CVE-2026-33646 in mise

Summary

by MITRE • 06/26/2026

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise processes .tool-versions files through the Tera template engine during parsing, with the exec() function registered, enabling arbitrary command execution. Unlike .mise.toml files, .tool-versions files are not subject to trust verification in non-paranoid mode. This means an attacker can place a malicious .tool-versions file in a git repository, and when a victim with mise activated cds into the directory, arbitrary commands execute without any trust prompt. This vulnerability is fixed in 2026.3.10.
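A pre-flight audit for the condition described above, as an added example (not code from the advisory or from the mise project): it checks whether a mise version predates 2026.3.10 and flags any .tool-versions file in a checkout that contains template syntax, reading files only and never invoking mise. It assumes Tera's standard delimiters (`{{`, `{%`, `{#`) and a three-part dotted version string; all function names and the sample inputs are constructed for illustration.

```python
import re
import sys
from pathlib import Path

FIXED = (2026, 3, 10)  # first fixed release, per the summary above
# Assumption: Tera's standard delimiters for expressions, tags and comments.
TERA_DELIM = re.compile(r"\{\{|\{%|\{#")


def is_vulnerable(version: str) -> bool:
    """True if a version string such as '2026.3.9' predates the fix."""
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version: {version!r}")
    # Compare numerically: '2026.10.0' must sort after '2026.3.10'.
    return tuple(int(p) for p in m.groups()) < FIXED


def scan_text(text: str):
    """Return (line_number, line) for every line carrying template syntax."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        # Comment lines are flagged too: the summary says the file goes
        # through the template engine during parsing.
        if TERA_DELIM.search(line):
            hits.append((n, line.strip()))
    return hits


def scan_tree(root):
    """Scan each .tool-versions under root; files are read, never executed."""
    findings = {}
    for path in Path(root).rglob(".tool-versions"):
        if path.is_file():
            hits = scan_text(path.read_text(errors="replace"))
            if hits:
                findings[str(path)] = hits
    return findings


# Constructed sample inputs (not taken from any real repository).
SAMPLE_CLEAN = "nodejs 20.11.0\npython 3.12.1\n"
SAMPLE_TEMPLATED = "nodejs 20.11.0\npython {{ some_template_expression }}\n"

if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for path, hits in scan_tree(root).items():
        for n, line in hits:
            print(f"{path}:{n}: template syntax: {line}")
```

Run it against a fresh clone from a shell where mise is not activated, so the files are inspected before any directory hook can read them.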


Responsible

GitHub M

Reservation

03/23/2026

Disclosure

06/26/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low
