7963 matches found
CVE-2026-48501
GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes the authorization header in API requests to TUF repository mirrors via the gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...
DEBIAN-CVE-2026-48501
GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes the authorization header in API requests to TUF repository mirrors via the gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...
EUVD-2026-33340
GitHub CLI (gh) is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes the authorization header in API requests to TUF repository mirrors via the gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...
GHSA-XX3C-QF5G-HC39 Symfony has an Argument Injection in SendmailTransport via Dash-Prefixed Recipient Address
Description: Symfony Mailer selects a transport via the MAILER_DSN environment variable / configuration (e.g. smtp://..., sendmail://..., native://default). SendmailTransport invokes the local sendmail binary and supports two modes: -bs (speak SMTP over stdin: the default) and -t (read the message on...
CVE-2026-44972 GuardDog: Unsanitized human-readable scan output allows terminal escape injection from malicious package content
GuardDog is a CLI tool to identify malicious PyPI packages. From 2.6.0 to 2.9.0, GuardDog includes attacker-controlled filenames, file locations, messages, and code snippets in its default human-readable output without escaping terminal control characters. A malicious package can therefore inject...
CVE-2026-46598 vulnerabilities
Vulnerabilities for packages: docker-cli-buildx, prometheus, cloud-provider-aws, fscrypt, kaf, minio, opentofu, knative-serving, aactl, istio, teleport, kine, buildah, mattermost, containerd, flux, rancher, cilium, podman, kots, kubernetes-dashboard, prometheus-operator, gitlab-kas, nerdctl, kuma...
CVE-2026-39834 vulnerabilities
Vulnerabilities for packages: prometheus, policy-controller, kargo, aactl, docker-machine-driver-linode, splunk-otel-collector, crossplane-provider-azure-managedidentity, istio, teleport, traefik, containerd, flux-source-controller, podman, argocd-image-updater, ko, kubernetes-dashboard, caddy,...
CVE-2026-39828 vulnerabilities
Vulnerabilities for packages: zarf, skaffold, prometheus, cloud-provider-aws, fscrypt, kaf, minio, knative-serving, aactl, istio, kine, mattermost, containerd, flux-source-controller, k9s, flux, trivy, flux-image-automation-controller, rancher, cilium, kubescape, argocd-image-updater, kots,...
CVE-2026-46595 vulnerabilities
Vulnerabilities for packages: aactl, external-dns, gitea-fips, frankenphp-8.4, kots, cilium-cli, chisel-fips, trivy-fips, zitadel, kyverno, flux, telegraf, minio-fips, gatekeeper-fips, k9s, snyk-cli, frankenphp-8.5, tekton-pipelines-fips, trivy, kine, prometheus-mongodb-exporter, istio,...
CVE-2026-39832 vulnerabilities
Vulnerabilities for packages: aactl, external-dns, gitea-fips, frankenphp-8.4, kots, step-issuer-fips, cilium-cli, docker-cli-buildx, docker-cli-buildx-fips, trivy-fips, apko-fips, zitadel, kyverno, packer-fips, redpanda-console, flux, telegraf, apply-cve-bump, gatekeeper-fips, k9s, snyk-cli,...
USN-8321-1: Papers vulnerability
It was discovered that Papers incorrectly handled PDF /GoToR actions. If a user were tricked into opening a specially crafted PDF file, an attacker could use this issue to manipulate command lines and possibly execute arbitrary code...
[SECURITY] Fedora 43 Update: rust-sequoia-sq-1.3.1-11.fc43
Command-line frontends for Sequoia...
[SECURITY] Fedora 43 Update: curl-8.15.0-7.fc43
curl is a command line tool for transferring data with URL syntax, supporting FTP, FTPS, HTTP, HTTPS, SCP, SFTP, TFTP, TELNET, DICT, LDAP, LDAPS, FILE, IMAP, SMTP, POP3 and RTSP. curl supports SSL certificates, HTTP POST, HTTP PUT, FTP uploading, HTTP form based upload, proxies, cookies,...
[SECURITY] Fedora 42 Update: rust-sequoia-sq-1.3.1-11.fc42
Command-line frontends for Sequoia...
PT-2026-44137
Description: Symfony Mailer selects a transport via the MAILER_DSN environment variable / configuration (e.g. smtp://..., sendmail://..., native://default). SendmailTransport invokes the local sendmail binary and supports two modes: -bs (speak SMTP over stdin: the default) and -t (read the message on...
Kata Containers have VM Escape via virtiofsd Argument Injection through Default-Enabled Pod Annotations
Summary: Kata Containers ships with a default configuration that allows pod creators to inject arbitrary command-line arguments into the virtiofsd process through the io.katacontainers.config.hypervisor.virtio_fs_extra_args pod annotation. By injecting -o source=/ along with --no-announce-submounts a...
GHSA-VV9J-GJW2-J8WP yeoman-environment Vulnerable to Arbitrary Package Installation without User Confirmation
Impact yeoman-environment versions = 2.9.0 and 6.0.1 install missing local generator packages from caller-supplied package names without user confirmation. In downstream consumers that pass attacker-controlled project configuration into this path, this can result in arbitrary package installation...
MAL-2026-4783 Malicious code in @iola_adm/iola-cli (npm)
Source: amazon-inspector 6e28a7ca88c4000d6efee1c0e324c8f28bebf03ef988e2ac3aa437857f34ee08 src/cli.js contains a hardcoded endpoint https://apiiola.yasg.ru referenced multiple times lines 1, 2, 198 and invoked via fetch at line 256, in code...
SUSE CVE-2018-25356
SIPp 3.6 and earlier contains a local buffer overflow vulnerability in command-line argument handling that allows local attackers to crash the application or execute arbitrary code. Attackers can trigger the vulnerability by supplying oversized input to the -3pcc, -i, or -logfile parameters,...
CVE-2026-48695
FastNetMon Community Edition through 1.2.9 contains an OS command injection vulnerability in the MikroTik router integration plugin. The log function in src/mikrotikplugin/fastnetmonmikrotik.php lines 107-108 constructs shell commands by concatenating the $msg parameter directly into exec calls:...