8 matches found

Microsoft Secure
added 2026/06/05 4:46 p.m. · 13 views

Securing CI/CD in an agentic world: Claude Code GitHub Action case

Microsoft Threat Intelligence discovered that Anthropic's Claude Code GitHub Action could expose CI/CD workflow secrets when AI agents process untrusted GitHub content, including issue bodies, pull request descriptions, and comments. We found that while Claude Code Action supported environment...

5.9 AI score
Exploits: 0
OSV
added 2026/03/26 8:32 p.m. · 2 views

GO-2026-4705 SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets in github.com/siyuan-note/siyuan/kernel

SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets in github.com/siyuan-note/siyuan/kernel...

6.8 CVSS · 5.8 AI score · 0.00095 EPSS
Exploits: 1 · References: 4
Cvelist
added 2026/03/19 9:2 p.m. · 20 views

CVE-2026-32747 SiYuan: Incomplete sensitive path blocklist in globalCopyFiles allows reading /proc and Docker secrets

SiYuan is a personal knowledge management system. In versions 3.6.0 and below, the globalCopyFiles API reads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin c...

6.8 CVSS · 0.00095 EPSS
Exploits: 1 · References: 3
OSV
added 2026/03/16 6:46 p.m. · 4 views

GHSA-H5VH-M7FG-W5H6 SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets

Summary POST /api/file/globalCopyFiles reads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace an...

6.8 CVSS · 5.9 AI score · 0.00095 EPSS
Exploits: 1 · References: 5
Positive Technologies
added 2023/03/25 12:0 a.m. · 3 views

PT-2023-3594 · Apparmor +10

Name of the Vulnerable Software and Affected Versions: runc versions prior to 1.1.5 Description: The issue is related to the incorrect handling of symbolic links before accessing a file, which allows an attacker to access confidential data, compromise its integrity, and cause a denial of service...

9.8 CVSS · 6.2 AI score · 0.02514 EPSS
Exploits: 5 · References: 173
Mageia
added 2019/07/10 10:44 a.m. · 37 views

Updated dosbox package fixes security vulnerabilities

Dosbox 0.74-3 is a security release: Fixed that a very long line inside a bat file would overflow the parsing buffer. CVE-2019-7165 by Alexandre Bartel Added a basic permission system so that a program running inside DOSBox can't access the contents of /proc e.g. /proc/self/mem when / or /proc we...

9.8 CVSS · 2.7 AI score · 0.26967 EPSS
Exploits: 1 · References: 1
OSV
added 2017/05/01 6:59 a.m. · 1 views

DEBIAN-CVE-2016-8649

lxc-attach in LXC before 1.0.9 and 2.x before 2.0.6 allows an attacker inside of an unprivileged container to use an inherited file descriptor, of the host's /proc, to access the rest of the host's filesystem via the openat family of syscalls...

9.1 CVSS · 6.9 AI score · 0.02154 EPSS
Exploits: 0 · References: 1
securityvulns
added 2008/02/12 12:0 a.m. · 38 views

Linux kernel multiple security vulnerabilities

Kernel memory access with vmsplice syscall, access between virtual machines with /proc...

7.2 CVSS · 2.4 AI score · 0.00298 EPSS
Exploits: 5 · References: 2 · Affected Software: 1