CWE-94) vulnerability. Its CVSS base score is 10.0 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Poisoned Pipeline Execution (T1677); ranked at the 39.5th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

This vulnerability is AI-related — categorised as Machine Learning Libraries.

Threat & Defense at a Glance

What attackers do: exploitation maps to Poisoned Pipeline Execution (T1677).
Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

SC-34 Non-modifiable Executable Programs
addresses: CWE-94

Makes persistent code injection into loaded programs impossible when the executable image itself resides on hardware-protected read-only media.

SC-44 Detonation Chambers
addresses: CWE-94

Dynamically generated code can be produced and executed inside the isolated chamber, preventing host compromise from code-injection payloads.

SI-10 Information Input Validation
addresses: CWE-94

Validates inputs used in dynamic code generation to block injected directives.

SI-16 Memory Protection
addresses: CWE-94

Directly prevents execution of attacker-supplied code written into data memory regions.

MITRE ATT&CK Enterprise TechniquesAI

T1677 Poisoned Pipeline Execution Execution
Adversaries may manipulate continuous integration / continuous development (CI/CD) processes by injecting malicious code into the build process.
attack.mitre.org →
Why these techniques?

Vulnerability directly enables Poisoned Pipeline Execution via malicious PR injecting code into GitHub Actions Docker build workflow, allowing arbitrary execution and credential exfiltration.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Postiz is an AI social media scheduling tool. Prior to commit da44801, a "Pwn Request" vulnerability in the Build and Publish PR Docker Image workflow (.github/workflows/pr-docker-build.yml) allows any unauthenticated user to execute arbitrary code during the Docker build process and…

more

exfiltrate a highly privileged GITHUB_TOKEN (write-all permissions). This can be achieved simply by opening a Pull Request from a fork with a maliciously modified Dockerfile.dev. This issue has been patched via commit da44801.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-94

AI Security AnalysisAI

AI Category
Machine Learning Libraries
Risk Domain
N/A
OWASP Top 10 for LLMs 2025
None mapped
Classification Reason
Matched keywords: ai

CVEs Like This One

CVE-2026-41414Shared CWE-94
CVE-2026-33744Shared CWE-94
CVE-2026-29075Shared CWE-94
CVE-2025-42950Shared CWE-94
CVE-2026-26056Shared CWE-94
CVE-2025-25944Shared CWE-94
CVE-2026-26045Shared CWE-94
CVE-2026-35178Shared CWE-94
CVE-2024-1490Shared CWE-94
CVE-2024-7419Shared CWE-94

References