CVE-2026-48054
Published:June 11, 2026
Updated:June 16, 2026
Summary The OpenZeppelin Contracts Wizard generated Hardhat ("test/test.ts") and Foundry ("test/<Name>.t.sol") example test files that interpolated user-supplied strings ("opts.name", "opts.uri") into the test source without escaping. A crafted input could produce a generated test file in which the input string broke out of its surrounding literal and was parsed as code, executing when a developer ran "npm test" or "forge test" on the downloaded project. Impact - Users of the hosted Wizard at https://wizard.openzeppelin.com: no action required. The site has been redeployed with the fix. - Users of "@openzeppelin/wizard" via the documented public API: not affected. The vulnerable functions ("zipHardhat", "zipFoundry") are not part of the package's documented public exports. - Callers of "zipHardhat" / "zipFoundry" who forward externally-controlled strings into "opts.name" / "opts.uri": upgrade to "0.10.9". Patches Fixed in "@openzeppelin/wizard@0.10.9".
Affected Packages
@openzeppelin/wizard (NPM):
Affected version(s) >=0.1.0 <0.10.9Fix Suggestion:
Update to version 0.10.9Related Resources (4)
Do you need more information?
Contact UsCVSS v4
Base Score:
8.7
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
PASSIVE
Vulnerable System Confidentiality
HIGH
Vulnerable System Integrity
HIGH
Vulnerable System Availability
HIGH
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
8.8
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
REQUIRED
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
HIGH
Weakness Type (CWE)
Improper Control of Generation of Code ('Code Injection')