Product
CoreShop is vulnerable to remote code execution (RCE) via insecure `pull_request_target` configuration, allowing attackers to execute arbitrary code on the GitHub Actions runner by submitting a malicious pull request and potentially exfiltrate secrets or modify repository contents; tracked as CVE-2026-41249.