A vulnerability labeled as critical has been found in CoreShop up to 5.1.0-beta.1 . Impacted is an unknown function of the file github/workflows/static.yml of the component Pull Handler . The manipulation results in code injection. This vulnerability is identified as CVE-2026-41249 . The attack can be executed remotely. There is not any exploit available. It is best practice to apply a patch to resolve this issue.