Summary The OpenZeppelin Contracts Wizard generated Hardhat (test/test.ts) and Foundry (test/ .t.sol) example test files that interpolated user-supplied strings (opts.name, opts.uri) into the test source without escapin…
| CVE ID | CVE-2026-48054 |
| Vendor | npm |
| Affected Product | @openzeppelin/wizard |
| Vulnerability Type | Vulnerability |
| CVSS Score | 8.8 (HIGH) |
| Actively Exploited | ❌ No known exploitation |
| Patch Status | See Vendor Advisory → |
| Reported By | CYBERDUDEBIVASH SENTINEL APEX Intelligence (via github_advisories) |
#
test/test.ts) and Foundry (test/ .t.sol) example test files that interpolated user-supplied strings (opts.name, opts.uri) into the test source without escaping. A crafted input could produce a generated test file in which the input string broke out of its surrounding literal and was parsed as code, executing when a developer ran npm test or forge test on the downloaded project.@openzeppelin/wizard via the documented public API: not affected. The vulnerable functions (zipHardhat, zipFoundry) are not part of the package's documented public exports.Sigma rules, YARA signatures, IOC table, and SIEM queries for Splunk, Elastic, Sentinel, and Chronicle — deployable in 5 minutes.