CVE-2026-34041 | nektos act prior 0.2.86 set-env/add-path injection

VDB-354077 · CVE-2026-34041 · GCVE-0-2026-34041 NEKTOS ACT PRIOR 0.2.86 SET-ENV/ADD-PATH INJECTION HISTORYDIFFRELATEJSONXMLCTI CVSS Meta Temp Score Current Exploit Price (≈) CTI Interest Score 6.0 $0-$5k 3.13 Summaryinfo A vulnerability has been found in nektos act and classified as critical. This impacts the function set-env/add-path. The manipulation leads to injection. This vulnerability is uniquely identified as CVE-2026-34041. The attack is possible to be carried out remotely. No exploit exists. The affected component should be upgraded. Detailsinfo A vulnerability was found in nektos act. It has been rated as critical. This issue affects the function set-env/add-path. The manipulation with an unknown input leads to a injection vulnerability. Using CWE to declare the problem leads to CWE-74. The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. Impacted is confidentiality, integrity, and availability. The advisory is shared at github.com. The identification of this vulnerability is CVE-2026-34041. The exploitation is known to be easy. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. It demands that the victim is doing some kind of user interaction. Technical details are known, but no exploit is available. MITRE ATT&CK project uses the attack technique T1055 for this issue. Upgrading to version 0.2.86 eliminates this vulnerability. Productinfo Vendor nektos Name act CPE 2.3info 🔒 CPE 2.2info 🔒 CVSSv4info VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv3info VulDB Meta Base Score: 6.3 VulDB Meta Temp Score: 6.0 VulDB Base Score: 6.3 VulDB Temp Score: 6.0 VulDB Vector: 🔒 VulDB Reliability: 🔍 CVSSv2info Vector Complexity Authentication Confidentiality Integrity Availability Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock Unlock VulDB Base Score: 🔒 VulDB Temp Score: 🔒 VulDB Reliability: 🔍 Exploitinginfo Class: Injection CWE: CWE-74 / CWE-707 / CWE-20 CAPEC: 🔒 ATT&CK: 🔒 Physical: No Local: No Remote: Yes Availability: 🔒 Status: Not defined Price Prediction: 🔍 Current Price Estimation: 🔒 0-Day Unlock Unlock Unlock Unlock Today Unlock Unlock Unlock Unlock Threat Intelligenceinfo Interest: 🔍 Active Actors: 🔍 Active APT Groups: 🔍 Countermeasuresinfo Recommended: Upgrade Status: 🔍 0-Day Time: 🔒 Upgrade: act 0.2.86 Timelineinfo 03/28/2026 Advisory disclosed 03/28/2026 +0 days VulDB entry created 03/28/2026 +0 days VulDB entry last update Sourcesinfo Advisory: github.com Status: Confirmed CVE: CVE-2026-34041 (🔒) GCVE (CVE): GCVE-0-2026-34041 GCVE (VulDB): GCVE-100-354077 Entryinfo Created: 03/28/2026 13:07 Changes: 03/28/2026 13:07 (51) Complete: 🔍 Cache ID: 99:E42:101 Discussion No comments yet. Languages: en. Please log in to comment. ◂ PreviousOverviewNext ▸