CVE-2026-54344

Source
https://cve.org/CVERecord?id=CVE-2026-54344
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54344.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-54344
Aliases
  • GHSA-4pm2-w6g5-28mm
Published
2026-07-08T15:08:19.691Z
Modified
2026-07-15T01:48:58.861736383Z
Severity
  • 4.7 (Medium) CVSS_V3 - CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N CVSS Calculator
Summary
ToolJet GitHub Actions comment body shell injection exposes deployment secrets
Details

ToolJet is an open-source low-code platform for building internal tools. Prior to 3.20.180, ToolJet's render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, allowing any GitHub user who can comment on an open pull request with a deploy command to execute shell commands on the CI runner and exfiltrate deployment secrets. This issue is reported as fixed in version 3.20.180.

Database specific
{
    "cwe_ids": [
        "CWE-78"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/54xxx/CVE-2026-54344.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/tooljet/tooljet

Affected ranges

Type
GIT
Repo
https://github.com/tooljet/tooljet
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "3.20.180"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

CE-LTS-2.*
CE-LTS-2.50.0
Other
bump-version
develop-head-390e022
dummy-tag-for-release-notes-1
dummy-tag-for-release-notes-2
fix-csp
fix-dyn-vars
fix-ec2
fix-image
fix-k8s
fix-mongo
fix-pg-queries
fix-setup
fix-webpack
temp-latest-develop
dummy-v2.*
dummy-v2.6.1
v0.*
v0.10.0
v0.10.0-hotfix.1
v0.10.1
v0.10.1-hotfix.1
v0.11.0
v0.12.0
v0.12.1
v0.13.0
v0.5.0
v0.5.1
v0.5.10
v0.5.11
v0.5.12
v0.5.13
v0.5.14
v0.5.2
v0.5.3
v0.5.4
v0.5.5
v0.5.6
v0.5.7
v0.5.8
v0.5.9
v0.6.0
v0.6.1
v0.7.0
v0.7.1
v0.7.2
v0.7.3
v0.7.4
v0.8.0
v0.8.1
v0.8.1-ee.1.0.0
v0.9.0
v0.9.1
v0.9.2
v0.9.3
v0.9.3-hotfix.2
v1.*
v1.10.0
v1.14.0
v1.15.0
v1.16.0
v1.16.1
v1.17.0
v1.17.1
v1.17.2
v1.18.0
v1.19.0
v1.20.0
v1.20.1
v1.20.3
v1.20.4
v1.20.5
v1.21.0
v1.21.1
v1.22.0
v1.22.1
v1.22.2
v1.22.3
v1.22.4
v1.23.0
v1.23.2
v1.24.0
v1.27.0
v1.27.4
v1.27.5
v1.29.0
v1.30.0
v1.5.0
v1.5.1
v1.6.0
v2.*
v2.0.0
v2.0.1
v2.0.2
v2.0.3
v2.0.4
v2.1.0
v2.1.1
v2.1.3
v2.1.4
v2.1.5
v2.10.0
v2.10.1
v2.10.2
v2.11.0
v2.11.1
v2.12.0
v2.13.0
v2.13.1
v2.14.0
v2.14.1
v2.15.0
v2.15.1
v2.16.0
v2.16.1
v2.17.0
v2.17.1
v2.17.2
v2.17.3
v2.17.4
v2.17.5
v2.18.0
v2.19.0
v2.19.1
v2.19.2
v2.2.0
v2.2.1
v2.2.2
v2.20.0
v2.20.1
v2.20.2
v2.21.0
v2.21.1
v2.21.2
v2.22.0
v2.22.1
v2.22.2
v2.22.3
v2.23.0
v2.24.0
v2.24.1
v2.24.2
v2.24.3
v2.24.4
v2.24.5
v2.25.0
v2.26.0
v2.26.1
v2.26.2
v2.27.0
v2.27.1
v2.27.2
v2.27.3
v2.27.4
v2.27.5
v2.27.6
v2.27.7
v2.28.0
v2.28.1
v2.28.2
v2.28.3
v2.28.4
v2.29.0
v2.3.0
v2.3.1
v2.30.0
v2.30.1
v2.30.2
v2.30.3
v2.30.4
v2.32.0
v2.32.1
v2.32.2
v2.32.3
v2.32.4
v2.32.5
v2.33.0
v2.33.1
v2.33.3
v2.33.4
v2.33.5
v2.33.6
v2.34.0
v2.34.1
v2.34.2
v2.35.0
v2.35.1
v2.35.2
v2.35.3
v2.35.4
v2.36.0
v2.36.1
v2.37.0
v2.38.0
v2.39.0
v2.4.0
v2.4.1
v2.4.2
v2.4.3
v2.4.4
v2.4.5
v2.4.6
v2.4.7
v2.4.8
v2.4.9
v2.40.0
v2.41.0
v2.42.0
v2.43.0
v2.44.0
v2.45.0
v2.5.0
v2.6.0
v2.6.1
v2.6.2
v2.60.2
v2.60.3
v2.60.4
v2.61.0
v2.61.1
v2.61.2
v2.61.3
v2.62.0
v2.63.0
v2.64.0
