CVE-2026-54557: mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string
mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.1, the mise HTTP backend builds its install symlink destination from the raw resolved version string for non-latest versions. Normal tool install paths use the sanitized version pathname, but the HTTP backend's symlink path uses the raw value. On Unix-like systems, if that version is an absolute path, PathBuf::join discards the intended mise installs root. A repository-controlled .tool-versions file can therefore make mise install create a symlink outside the mise install tree. With bin_path, the same issue can place an executable symlink under an attacker-selected absolute prefix, such as a developer-tool prefix that is later added to PATH. This vulnerability is fixed in 2026.6.1.
Details
Original advisory: https://nvd.nist.gov/vuln/detail/CVE-2026-54557
Exploitation outlook
EPSS (FIRST.org) estimates each CVE’s probability of exploitation in the next 30 days — here is the CSIRTS.com read on those numbers.
- Low exploitation riskCVE-2026-545570.18% 30-day exploitation probability — currently an unlikely target, but scores change as exploit code circulates. Riskier than 7% of all scored CVEs.
Referenced CVEs
| CVE | CSIRTS overview | External |
|---|---|---|
| CVE-2026-54557 | coverage & exploitation status | NVD · CVE.org |
Recent advisories for mise manages dev
A cluster of recent advisories against the same product widens the attack surface — attackers routinely chain freshly published CVEs on one product, so review these together.
- mediumCVE-2026-55448: mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4,…nvd · 2026-06-26
- highCVE-2026-55441: mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trus…nvd · 2026-06-26
- criticalCVE-2026-33646: mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.3.10, mise proce…nvd · 2026-06-26
More from NVD Recent CVEs
- mediumCVE-2026-15485: A flaw has been found in TRENDnet TEW-821DAP 1.11B03. The impacted element is the function sub…2026-07-12
- highCVE-2026-15484: A vulnerability was detected in TRENDnet TEW-821DAP 1.12B01. The affected element is the funct…2026-07-12
- highCVE-2026-15483: A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the fun…2026-07-12
- highCVE-2026-15482: A weakness has been identified in Aster Telecom Azcall 10/11. This issue affects some unknown …2026-07-12
- highCVE-2026-15481: A security flaw has been discovered in Trendnet TEW-635BRM up to 1.00.03. This vulnerability a…2026-07-12