CVE-2026-48054
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri
Description

## Summary

The OpenZeppelin Contracts Wizard generated Hardhat (`test/test.ts`) and Foundry (`test/<Name>.t.sol`) example test files that interpolated user-supplied strings (`opts.name`, `opts.uri`) into the test source without escaping. A crafted input could produce a generated test file in which the input string broke out of its surrounding literal and was parsed as code, executing when a developer ran `npm test` or `forge test` on the downloaded project.

## Impact

- **Users of the hosted Wizard at https://wizard.openzeppelin.com:** no action required. The site has been redeployed with the fix.
- **Users of `@openzeppelin/wizard` via the documented public API:** not affected. The vulnerable functions (`zipHardhat`, `zipFoundry`) are not part of the package's documented public exports.
- **Callers of `zipHardhat` / `zipFoundry` who forward externally-controlled strings into `opts.name` / `opts.uri`:** upgrade to `0.10.9`.

## Patches

Fixed in `@openzeppelin/wizard@0.10.9`.
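As an added illustration of the bug class described above (example code, not part of the Contracts Wizard or of this advisory), the following JavaScript contrasts the vulnerable pattern, raw template interpolation of `opts.name` into a string literal in generated TypeScript, with a hardened generator that emits a proper literal via `JSON.stringify`, and adds an equivalent hand-written escaper for Solidity string literals in generated Foundry tests. It also shows a round-trip check a generator can run on its own output before writing the file. The function names (`tsLineUnsafe`, `tsLineSafe`, `solidityStringLiteral`, `solLineSafe`, `tsLineRoundTrips`), the template lines and the sample inputs are constructed for this example; only the shape of the defect comes from the advisory.

```javascript
// Added example, not code from the OpenZeppelin Contracts Wizard: how user-controlled
// strings end up in generated test source, and how to emit them as proper literals.
// Function names, template lines and sample inputs are hypothetical/constructed.

// Vulnerable pattern: opts.name is interpolated verbatim into a TypeScript string
// literal. Any double quote in the value terminates the literal early and the rest
// of the value is parsed as code when the generated test runs.
function tsLineUnsafe(opts) {
  return `const name = "${opts.name}";`;
}

// Hardened pattern for generated TypeScript/JavaScript: JSON.stringify yields one
// complete, well-formed string literal for any input (quotes, backslashes, newlines
// and other control characters are escaped), so the value cannot close the literal.
function tsLineSafe(opts) {
  return `const name = ${JSON.stringify(String(opts.name))};`;
}

// Hardened pattern for generated Solidity: build the literal by hand, since there is
// no JSON.stringify on that side. Solidity accepts \\ \" \n \r \t and \xNN escapes,
// forbids raw newlines, and (since 0.7.0) requires the unicode"..." prefix when a
// string literal contains non-ASCII characters.
function solidityStringLiteral(value) {
  let body = '';
  let nonAscii = false;
  for (const ch of String(value)) {
    const code = ch.codePointAt(0);
    if (ch === '\\') body += '\\\\';
    else if (ch === '"') body += '\\"';
    else if (ch === '\n') body += '\\n';
    else if (ch === '\r') body += '\\r';
    else if (ch === '\t') body += '\\t';
    else if (code < 0x20 || code === 0x7f) body += '\\x' + code.toString(16).padStart(2, '0');
    else {
      if (code > 0x7e) nonAscii = true;
      body += ch;
    }
  }
  return (nonAscii ? 'unicode' : '') + '"' + body + '"';
}

function solLineSafe(opts) {
  return `string constant NAME = ${solidityStringLiteral(opts.name)};`;
}

// Regression check a generator can run on its own output: between the fixed prefix
// and suffix there must be exactly one well-formed string literal, and decoding it
// must give back the original value. JSON.parse rejects anything else, so an input
// that escaped the literal is caught before the file is written into the zip.
function tsLineRoundTrips(line, expected) {
  const prefix = 'const name = ';
  const suffix = ';';
  if (!line.startsWith(prefix) || !line.endsWith(suffix)) return false;
  const literal = line.slice(prefix.length, line.length - suffix.length);
  try {
    return JSON.parse(literal) === expected;
  } catch (_) {
    return false;
  }
}

// Constructed sample inputs: a benign token name, and one carrying the characters
// (double quote, newline, backslash) that raw interpolation passes straight through.
const benignOpts = { name: 'My Token' };
const awkwardOpts = { name: 'My "Token"\nline two \\ end' };

console.log(tsLineUnsafe(awkwardOpts));   // literal ends at the first embedded quote
console.log(tsLineSafe(awkwardOpts));     // one escaped literal holding the whole value
console.log(solLineSafe(awkwardOpts));
console.log('unsafe output round-trips:', tsLineRoundTrips(tsLineUnsafe(awkwardOpts), awkwardOpts.name));
console.log('safe output round-trips:', tsLineRoundTrips(tsLineSafe(awkwardOpts), awkwardOpts.name));
```

For ordinary input both generators produce identical output, which is why a defect like this survives manual testing; the round-trip check turns "the value must stay inside its literal" into an assertion the generator's test suite can enforce for every template that embeds user input.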
How to fix CVE-2026-48054
To fix CVE-2026-48054, upgrade the affected package to the patched version listed below.
- `@openzeppelin/wizard`: upgrade to 0.10.9 or later
Is CVE-2026-48054 being exploited?
There is currently no exploitation signal. CVE-2026-48054 is not in the CISA KEV catalog and has no recent EPSS score.
Affected packages (1)
- `@openzeppelin/wizard`: from 0, < 0.10.9
CVSS score
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH (8.8) | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (4)
- PATCH: github.com/OpenZeppelin/contracts-wizard
- WEB: github.com/OpenZeppelin/contracts-wizard/commit/ec12c44f8d9e0491eba31037f95b36e98ec58b5f
- WEB: github.com/OpenZeppelin/contracts-wizard/releases/tag/%40openzeppelin%2Fwizard%400.10.9
- WEB: github.com/OpenZeppelin/contracts-wizard/security/advisories/GHSA-4x76-22x2-rx8v