CVE-2026-48054
OpenZeppelin Contracts Wizard has Code Injection in Generated Hardhat and Foundry Tests via Unsanitized opts.name / opts.uri
Description
## Summary The OpenZeppelin Contracts Wizard generated Hardhat (`test/test.ts`) and Foundry (`test/<Name>.t.sol`) example test files that interpolated user-supplied strings (`opts.name`, `opts.uri`) into the test source without escaping. A crafted input could produce a generated test file in which the input string broke out of its surrounding literal and was parsed as code, executing when a developer ran `npm test` or `forge test` on the downloaded project. ## Impact - **Users of the hosted Wizard at https://wizard.openzeppelin.com:** no action required. The site has been redeployed with the fix. - **Users of `@openzeppelin/wizard` via the documented public API:** not affected. The vulnerable functions (`zipHardhat`, `zipFoundry`) are not part of the package's documented public exports. - **Callers of `zipHardhat` / `zipFoundry` who forward externally-controlled strings into `opts.name` / `opts.uri`:** upgrade to `0.10.9`. ## Patches Fixed in `@openzeppelin/[email protected]`.
How to fix CVE-2026-48054
To remediate CVE-2026-48054, upgrade the affected package to a fixed version below.
- —upgrade to 0.10.9 or later
Is CVE-2026-48054 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-48054.
Affected packages (1)
- from 0, < 0.10.9
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | HIGH8.8 | CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
References (4)
- PATCHgithub.com/OpenZeppelin/contracts-wizard
- WEBgithub.com/OpenZeppelin/contracts-wizard/commit/ec12c44f8d9e0491eba31037f95b36e98ec58b5f
- WEBgithub.com/OpenZeppelin/contracts-wizard/releases/tag/%40openzeppelin%2Fwizard%400.10.9
- WEBgithub.com/OpenZeppelin/contracts-wizard/security/advisories/GHSA-4x76-22x2-rx8v