Lucene search
+L

42 matches found

cve
cve
added 2 days ago8 views

CVE-2026-55576

The CVE-2026-55576 entry concerns MaaAssistantArknights. In the dev-v2 workflow, the string from github.event.pull_request.title was inlined into a run: shell command in .github/workflows/release-preparation.yml for PRs opened, reopened, or ready_for_review. A non-draft fork PR with a title start...

8.8CVSS6.2AI score0.00297EPSS
Exploits0References2
nvd
nvd
added 2026/07/08 4:16 p.m.7 views

CVE-2026-14967

BBOT's githubworkflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODEREPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the...

3.1CVSS0.00198EPSS
Exploits0References1
cvelist
cvelist
added 2026/07/08 3:3 p.m.32 views

CVE-2026-14967 Path traversal in github_workflows allows writing artifacts outside output directory

BBOT's githubworkflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODEREPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the...

3.1CVSS0.00198EPSS
Exploits0References1
cve
cve
added 2026/07/08 3:3 p.m.6 views

CVE-2026-14967

BBOT’s github_workflows module has a path-traversal vulnerability: the path-containment check fails to resolve ‘..’, allowing a crafted CODE_REPOSITORY URL to traverse out of the configured output directory. The write is bounded to two directory levels above the output location and the target is ...

3.1CVSS5.9AI score0.00198EPSS
Exploits0References1
euvd
euvd
added 2026/07/08 3:3 p.m.8 views

EUVD-2026-42296

BBOT's githubworkflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODEREPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the...

3.1CVSS5.9AI score0.00198EPSS
Exploits0References1
osv
osv
added 2026/06/18 3:4 p.m.11 views

GHSA-RVP7-W75Q-9FV2 BBOT: Symlink-Following Arbitrary Write via github_workflows Module

The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...

2.2CVSS5.2AI score0.00091EPSS
Exploits0References4
osv
osv
added 2026/06/17 11:17 p.m.2 views

CVE-2026-12567

The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...

2.2CVSS5.9AI score
Exploits0References1
nvd
nvd
added 2026/06/17 11:17 p.m.13 views

CVE-2026-12567

The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...

2.2CVSS0.00091EPSS
Exploits0References1
cvelist
cvelist
added 2026/06/17 9:51 p.m.21 views

CVE-2026-12567 Symlink-following arbitrary write via github_workflows module

The githubworkflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an attacker-chosen location...

2.2CVSS0.00091EPSS
Exploits0References1
cve
cve
added 2026/06/17 9:51 p.m.23 views

CVE-2026-12567

CVE-2026-12567 affects the github_workflows module. It constructs local directory paths from user-controlled repository names without validating for symlinks, enabling a local attacker sharing the scan directory to plant a symlink at a predictable output path. This can cause workflow data to be w...

2.2CVSS5.1AI score0.00091EPSS
Exploits0References1
ptsecurity
ptsecurity
added 2026/06/17 12:0 a.m.19 views

PT-2026-50562

Name of the Vulnerable Software and Affected Versions github workflows affected versions not specified Description The github workflows module constructs local directory paths using repository names provided by the user without validating for symlinks. A local attacker with access to the scan...

2.2CVSS5.2AI score0.00091EPSS
Exploits0References12
nvd
nvd
added 2026/06/05 8:17 p.m.16 views

CVE-2026-45758

Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai 0.10.1 to PyPI. Aany user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026 may be affected. Security...

9.6CVSS0.00276EPSS
Exploits0References3
pypa
pypa
added 2026/06/05 8:17 p.m.9 views

PYSEC-0000-CVE-2026-45758

Guardrails AI is a Python framework that helps build AI applications. On May 11, 2026 at approximately 6:00 PM Pacific, an attacker published a malicious version of guardrails-ai 0.10.1 to PyPI. Aany user who installed guardrails-ai==0.10.1 from PyPI on May 11, 2026 may be affected. Security...

9.6CVSS5.5AI score0.00276EPSS
Exploits0References3Affected Software1
cnnvd
cnnvd
added 2026/06/01 12:0 a.m.14 views

CloudPirates Open Source Helm Charts 代码注入漏洞

CloudPirates Open Source Helm Charts is a collection of Helm Charts for cloud-native applications, developed by CloudPirates.io. Previous versions of CloudPirates Open Source Helm Charts had a code injection vulnerability. This vulnerability stems from executing code controlled by the attacker in...

10CVSS5.4AI score0.00275EPSS
Exploits0References2
cisa
cisa
added 2026/05/28 12:0 p.m.51 views

Supply Chain Compromises Impact Nx Console and GitHub Repositories

CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems Continuous Integration/Continuous Development CI/CD pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code VS...

9.8CVSS5.8AI score0.0185EPSS
Exploits1References8
snyk
snyk
added 2026/05/21 9:0 p.m.12 views

Embedded Malicious Code

Overview @tiledesk/tiledesk-server is a The Tiledesk server module Affected versions of this package are vulnerable to Embedded Malicious Code part of the "Megalodon" campaign that orchestrated a massive supply-chain attack, pushing malicious commits to 5,561 GitHub repositories within a six-hour...

9.8CVSS5.9AI score
Exploits0References2
ossf
ossf
added 2026/05/19 12:0 a.m.14 views

Malicious code in @antv/l7-utils (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
ossf
ossf
added 2026/05/19 12:0 a.m.14 views

Malicious code in @antv/g6-extension-react (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
osv
osv
added 2026/05/19 12:0 a.m.8 views

MAL-2026-3861 Malicious code in @antv/color-schema (npm)

Part of the Mini Shai-Hulud supply chain attack campaign in which a threat actor compromised the npm account atool and published 631 malicious versions across 314 npm packages in an automated 22-minute burst. Each malicious version injects a preinstall hook that executes a 498KB obfuscated Bun...

5.8AI score
Exploits0References5
osv
osv
added 2026/05/12 8:41 p.m.3 views

CVE-2026-44246 nnU-Net: Agentic workflow injection in `.github/workflows/issue-triage.yml` of `MIC-DKFZ/nnUNet`

nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable to Agentic Workflow Injection. The workflow sets allowednonwriteusers: $...

7.2CVSS6AI score0.00242EPSS
Exploits1References3
Rows per page
Query Builder