Lucene search
+L

196 matches found

NVD
NVD
added 2 days ago3 views

CVE-2026-45793

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS0.00519EPSS
Exploits0References9
EUVD
EUVD
added 2 days ago5 views

EUVD-2026-44723

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS6AI score0.00519EPSS
Exploits0References9
CVE
CVE
added 2 days ago71 views

CVE-2026-45793

CVE-2026-45793 affects Composer (PHP dependency manager). Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validated GitHub tokens with ^[.A-Za-z0-9_]+$ and interpolated rejected tokens into an UnexpectedValueException. GitHub Actions GITHUB_TOKEN values formatted as g...

7.5CVSS6.1AI score0.00519EPSS
Exploits0References9
AlpineLinux
AlpineLinux
added 2 days ago13 views

CVE-2026-45793

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS6.1AI score0.00519EPSS
Exploits0
OSV
OSV
added 2026/07/08 8:16 p.m.2 views

DEBIAN-CVE-2026-59947

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug outp...

4.7CVSS6.1AI score0.00108EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/07/08 7:33 p.m.33 views

CVE-2026-59947 Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug outp...

4.7CVSS0.00108EPSS
Exploits0References5
CVE
CVE
added 2026/07/08 7:33 p.m.8 views

CVE-2026-59947

Composer is affected: prior to versions 2.2.29 and 2.10.2, running with -vvv could leak credentials embedded in the username slot of a repository or package URL (e.g., https://TOKEN@host/) to debug logs because AuthHelper, Url::sanitize, and ProcessExecutor did not sanitize username-only URL cred...

4.7CVSS6AI score0.00108EPSS
Exploits0References5
OSV
OSV
added 2026/07/08 7:33 p.m.2 views

CVE-2026-59947 Composer: URL-embedded HTTP-Basic username leaks to verbose logs (GitHub PAT exposure)

Composer is a dependency Manager for the PHP language. Prior to 2.2.29 and 2.10.2, when Composer is run with -vvv debug verbosity, it could print a credential embedded in the username slot of a repository or package URL, such as a GitHub Personal Access Token in https://TOKEN@host/, to debug outp...

4.7CVSS6.1AI score0.00108EPSS
Exploits0References7
NVD
NVD
added 2026/06/26 6:17 p.m.10 views

CVE-2026-55448

mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credentialcommand from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a...

6.3CVSS0.00159EPSS
Exploits0References1
OSV
OSV
added 2026/06/26 4:46 p.m.5 views

CVE-2026-55448 mise: Local credential_command executes untrusted config

mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credentialcommand from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a...

6.3CVSS6.2AI score0.00159EPSS
Exploits0References3
OSV
OSV
added 2026/06/26 2:13 p.m.9 views

MAL-2026-6522 Malicious code in @epsteinlovekids483/crossmint-wallets-sdk-pentest (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 6e43e5a418541bb3e485010eba536ecc9f1483dba866af53ff4a760684409213 Package's main entry dist/index.cjs unconditionally requires dist/shai-hulud.js at module load. On require, the code harvests installer secrets —...

5.9AI score
Exploits0References9
Github Security Blog
Github Security Blog
added 2026/06/23 6:24 p.m.17 views

Mise's local credential_command executes untrusted config

Summary mise loads github.credentialcommand from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a repository can execute arbitrary shell commands when the victim runs a GitHub-related mis...

6.3CVSS6.3AI score0.00159EPSS
Exploits0References2Affected Software1
OSV
OSV
added 2026/06/15 4:45 p.m.11 views

MAL-2026-5789 Malicious code in claude-cup (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c369ccf7b5e0ef8721b5ecdc94bd843ce260923394f6c513350a58928abdbdd3 On first invocation of npx claude-cup and on every subsequent Claude Code tool call once hooks are installed, research/config-audit.js enumerates eve...

5.5AI score
Exploits0References39
OSV
OSV
added 2026/06/13 2:10 a.m.13 views

MAL-2026-5723 Malicious code in @ci-lifecycle-test/postinstall-ping (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 75c160ad40a237c1e682c696ebd0aec2861ca072f47bd5b725bc80f7f95ed509 The package's postinstall lifecycle script postinstall.js executes automatically on npm install and POSTs the JSON-serialized contents of the entire...

5.5AI score
Exploits0References1
Tenable Nessus
Tenable Nessus
added 2026/06/13 12:0 a.m.21 views

Fedora 44 : composer (2026-9b34a78e81)

The remote Fedora 44 host has a package installed that is affected by a vulnerability as referenced in the FEDORA-2026-9b34a78e81 advisory. Version 2.10.1 - 2026-06-04 Security: Fixed shell escaping when opening an editor 12903 Security: Verify backup phar signature before restoring it when using...

5.9AI score
Exploits0References1
NVD
NVD
added 2026/06/11 7:16 p.m.9 views

CVE-2026-48547

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS0.0091EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/11 6:33 p.m.11 views

CVE-2026-48547 KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS6AI score0.0091EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/11 6:33 p.m.10 views

EUVD-2026-36284

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS6AI score0.0091EPSS
Exploits0References1
OSV
OSV
added 2026/06/11 6:33 p.m.2 views

CVE-2026-48547 KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS6.2AI score0.0091EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:13 p.m.9 views

CVE-2026-40903

goshs is a SimpleHTTPServer written in Go. Prior to 2.0.0-beta.6, goshs has an ArtiPACKED vulnerability. ArtiPACKED can lead to leakage of the GITHUBTOKEN through workflow artifacts, even though the token is not present in the repository source code. This vulnerability is fixed in 2.0.0-beta.6...

9.1CVSS5.4AI score0.00245EPSS
Exploits0References1
Rows per page
Query Builder