v2.65.0
v2.65.1
v2.65.2
v2.66.1
v2.66.2
v2.67.0
v2.67.1
v2.67.2
v2.7.0
v2.8.0
v2.8.1
v2.9.0
v2.9.1
v2.9.2
v2.9.3
v2.9.4
v2.9.5
v2.9.6
v3.*
v3.0.0-ce-beta
v3.0.5-ce
v3.1.0-ce
v3.1.1-ce
v3.10.0
v3.11.0
v3.12.0
v3.12.1
v3.13.0
v3.15.0
v3.15.1
v3.16.0-lts
v3.16.1-lts
v3.16.10-lts
v3.16.11-lts
v3.16.12-lts
v3.16.13-lts
v3.16.14-lts
v3.16.15-lts
v3.16.16-lts
v3.16.17-lts
v3.16.18-lts
v3.16.19-lts
v3.16.2-lts
v3.16.20-lts
v3.16.21-lts
v3.16.22-lts
v3.16.23-lts
v3.16.24-lts
v3.16.25-lts
v3.16.26-lts
v3.16.27-lts
v3.16.28-lts
v3.16.29-lts
v3.16.3-lts
v3.16.30-lts
v3.16.31-lts
v3.16.32-lts
v3.16.33-lts
v3.16.4-lts
v3.16.6-lts
v3.16.7-lts
v3.16.8-lts
v3.16.9-lts
v3.2.0-ce
v3.2.1-ce
v3.2.2-ce
v3.20.0-lts
v3.20.1-lts
v3.20.10-lts
v3.20.100-lts
v3.20.101-lts
v3.20.102-lts
v3.20.103-lts
v3.20.104-lts
v3.20.105-lts
v3.20.106-lts
v3.20.107-lts
v3.20.108-lts
v3.20.109-lts
v3.20.11-lts
v3.20.110-lts
v3.20.111-lts
v3.20.112-lts
v3.20.113-lts
v3.20.114-lts
v3.20.115-lts
v3.20.116-lts
v3.20.117-lts
v3.20.118-lts
v3.20.119-lts
v3.20.12-lts
v3.20.120-lts
v3.20.121-lts
v3.20.122-lts
v3.20.123-lts
v3.20.124-lts
v3.20.125-lts
v3.20.126-lts
v3.20.127-lts
v3.20.128-lts
v3.20.129-lts
v3.20.13-lts
v3.20.130-lts
v3.20.131-lts
v3.20.132-lts
v3.20.133-lts
v3.20.134-lts
v3.20.135-lts
v3.20.136-lts
v3.20.137-lts
v3.20.138-lts
v3.20.139-lts
v3.20.14-lts
v3.20.140-lts
v3.20.141-lts
v3.20.142-lts
v3.20.143-lts
v3.20.144-lts
v3.20.145-lts
v3.20.146-lts
v3.20.147-lts
v3.20.148-lts
v3.20.149-lts
v3.20.15-lts
v3.20.150-lts
v3.20.151-lts
v3.20.152-lts
v3.20.153-lts
v3.20.154-lts
v3.20.155-lts
v3.20.156-lts
v3.20.157-lts
v3.20.158-lts
v3.20.159-lts
v3.20.16-lts
v3.20.160-lts
v3.20.161-lts
v3.20.162-lts
v3.20.163-lts
v3.20.164-lts
v3.20.165-lts
v3.20.166-lts
v3.20.167-lts
v3.20.168-lts
v3.20.169-lts
v3.20.17-lts
v3.20.170-lts
v3.20.171-lts
v3.20.172-lts
v3.20.173-lts
v3.20.174-lts
v3.20.175-lts
v3.20.176-lts
v3.20.177-lts
v3.20.178-lts
v3.20.179-lts
v3.20.18-lts
v3.20.19-lts
v3.20.2-lts
v3.20.20-lts
v3.20.21-lts
v3.20.22-lts
v3.20.23-lts
v3.20.24-lts
v3.20.25-lts
v3.20.26-lts
v3.20.27-lts
v3.20.28-lts
v3.20.29-lts
v3.20.3-lts
v3.20.30-lts
v3.20.31-lts
v3.20.32-lts
v3.20.33-lts
v3.20.34-lts
v3.20.35-lts
v3.20.36-lts
v3.20.37-lts
v3.20.38-lts
v3.20.39-lts
v3.20.4-lts
v3.20.40-lts
v3.20.41-lts
v3.20.42-lts
v3.20.43-lts
v3.20.44-lts
v3.20.45-lts
v3.20.46-lts
v3.20.47-lts
v3.20.48-lts
v3.20.49-lts
v3.20.5-lts
v3.20.50-lts
v3.20.51-lts
v3.20.52-lts
v3.20.53-lts
v3.20.54-lts
v3.20.55-lts
v3.20.56-lts
v3.20.57-lts
v3.20.58-lts
v3.20.59-lts
v3.20.6-lts
v3.20.60-lts
v3.20.61-lts
v3.20.62-lts
v3.20.63-lts
v3.20.64-lts
v3.20.65-lts
v3.20.66-lts
v3.20.67-lts
v3.20.68-lts
v3.20.69-lts
v3.20.7-lts
v3.20.70-lts
v3.20.71-lts
v3.20.72-lts
v3.20.73-lts
v3.20.74-lts
v3.20.75-lts
v3.20.77-lts
v3.20.78-lts
v3.20.79-lts
v3.20.8-lts
v3.20.80-lts
v3.20.81-lts
v3.20.82-lts
v3.20.83-lts
v3.20.84-lts
v3.20.85-lts
v3.20.86-lts
v3.20.87-lts
v3.20.88-lts
v3.20.89-lts
v3.20.9-lts
v3.20.90-lts
v3.20.91-lts
v3.20.92-lts
v3.20.93-lts
v3.20.94-lts
v3.20.95-lts
v3.20.96-lts
v3.20.97-lts
v3.20.98-lts
v3.20.99-lts
v3.8.0
v3.9.0

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-54344.json"