14 matches found
CVE-2026-26189 Trivy Action has a script injection via sourced env file in composite action
Trivy Action runs Trivy as a GitHub Action to scan a Docker container image for vulnerabilities. A command injection vulnerability exists in aquasecurity/trivy-action versions 0.31.0 through 0.33.1 due to improper handling of action inputs when exporting environment variables. The action writes...
CVE-2026-26189
CVE-2026-26189 affects aquasecurity/trivy-action (GitHub Action) where command injection is possible via unsafely exporting environment variables to trivy_envs.txt and sourcing it in entrypoint.sh. Affected versions are 0.31.0 through 0.33.1; a patch was released in 0.34.0. The issue arises from ...
Trivy Action OS command injection vulnerability
Trivy Action is a container vulnerability scanning tool developed by Aqua Security. Versions of Trivy Action prior to 0.33.1 contain an operating system command injection vulnerability. This vulnerability arises from improper handling of input during the process of exporting environment variables...
CVE-2025-67231
A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload...
CVE-2025-67231
A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload...
ToDesktop Builder security vulnerabilities
ToDesktop Builder is a desktop application building tool developed by ToDesktop Company in Ireland. Version 0.33.1 of ToDesktop Builder contains a security vulnerability. This vulnerability stems from reflective cross-site scripting, which could allow attackers to execute arbitrary code in the...
CVE-2025-67231
A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload...
CVE-2025-67231
A reflected cross-site scripting (XSS) vulnerability in ToDesktop Builder v0.33.1 allows attackers to execute arbitrary code in the context of a user's browser via a crafted payload...
CVE-2025-67231
CVE-2025-67231 is a confirmed reflected XSS in ToDesktop Builder v0.33.1. The issue allows an attacker to execute arbitrary code in the context of a user's browser via a crafted payload. Multiple feeds (NVD, Red Hat, CIRCL, attackerkb, CVE lists) consistently describe a reflected XS...
PT-2024-40452 · Softwarex · Softwarex
Name of the Vulnerable Software and Affected Versions: SoftwareX versions prior to 0.33.1 Description: The issue arises when a node receives a block with a timestamp more than 15 seconds ahead of its local time, potentially leading to the block being marked as invalid and the peer being banned. T...
Matrix matrix-appservice-irc injection vulnerability
Matrix is an ambitious new ecosystem for open federated instant messaging and VoIP. matrix-appservice-irc is a bridge for Matrix. This bridge passes all IRC messages to Matrix and all Matrix messages to IRC. An injection vulnerability exists in Matrix matrix-appservice-irc version 0.33.1 and...
CVE-2022-23637 Stored Cross-Site-Scripting (XSS) in Markdown Editor
K-Box is a web-based application to manage documents, images, videos and geodata. Prior to version 0.33.1, a stored Cross-Site-Scripting (XSS) vulnerability is present in the markdown editor used by the document abstract and markdown file preview. A specifically crafted anchor link can, if clicked,...
CVE-2022-23637
K-Box (web-based document/image/geodata manager) contains a stored XSS vulnerability in the markdown editor used for document abstracts and markdown previews. The issue arises from unsafely handled input in the editor, where a crafted anchor link can trigger untrusted JavaScript actions (e.g., co...
Rust ash crate security vulnerability
Rust ash crate is a very lightweight Vulkan wrapper. A security vulnerability exists in versions of Rust ash crate prior to 0.33.1, which stems from the fact that util::readspv can read data from an uninitialized memory location. No details of the vulnerability are currently available...