
372 matches found

Cvelist (added yesterday, 14 views)

CVE-2026-55487 pnpm: manifest identity spoof satisfies allowBuilds and runs attacker lifecycle

pnpm is a package manager. Prior to 10.34.2 and 11.5.3, the generic peer-suffix normalizer also stripped parenthesized text from git, URL, tarball, file, and other opaque locators. Approval for one source string could therefore authorize a different attacker-controlled source whose locator...

CVSS 7.5
Exploits: 0, References: 1
OSV (added 2 days ago, 3 views)

MAL-2026-6423 Malicious code in leo-connector-elasticsearch (npm)

The leo-connector-elasticsearch npm package was compromised as part of the Miasma worm campaign targeting the LeoPlatform npm ecosystem. On June 24, 2026, 20 LeoPlatform packages were published within a 3-second window by a threat actor who had taken over the npm account czirker belonging to the...

AI score 6
Exploits: 0, References: 3
NVD (added 2 days ago, 5 views)

CVE-2026-48719

Warp is an agentic development environment. From 0.2025.08.06.08.12.stable00 until 0.2026.05.06.15.42.stable01, Warp contains a command injection in the prompt branch selector. A user who can publish a branch to a Git repository opened in Warp can cause a crafted branch name to be interpreted by...

CVSS 8, EPSS 0.00948
Exploits: 0, References: 2
EUVD (added 3 days ago, 7 views)

EUVD-2026-38486

n8n is an open source workflow automation platform. Prior to 1.123.43, 2.22.1, and 2.20.7, an attacker with write access to the git repository connected to an n8n Source Control configuration could commit a malicious Data Table JSON file containing a crafted column name. When an administrator...

CVSS 8.9, AI score 5.9, EPSS 0.00331
Exploits: 0, References: 1
CVE (added 6 days ago, 23 views)

CVE-2026-5366

CVE-2026-5366 affects Prefect v3.6.23, where the vulnerability resides in the GitRepository storage class. The commit_sha parameter passed to git commands lacks validation and does not use a -- separator, enabling an attacker to inject git flags (e.g., --upload-pack) and potentially execute arbit...

CVSS 9.9, AI score 8.1, EPSS 0.00566
Exploits: 0, References: 1
OPENSUSE Linux (added 2026/06/11 12:00 a.m., 5 views)

perl-Git-Repository-1.326.0-1.1 on GA media (moderate)

perl-Git-Repository-1.326.0-1.1 on GA media. Announcement ID: openSUSE-SU-2026:10987-1. Rating: moderate. Cross-References: CVE-2022-39253. CVSS scores: CVE-2022-39253 SUSE: 4.3 (CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N). Affected Products: openSUSE Tumbleweed. An update that solves one vulnerabilit...

CVSS 4.3, AI score 5.5, EPSS 0.01336
Exploits: 1
CNNVD (added 2026/06/09 12:00 a.m., 9 views)

degit operating system command injection vulnerability

Degit is a tool developed by Rich Harris as a quick replication mechanism for Git repositories. Versions of degit prior to 2.8.6, as well as versions 3.0.0 to 3.3.1, contained an operating system command injection vulnerability. This vulnerability stemmed from improper handling of user input for...

CVSS 8.8, AI score 5.9, EPSS 0.01057
Exploits: 0, References: 1
OSV (added 2026/06/09 12:00 a.m., 4 views)

OPENSUSE-SU-2026:10987-1 perl-Git-Repository-1.326.0-1.1 on GA media

These are all security issues fixed in the perl-Git-Repository-1.326.0-1.1 package on the GA media of openSUSE Tumbleweed...

CVSS 5.5, AI score 6.3, EPSS 0.01336
Exploits: 1, References: 1
RedhatCVE (added 2026/06/05 7:11 p.m., 8 views)

CVE-2026-44798

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause...

CVSS 7.1, AI score 5.4, EPSS 0.00277
Exploits: 0, References: 1
Github Security Blog (added 2026/06/05 4:32 p.m., 13 views)

Source controller: Improper path handling allows traversal

Impact: An actor with the ability to influence the contents of a bucket referenced by a Bucket resource can cause source-controller to write fetched object data to paths outside the per-reconciliation working directory. The corruption surface is bounded by source-controller's own and downstream Fl...

