Cyber Resilience

CVE-2026-55441

High · LPE

Published: 26 June 2026
Modified: 26 June 2026
KEV Added: not listed
Patch: fixed in 2026.6.4 (see Vulnerability details)
CVSS Score (v3.1): 8.6, vector CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
EPSS Score: 0.0018 (8.2th percentile)
Risk Priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-55441 is a high-severity OS Command Injection (CWE-78) vulnerability. Its CVSS base score is 8.6 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Unix Shell (T1059.004); ranked at the 8.2th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

Vulnerability details

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files (mise.toml, .tool-versions) through trust_check, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir (mise-tasks/, .mise/tasks/, …) but no config file, mise falls back to the default includes and renders each task's tera fields, and that tera environment has exec() registered. A {{ exec(command='…') }} in any rendered field runs arbitrary commands the moment the tasks are merely listed. There is no config file to gate on, so no trust prompt ever appears. Read-only commands trigger it: mise tasks, mise task ls, mise run, and mise tasks --usage (the query that shell completion runs on Tab). The victim only has to cd into a cloned repo and list or tab-complete a task. This vulnerability is fixed in 2026.6.4.
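A defender-side pre-flight check for the condition described above, added here as an illustration and not part of the advisory or of mise itself: it walks the task-include directories the advisory names in a checkout and flags any task file line whose tera expression calls exec(), so the file can be reviewed before `mise tasks` or tab-completion renders it. The include-directory names and the `#MISE key="..."` header style of the constructed sample task are assumptions.

```python
"""Pre-flight scan: find mise task files in a checkout whose contents contain a
tera exec() call, so they can be reviewed before `mise tasks` or tab-completion
runs in an untrusted directory. Constructed example, not mise's own code.
Assumed: include dirs mise-tasks/ and .mise/tasks/; `#MISE key="..."` headers."""
import os
import re
import tempfile

TASK_INCLUDE_DIRS = ("mise-tasks", os.path.join(".mise", "tasks"))
# A tera expression `{{ ... }}` or statement `{% ... %}` whose body calls exec(
EXEC_CALL = re.compile(r"\{[{%]-?[^}%]*\bexec\s*\(")


def scan_task_dirs(repo_root):
    """Return (relative path, line number, stripped line) for each line inside a
    task-include directory that contains a tera exec() call."""
    findings = []
    for rel_dir in TASK_INCLUDE_DIRS:
        base = os.path.join(repo_root, rel_dir)
        if not os.path.isdir(base):
            continue
        for dirpath, _dirs, files in os.walk(base):
            for name in sorted(files):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    for lineno, line in enumerate(fh, 1):
                        if EXEC_CALL.search(line):
                            rel = os.path.relpath(path, repo_root)
                            findings.append((rel, lineno, line.strip()))
    return findings


def build_sample_repo():
    """Constructed checkout with no mise.toml: one benign task and one whose
    description header calls exec() and would be rendered on task listing."""
    root = tempfile.mkdtemp(prefix="mise-scan-")
    tasks = os.path.join(root, "mise-tasks")
    os.makedirs(tasks)
    with open(os.path.join(tasks, "build"), "w") as fh:
        fh.write('#!/usr/bin/env bash\n#MISE description="Build the project"\nmake\n')
    with open(os.path.join(tasks, "lint"), "w") as fh:
        fh.write("#!/usr/bin/env bash\n"
                 "#MISE description=\"{{ exec(command='echo ran-at-list-time') }}\"\n"
                 "echo lint\n")
    return root


if __name__ == "__main__":
    for rel, lineno, text in scan_task_dirs(build_sample_repo()):
        print(f"{rel}:{lineno}: {text}")
```

Run it from outside the checkout; a non-empty result means the directory should be reviewed (or mise upgraded to 2026.6.4 or later) before any task is listed there.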

MITRE ATT&CK Enterprise Techniques

  • T1059.004 Unix Shell (tactic: Execution). Adversaries may abuse Unix shell commands and scripts for execution.
  • T1203 Exploitation for Client Execution (tactic: Execution). Adversaries may exploit software vulnerabilities in client applications to execute code.
Why these techniques?

Direct OS command injection (CWE-78) via an unsandboxed tera exec() in task rendering enables Unix shell command execution (T1059.004) on mere task listing; the attack requires only a cd plus a mise invocation, which maps to client-side exploitation for execution (T1203).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

  • CVE-2025-58370 (shared: CWE-78)
  • CVE-2026-25157 (shared: CWE-78)
  • CVE-2026-24887 (shared: CWE-78, CWE-94)
  • CVE-2025-1244 (shared: CWE-78)
  • CVE-2025-57771 (shared: CWE-78)
  • CVE-2026-27487 (shared: CWE-78)
  • CVE-2026-24844 (shared: CWE-78)
  • CVE-2026-3102 (shared: CWE-78)
  • CVE-2023-47104 (shared: CWE-78)
  • CVE-2025-57283 (shared: CWE-78, CWE-94)

Mitigating Controls

Likely Mitigating Controls

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

  • (addresses CWE-78, CWE-732) Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.
  • (addresses CWE-732, CWE-94) Overrides or renders irrelevant incorrect permission assignments on critical executable resources by using hardware-level immutability.
  • (addresses CWE-78, CWE-94) Validates inputs to block special elements that would alter OS command execution.
  • (addresses CWE-732) Procedures support proper permission assignment for critical resources through documented controls.
  • (addresses CWE-732) Attribute management for resources provides a mechanism to assign and maintain correct permissions based on security labels.
  • (addresses CWE-732) Prevents overly permissive assignments to critical resources by limiting them to task needs.
  • (addresses CWE-732) Training policy covers correct permission assignment, reducing the ability to exploit incorrect permission assignments for critical resources.
  • (addresses CWE-732) Training on permission management reduces incorrect permission assignments for critical resources.

Hardening callouts derived

Configuration rules from DISA STIG baselines that reduce the attack surface for weaknesses of the type cited by this CVE. Derived transitively via CVE→CWE→STIG over `controls_xwalks` (authoritative rows only).

Oracle Linux 8 (1 rule)
  • V-248577 OL 8 must enable kernel parameters to enforce Discretionary Access Control (DAC) on symlinks. via CWE-732
Windows Server 2016 (2 rules)
  • V-224972 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
  • V-224831 Local volumes must use a format that supports NTFS attributes. via CWE-732
Windows Server 2019 (2 rules)
  • V-205663 Windows Server 2019 local volumes must use a format that supports NTFS attributes. via CWE-732
  • V-205741 Windows Server 2019 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
Windows Server 2022 (2 rules)
  • V-254393 Windows Server 2022 Active Directory Group Policy objects must have proper access control permissions. via CWE-732
  • V-254250 Windows Server 2022 local volumes must use a format that supports NTFS attributes. via CWE-732