GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection

Summary A security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. Details The vulnerability stems from the way GitHub CLI handles raw Actions log...

GHSA-CRC3-H8V6-QH57 GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection

Summary A security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. Details The vulnerability stems from the way GitHub CLI handles raw Actions log...

GHSA-F9F8-RM49-7JV2 Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Summary Composer leaks the full contents of tokens configured as GitHub OAuth tokens if they do not match Composer's expected format for such tokens to stderr. GitHub has introduced a new format for GitHub Actions GITHUBTOKEN values. These tokens are validated in the same way by Composer on GitHu...

GHSA-WG5X-3G47-V38R fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode

When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain...

fabric-chaincode-java: TLS Private Key Password Disclosed in INFO Startup Logs in Chaincode-as-a-Service Mode

When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker with access to the chaincode server logs could recover the TLS private key password. If the attacker can also obtain...

WordPress WP Activity Log plugin <= 5.6.3 - Cross Site Scripting (XSS) vulnerability

Cross Site Scripting XSS vulnerability discovered by daroo in WordPress Plugin WP Activity Log versions = 5.6.3...

CVE-2026-43634 HestiaCP 1.2.0-1.9.4 IP Spoofing via CF-Connecting-IP Header

HestiaCP versions 1.2.0 through 1.9.4 contain an IP spoofing vulnerability that allows unauthenticated remote attackers to bypass authentication security controls by supplying an arbitrary IP address in the CF-Connecting-IP HTTP header without verifying the request originated from Cloudflare's...

Vaadin Build Plugins is Affected by a Possible Information Disclosure Vulnerability

A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...

CVE-2026-7571

A flaw was found in Keycloak. A low-privilege user, with knowledge of user credentials and client ID, can bypass a security control intended to disable the implicit flow in OpenID Connect OIDC clients. By manipulating client data during a session restart, an attacker can obtain an access token th...

org.apache.tomcat/tomcat-juli: tomcat: Apache Tomcat: console manipulation

An improper input neutralization flaw has been discovered in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a...

org.apache.tomcat/tomcat-juli: tomcat: Apache Tomcat: console manipulation

An improper input neutralization flaw has been discovered in Apache Tomcat. Tomcat did not escape ANSI escape sequences in log messages. If Tomcat was running in a console on a Windows operating system, and the console supported ANSI escape sequences, it was possible for an attacker to use a...

BIT-MONGODB-2026-8200 Schema validation log messages may not redact user data

When schema validation is enabled on a collection and an update or insert would violate the collection's schema, the local server log message generated may not have all user data redacted. This issue impacts MongoDB Server v7.0 versions prior to 7.0.34, v8.0 versions prior to 8.0.23, v8.2 version...

MC-271325-DoS-PoC

Log amplification based denial for service for vanilla Minecra...

MC-271325-PoC

Status trailing-byte log amplification MC-271325 Unauthenti...

PT-2026-41961

Name of the Vulnerable Software and Affected Versions fabric-chaincode-java versions 2.3.1 through 2.5.9 Description When chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in plaintext. An attacker...

GHSA-PQ7C-X8G4-RVP6 NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

Summary Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log...

NiceGUI: Unauthenticated log-volume denial of service in dynamic resource routes

Summary Two FastAPI routes that serve per-component static assets in NiceGUI accept a sub-path parameter that may resolve to a directory rather than a file. Requests that resolve to a directory raise an unhandled RuntimeError inside Starlette's FileResponse, which Uvicorn writes to the server log...

OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers

Summary OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total ioviter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. Details In...

GHSA-VVMG-8MJR-G6Q3 OpenTelemetry eBPF Instrumentation: Log enricher writev path can overread and overwrite user buffers

Summary OBI's log enricher mishandles writev buffers by reading only the first iovec entry but using the total ioviter.count as the copy length. When log injection is enabled, a crafted multi-segment writev call can make OBI read and overwrite memory beyond the first segment. Details In...

SUSE CVE-2026-45803

gh is GitHub's official command line tool. From 1.6.0 to before 2.92.0, a security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. The vulnerabilit...