AI score 5.6, EPSS 0.00052
Exploits: 0, References: 4, Affected Software: 1
Positive Technologies (added 2026/06/05 12:00 a.m., 10 views)

PT-2026-47088

Name of the Vulnerable Software and Affected Versions: source-controller versions prior to 1.8.5. Description: Improper path handling allows for path traversal in two scenarios. First, an actor capable of influencing the contents of a bucket referenced by a Bucket resource can force the...

CVSS 5.3, AI score 5.9, EPSS 0.00052
Exploits: 0, References: 6
Cvelist (added 2026/05/28 9:11 p.m., 30 views)

CVE-2026-44881 Portainer: Arbitrary File Read via Git Symlink Injection in Stack Auto-Update

Portainer Community Edition is a lightweight service delivery platform for containerized applications that can be used to manage Docker, Swarm, Kubernetes and ACI environments. From 2.33.0 to before 2.33.8, 2.39.2, and 2.41.0, Portainer supports deploying stacks from Git repositories. When a...

CVSS 8.5, EPSS 0.00416
Exploits: 2, References: 1
NVD (added 2026/05/28 6:16 p.m., 12 views)

CVE-2026-44798

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause...

CVSS 7.1, EPSS 0.00277
Exploits: 0, References: 5
CVE (added 2026/05/28 4:57 p.m., 19 views)

CVE-2026-44798

CVE-2026-44798 affects Nautobot before versions 2.4.33 and 3.1.2, where a user with access to add/change a GitRepository could misuse the REST API to directly set the repository’s current_head field, which was not intended to be user-editable. This could cause local clones to checkout a non-lates...

CVSS 7.1, AI score 5.8, EPSS 0.00277
Exploits: 0, References: 5, Affected Software: 1
ATTACKERKB (added 2026/05/28 4:57 p.m., 7 views)

CVE-2026-44798

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause...

CVSS 7.1, AI score 5.8, EPSS 0.00277
Exploits: 0, References: 6, Affected Software: 1
EUVD (added 2026/05/28 4:57 p.m., 11 views)

EUVD-2026-32973

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause...

CVSS 7.1, AI score 5.8, EPSS 0.00277
Exploits: 0, References: 5
Cvelist (added 2026/05/28 4:57 p.m., 31 views)

CVE-2026-44798 Nautobot: GitRepository.current_head field should not be writable through REST API

Nautobot is a Network Source of Truth and Network Automation Platform. Prior to 2.4.33 and 3.1.2, a user with access to add/change a GitRepository record could use the REST API to directly set the current_head field on the record, which was not intended to be user-editable. Doing so could cause...

CVSS 7.1, EPSS 0.00277
Exploits: 0, References: 5
OSV (added 2026/05/26 12:15 p.m., 8 views)

MAL-2026-4803 Malicious code in @fhkry/baileys (npm)

Source: amazon-inspector 75b00f1cbf8b88a31654d13fe812fd9201f0b0c92f9ddad31fea59376752a636. This package is a Baileys WhatsApp Web library fork that, on every WebSocket connection, silently performs WhatsApp newsletter actions on the...

AI score 5.9
Exploits: 0, References: 1
CNNVD (added 2026/05/14 12:00 a.m., 7 views)

gittuf security vulnerability

Gittuf is a cross-platform Git repository security protection tool developed by Gittuf. Versions of Gittuf prior to 0.14.0 contained security vulnerabilities. These vulnerabilities were due to a policy rollback issue, which could allow attackers to roll back the current policy to any previous...

CVSS 4.9, AI score 5.8, EPSS 0.00198
Exploits: 0, References: 2
NVD (added 2026/05/13 4:17 p.m., 26 views)

CVE-2026-45033

GitHub Copilot CLI brings AI-powered coding assistance directly to your command line. Prior to 1.0.43, a security vulnerability has been identified in GitHub Copilot CLI where a malicious bare git repository nested inside a project directory can achieve arbitrary code execution when the agent...

CVSS 8.5, EPSS 0.0035
Exploits: 1, References: 1