Lucene search
+L

128 matches found

Nuclei
Nuclei
added yesterday22 views

Docusaurus Gists Plugin < 4.0.0 - GitHub Personal Access Token Exposure

The Docusaurus gists plugin adds a page to your Docusaurus instance, displaying all public gists of a GitHub user. docusaurus-plugin-content-gists versions prior to 4.0.0 are vulnerable to exposing GitHub Personal Access Tokens in production build artifacts when passed through plugin configuratio...

10CVSS5.2AI score0.01842EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 5 days ago5 views

PT-2026-57839

Name of the Vulnerable Software and Affected Versions mcp-gitlab versions prior to 2.1.18 Description A path traversal issue exists in the job id parameter within the build/index.js file. This allows attackers to escape the intended path prefix by providing crafted values, such as ../../../user, ...

9.2CVSS6.2AI score0.0038EPSS
Exploits0References7
EUVD
EUVD
added 2026/07/01 11:28 a.m.10 views

EUVD-2026-40945

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...

4.1CVSS5.8AI score0.0019EPSS
Exploits1References2
ATTACKERKB
ATTACKERKB
added 2026/07/01 11:28 a.m.6 views

CVE-2026-13323

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...

4.1CVSS5.8AI score0.0019EPSS
Exploits1References3Affected Software1
OSV
OSV
added 2026/07/01 11:28 a.m.4 views

CVE-2026-13323

In Open VSX Registry before 1.0.2, the /vscode/unpkg/ endpoint serves user-supplied HTML files with Content-Type: text/html and without a Content-Security-Policy or Content-Disposition: attachment response header. An unauthenticated attacker can register a publisher account, upload a VSIX...

4.1CVSS6AI score0.0019EPSS
Exploits1References4
CVE
CVE
added 2026/07/01 11:28 a.m.36 views

CVE-2026-13323

Vulnerability CVE-2026-13323 affects Open VSX Registry before 1.0.2. The /vscode/unpkg/ endpoint serves user-supplied HTML without CSP or Content-Disposition headers, enabling a publisher to upload a crafted VSIX and lure authenticated users to visit the URL. This inline rendering in the open-vsx...

8.7CVSS5.8AI score0.0019EPSS
Exploits1References2Affected Software1
NVD
NVD
added 2026/06/19 7:16 p.m.13 views

CVE-2026-12726

A flaw was found in the AWX GitHub webhook integration. When processing GitHub pullrequest webhooks, the controller stores the pullrequest.statusesurl value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub...

6.3CVSS0.00204EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/19 6:49 p.m.26 views

CVE-2026-12726 Awx: automation-controller: awx: github webhook second-order ssrf via unvalidated statuses_url exfiltrates pat credential

A flaw was found in the AWX GitHub webhook integration. When processing GitHub pullrequest webhooks, the controller stores the pullrequest.statusesurl value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub...

6.3CVSS0.00204EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 2026/06/19 6:49 p.m.5 views

CVE-2026-12726

A flaw was found in the AWX GitHub webhook integration. When processing GitHub pullrequest webhooks, the controller stores the pullrequest.statusesurl value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub...

6.3CVSS5.8AI score0.00204EPSS
Exploits0References3
CVE
CVE
added 2026/06/19 6:49 p.m.43 views

CVE-2026-12726

AWX/AUTOMATION-CONTROLLER GitHub webhook integration vulnerability (CVE-2026-12726): processing of GitHub pull_request webhooks stores statuses_url from the payload without validating it points to a trusted GitHub API endpoint. If a job template uses a GitHub Personal Access Token as the webhook ...

6.3CVSS5.8AI score0.00204EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2026/06/19 6:44 p.m.10 views

CVE-2026-12726

A flaw was found in the AWX GitHub webhook integration. When processing GitHub pullrequest webhooks, the controller stores the pullrequest.statusesurl value from the webhook payload without validating that it points to a trusted GitHub API endpoint. If a job template is configured with a GitHub...

6.3CVSS5.8AI score0.00204EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/06/19 12:0 a.m.22 views

PT-2026-51010

Name of the Vulnerable Software and Affected Versions AWX affected versions not specified Description A flaw exists in the GitHub webhook integration where the controller stores the pull request.statuses url value from a pull request webhook payload without validating if it points to a trusted...

6.3CVSS5.9AI score0.00204EPSS
Exploits0References5
RedhatCVE
RedhatCVE
added 2026/06/05 7:18 p.m.12 views

CVE-2026-45132

CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow generate-schema.yaml exposes sensitive credentials Personal Access Token and SSH signing key to fork-controlled code due to unsafe checkout and credential handling practices. Th...

10CVSS5.5AI score0.0026EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/06/01 4:13 p.m.11 views

CVE-2026-45132 CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling

CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow generate-schema.yaml exposes sensitive credentials Personal Access Token and SSH signing key to fork-controlled code due to unsafe checkout and credential handling practices. Th...

10CVSS5.8AI score0.0026EPSS
Exploits0References2
CVE
CVE
added 2026/06/01 4:13 p.m.26 views

CVE-2026-45132

CVE-2026-45132 concerns CloudPirates Open Source Helm Charts. Prior to commit fcf9302, a GitHub Actions workflow (generate-schema.yaml) exposed sensitive credentials—Personal Access Token and an SSH signing key —to fork-controlled code due to unsafe checkout and credential handling practices. The...

10CVSS5.8AI score0.0026EPSS
Exploits0References2
Cvelist
Cvelist
added 2026/06/01 4:13 p.m.38 views

CVE-2026-45132 CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling

CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow generate-schema.yaml exposes sensitive credentials Personal Access Token and SSH signing key to fork-controlled code due to unsafe checkout and credential handling practices. Th...

10CVSS0.0026EPSS
Exploits0References2
OSV
OSV
added 2026/06/01 4:13 p.m.4 views

CVE-2026-45132 CloudPirates Open Source Helm Charts: GitHub Actions workflow leaks PAT and SSH signing key via unsafe credential handling

CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow generate-schema.yaml exposes sensitive credentials Personal Access Token and SSH signing key to fork-controlled code due to unsafe checkout and credential handling practices. Th...

10CVSS5.9AI score0.0026EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.26 views

PT-2026-45468

Name of the Vulnerable Software and Affected Versions CloudPirates Open Source Helm Charts versions prior to commit fcf9302 Description A GitHub Actions workflow named 'generate-schema.yaml' exposes sensitive credentials, specifically a Personal Access Token and an SSH signing key, to code...

10CVSS5.3AI score0.0026EPSS
Exploits0References8
EUVD
EUVD
added 2026/05/26 9:8 p.m.16 views

EUVD-2026-32003

GitLab MCP Server lets an AI agent talk directly to GitLab. Prior to 0.6.0, the HTTP transport in src/transport.ts ships with no authentication layer at all and a wildcard Access-Control-Allow-Origin: on every response. The structural defect is that the SSE server stands up a stateful,...

9.2CVSS5.8AI score0.00392EPSS
Exploits0References1
CNNVD
CNNVD
added 2026/05/26 12:0 a.m.11 views

GitLab MCP Server 安全漏洞

GitLab MCP Server is an open-source tool developed by yoda.digital that connects AI agents with GitLab repositories. Versions of GitLab MCP Server prior to 0.6.0 contained security vulnerabilities. These vulnerabilities stemmed from the lack of authentication mechanisms at the HTTP transport laye...

9.2CVSS5.8AI score0.00392EPSS
Exploits0References1
Rows per page
Query Builder