Lucene search

405 matches found

CVE
added 2025/07/30 9:14 p.m. · 18 views

CVE-2025-54586

GitProxy

CVSS 7.1 · AI score 6.3 · EPSS 0.00326
Exploits 1 · References 4 · Affected software 1
Cvelist
added 2025/07/30 9:14 p.m. · 8 views

CVE-2025-54586 GitProxy is susceptible to a hidden commits injection attack

GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visib...

CVSS 7.1 · EPSS 0.00326
Exploits 1 · References 4
Vulnrichment
added 2025/07/30 9:14 p.m. · 1 view

CVE-2025-54586 GitProxy is susceptible to a hidden commits injection attack

GitProxy is an application that stands between developers and a Git remote endpoint. In versions 1.19.1 and below, attackers can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visib...

CVSS 7.1 · AI score 6.2 · EPSS 0.00326
Exploits 1 · References 4
GitHub Security Blog
added 2025/07/30 4:40 p.m. · 8 views

GitProxy Hidden Commits Injection

Summary An attacker can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate...

CVSS 7.1 · AI score 6.7 · EPSS 0.00326
Exploits 1 · References 6 · Affected software 1
OSV
added 2025/07/30 4:40 p.m. · 3 views

GHSA-V98G-8RQX-G93G GitProxy Hidden Commits Injection

Summary An attacker can inject extra commits into the pack sent to GitHub, commits that aren’t pointed to by any branch. Although these “hidden” commits never show up in the repository’s visible history, GitHub still serves them at their direct commit URLs. This lets an attacker exfiltrate...

CVSS 7.1 · AI score 6.7 · EPSS 0.00326
Exploits 1 · References 6
Positive Technologies
added 2025/07/30 12:00 a.m. · 6 views

PT-2025-31448 · Gitproxy · Git-Proxy

Name of the Vulnerable Software and Affected Versions: GitProxy versions 1.19.1 and below Description: GitProxy is an application that acts as an intermediary between developers and a Git remote endpoint. Attackers can inject extra commits into the pack sent to GitHub, commits that are not...

CVSS 7.1 · AI score 6.2 · EPSS 0.00326
Exploits 1 · References 12
CNNVD
added 2025/07/30 12:00 a.m. · 2 views

The Fintech Open Source Foundation GitProxy security vulnerability

GitProxy is a Fintech Open Source Foundation (FINOS) project for deploying custom push protections and policies on top of Git. A security vulnerability exists in GitProxy 1.19.1 and earlier versions, which stems from the...

CVSS 7 · AI score 6.5 · EPSS 0.00451
Exploits 1 · References 4
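The GitProxy entries above (CVE-2025-54586 / GHSA-V98G-8RQX-G93G) all describe the same failure: the packfile of a push can carry commits that none of the pushed refs reaches, and the proxy forwards them to GitHub without noticing, where they remain fetchable by direct commit URL. The block below is an added example, not GitProxy's own code, of the reachability check a proxy needs before forwarding a push: it models commits as id-to-parent-list mappings and marks any pack commit that no new ref tip reaches as hidden. The commit ids, history and ref names are constructed for the example.

```python
"""Hidden-commit check for a Git push, modelled on the GitProxy issue above.

Constructed model (not a packfile parser): commits are ids mapping to
parent lists; the remote's existing history and the pushed pack are
separate dicts; ref updates map a ref name to (old_tip, new_tip), with
old_tip None for a newly created ref. A commit that arrives in the pack
but is not reachable from any new tip is "hidden": the server stores
and serves it, yet no branch or tag points at it.
"""

from collections import deque

# Constructed sample history; the ids are labels, not real SHA-1 hashes.
# The remote already holds main = c1 -> c0.
REMOTE_COMMITS = {
    "c0": [],
    "c1": ["c0"],
}

# Constructed push: main advances c1 -> c2. The pack also carries x1, which
# builds on c1 but is pointed to by nothing in the push.
PUSH_REFS = {"refs/heads/main": ("c1", "c2")}
PUSH_PACK = {
    "c2": ["c1"],
    "x1": ["c1"],  # hidden commit: delivered, stored, referenced by no ref
}


def reachable(tips, commits, stop_at):
    """Commits reachable from tips by following parents, without descending
    into anything in stop_at (objects the remote already holds)."""
    seen = set()
    todo = deque(t for t in tips if t is not None)
    while todo:
        commit = todo.popleft()
        if commit in seen or commit in stop_at:
            continue
        seen.add(commit)
        todo.extend(commits.get(commit, ()))
    return seen


def hidden_commits(refs, pack, remote):
    """Pack commits that no updated ref reaches; an empty list means clean."""
    history = {**remote, **pack}
    new_tips = [new for (_old, new) in refs.values()]
    wanted = reachable(new_tips, history, stop_at=set(remote))
    return sorted(set(pack) - wanted)


def check_push(refs, pack, remote):
    """Policy decision a proxy would make: reject when hidden commits exist."""
    hidden = hidden_commits(refs, pack, remote)
    return (not hidden, hidden)


if __name__ == "__main__":
    ok, hidden = check_push(PUSH_REFS, PUSH_PACK, REMOTE_COMMITS)
    print("accept" if ok else f"reject: unreferenced commits {hidden}")
```

On a real push the same comparison is between the object list of the received pack (what `git index-pack` or `git verify-pack -v` report) and the output of `git rev-list --objects <new-tip> --not <old-tips>`. The model here covers commits only; a production check has to treat trees, blobs and annotated tags in the pack the same way, since any of them is served by object id once stored.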
CVE
added 2025/07/07 5:06 p.m. · 32 views

CVE-2025-53532

CVE-2025-53532 affects the giscus server-side API, allowing an unauthorized user to create discussions in any repository where giscus is installed. Impact is partial for integrity, with no confidentiality or availability impact stated; CVSS v3.1 base score 5.3 (Network attack vector, Low attack complexit...

CVSS 5.3 · AI score 6.3 · EPSS 0.00264
Exploits 0 · References 3
RedhatCVE
added 2025/05/23 7:19 a.m. · 6 views

CVE-2024-8263

An improper privilege management vulnerability allowed arbitrary workflows to be committed using an improperly scoped PAT through the use of nested tags. This vulnerability affected all versions of GitHub Enterprise Server and was fixed in versions 3.10.17, 3.11.15, 3.12.9, 3.13.4 and 3.14.1. Thi...

CVSS 6.2 · AI score 7.1 · EPSS 0.00437
Exploits 0 · References 1
RedhatCVE
added 2025/05/23 4:54 a.m. · 9 views

CVE-2023-2030

An issue has been discovered in GitLab CE/EE affecting all versions from 12.2 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which an attacker could potentially modify the metadata of signed commits...

CVSS 5.3 · AI score 6.4 · EPSS 0.00384
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 11:55 p.m. · 9 views

CVE-2022-23569

TensorFlow is an open source machine learning framework. Multiple operations in TensorFlow can be used to trigger a denial of service via CHECK-fails, i.e. assertion failures. This is similar to TFSA-2021-198 and has similar fixes. We have patched the reported issues in multiple GitHub commits. I...

CVSS 6.5 · AI score 6.6 · EPSS 0.00458
Exploits 0 · References 1
RedhatCVE
added 2025/05/22 9:53 p.m. · 5 views

CVE-2022-36014

TensorFlow is an open source platform for machine learning. When mlir::tfg::TFOp::nameAttr receives null type list attributes, it crashes. We have patched the issue in GitHub commits 3a754740d5414e362512ee981eefba41561a63a6 and a0f0b9a21c9270930457095092f558fbad4c03e5. The fix will be included in...

CVSS 7.5 · AI score 6.8 · EPSS 0.00534
Exploits 0
RedhatCVE
added 2025/05/22 8:13 p.m. · 2 views

CVE-2021-39908

In all versions of GitLab CE/EE starting from 0.8.0 before 14.2.6, all versions starting from 14.3 before 14.3.4, and all versions starting from 14.4 before 14.4.1 certain Unicode characters can be abused to commit malicious code into projects without being noticed in merge request or source code...

CVSS 7.5 · AI score 7.1 · EPSS 0.0122
Exploits 0 · References 1
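The GitLab entry above (CVE-2021-39908) is the class of issue where Unicode bidirectional control characters make a merge-request or source view render code differently from how a compiler reads it. The block below is an added example, not GitLab's code, of a pre-merge check over the added lines of a unified diff: it flags every character in Unicode general category Cf (the bidi overrides and isolates plus the zero-width characters) and reports its column, code point, name and bidirectional class. The diff is constructed for the example, with the control characters written as Python escapes so the source stays readable.

```python
"""Scan the added lines of a unified diff for Unicode format characters.

Added example, not GitLab's code. Unicode general category Cf covers
the bidirectional overrides and isolates (U+202A..U+202E, U+2066..U+2069)
as well as U+200B..U+200D and U+FEFF, the characters that let rendered
source differ from what the compiler or a reviewer sees.
"""

import unicodedata

# Constructed diff: one added line hides a right-to-left override inside a
# string literal so that "# Check if admin" renders as if it were a comment.
SAMPLE_DIFF = (
    "--- a/auth.py\n"
    "+++ b/auth.py\n"
    "@@ -1,3 +1,4 @@\n"
    " def is_admin(user):\n"
    "-    return user.role == \"admin\"\n"
    "+    # plain added comment, no format characters\n"
    "+    access = \"user\u202e \u2066# Check if admin\u2069 \u2066\"\n"
    "+    return user.role == \"admin\"\n"
)


def suspicious_chars(text):
    """(column, code point, name, bidi class) for each Cf character in text."""
    hits = []
    for col, ch in enumerate(text):
        if unicodedata.category(ch) == "Cf":
            hits.append((col, f"U+{ord(ch):04X}",
                         unicodedata.name(ch, "?"),
                         unicodedata.bidirectional(ch)))
    return hits


def scan_diff(diff_text):
    """Return [(added_line, hits)] for added lines carrying Cf characters.

    Context and removed lines are skipped: only what lands in the tree
    matters. The '+++' file header is not an added line."""
    findings = []
    for raw in diff_text.splitlines():
        if raw.startswith("+++") or not raw.startswith("+"):
            continue
        line = raw[1:]
        hits = suspicious_chars(line)
        if hits:
            findings.append((line, hits))
    return findings


if __name__ == "__main__":
    for line, hits in scan_diff(SAMPLE_DIFF):
        print(repr(line))
        for col, cp, name, bidi in hits:
            print(f"  col {col}: {cp} {name} ({bidi})")
```

Flagging the whole Cf category rather than a hand-picked list is deliberate: a reviewer tool that only knows U+202E misses isolates and zero-width joiners, and the few legitimate Cf uses (a BOM, a soft hyphen in documentation) are cheap to allow-list after the fact.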
RedhatCVE
added 2025/05/22 6:41 p.m. · 7 views

CVE-2021-3866

Stored cross-site scripting (XSS) in the GitHub repository zulip/zulip, from and including commit 44f935695d452cc3fb16845a0c6af710438b153d and prior to commit 3eb2791c3e9695f7d37ffe84e0c2184fae665cb6...

CVSS 6.8 · AI score 6 · EPSS 0.0089
Exploits 1 · References 1
RedhatCVE
added 2025/05/22 4:49 p.m. · 9 views

CVE-2020-7651

All versions of snyk-broker before 4.79.0 are vulnerable to arbitrary file read. It allows partial file reads for users who have access to Snyk's internal network via patch history from the GitHub Commits API...

CVSS 4.3 · AI score 6.7 · EPSS 0.01115
Exploits 0 · References 1
CVE
added 2025/05/21 5:40 p.m. · 51 views

CVE-2025-48064

GitHub Desktop on Windows prior to 3.4.20-beta3 is vulnerable: when viewing a file diff in the history view, Git calls git log/diff with the commit SHA and file names, and realpath traversal may cause Git to access a UNC network path, potentially leaking environment data via NTLM authentication (...

CVSS 3.3 · AI score 4 · EPSS 0.00154
Exploits 0 · References 1
Packet Storm News
added 2025/05/15 12:00 a.m. · 5 views

S3C2 Summit 2024-09: Industry Secure Software Supply Chain Summit

While providing economic and software development value, software supply chains are only as strong as their weakest link. Over the past several years, there has been an exponential increase in cyberattacks, specifically targeting vulnerable links in critical software supply chains. These attacks...

AI score 7.1
Exploits 0
CVE
added 2025/05/07 5:37 p.m. · 54 views

CVE-2025-46824

CVE-2025-46824 concerns the Discourse Code Review Plugin. Before commit eed3a80, an attacker could cause arbitrary JavaScript execution in a user's browser by clicking links to malicious GitHub commits, effectively an XSS vector in Discourse code review workflows. The issue is ...

CVSS 3.1 · AI score 4.3 · EPSS 0.00267
Exploits 0 · References 4
OSV
added 2025/05/07 5:37 p.m. · 3 views

CVE-2025-46824 Discourse Code Review Plugin vulnerable to XSS via auto link commits

The Discourse Code Review Plugin allows users to review GitHub commits on Discourse. Prior to commit eed3a80, an attacker can execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This problem is patched in commit eed3a80 of the discourse-code-review plugin...

CVSS 3.1 · AI score 7.3 · EPSS 0.00267
Exploits 0 · References 6
Positive Technologies
added 2025/05/07 12:00 a.m. · 4 views

PT-2025-20284 · Discourse · Discourse Code Review Plugin

Name of the Vulnerable Software and Affected Versions: Discourse Code Review Plugin versions prior to commit eed3a80 Description: The issue allows an attacker to execute arbitrary JavaScript on users' browsers by posting links to malicious GitHub commits. This is a problem with the Discourse Code...

CVSS 3.1 · AI score 7 · EPSS 0.00267
Exploits 0 · References 10