cvedb.io
CVE-2023-26493
HIGH · CVSS 8.1
EPSS exploitation probability: 0%
Published 2023-03-27T22:15:21.673 · Last modified 2026-06-17T05:43:27.577

Summary

Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the GitHub repository for Cocos Engine, the `web-interface-check.yml` workflow was subject to command injection. The workflow was triggered when a pull request was opened or updated and expanded the user-controllable expression `${{ github.head_ref }}` (the name of the fork's branch) directly into a shell command. Because `${{ ... }}` expressions are substituted as text before the script reaches the shell, an attacker could choose a branch name containing shell metacharacters to run arbitrary commands on the GitHub runner, potentially stealing secrets such as `GITHUB_TOKEN` and altering the repository. The workflow has since been removed from the repository. No action is required of users.
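
The pattern the summary describes, and the hardened form GitHub recommends, as an added illustration. This is not the actual Cocos Engine `web-interface-check.yml` (which has been removed) and not the project's own code; the workflow name, step names and the example branch name are assumptions made for this example.

```yaml
# Added example, not the Cocos Engine workflow: the vulnerable pattern beside
# the hardened form. Names below are illustrative assumptions.
name: web-interface-check (illustrative)

on:
  pull_request:
    types: [opened, synchronize]

# Least privilege for the automatic GITHUB_TOKEN: even if a step is hijacked,
# the token cannot push to the repository.
permissions:
  contents: read

jobs:
  check:
    runs-on: ubuntu-latest
    steps:
      # VULNERABLE: the runner replaces ${{ github.head_ref }} with the branch
      # name as plain text *before* handing the script to the shell. A fork
      # branch named   x";id;"   (a valid git ref) turns this step into
      #   echo "Checking branch x";id;""
      # so the attacker's command runs with the runner's privileges.
      - name: Print branch (unsafe)
        run: echo "Checking branch ${{ github.head_ref }}"

      # FIXED: pass the value through an environment variable. The script the
      # shell sees contains the literal text $HEAD_REF, which the shell expands
      # as data inside double quotes, never as code.
      - name: Print branch (safe)
        env:
          HEAD_REF: ${{ github.head_ref }}
        run: echo "Checking branch $HEAD_REF"
```

The same rule applies to every other attacker-influenced expression (pull request title and body, commit messages, issue text, author names): never interpolate them into `run:` or `script:` blocks directly; route them through `env:` and quote the variable.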

Affected products

cocos — cocos-engine


References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.