CVE Search Engine - Security Vulnerabilities and Exploits Search Tool

Positive Technologies•added 4 days ago•9 views

PT-2026-51010

Name of the Vulnerable Software and Affected Versions AWX affected versions not specified Description A flaw exists in the GitHub webhook integration where the controller stores the pull request.statuses url value from a pull request webhook payload without validating if it points to a trusted...

6.3CVSS5.9AI score

Exploits0References5

Github Security Blog•added 2026/06/16 1:47 p.m.•7 views

pypdf: Possible large memory usage for form XObjects during text extraction

Impact An attacker who uses this vulnerability can craft a PDF which leads to large memory usage. This requires extracting the text of a page which contains a form XObject with self-references. Patches This has been fixed in pypdf==6.12.2. Workarounds If you cannot upgrade yet, consider applying...

6.9CVSS5.2AI score0.00024EPSS

Exploits0References4Affected Software1

NVD•added 2026/06/11 7:16 p.m.•6 views

CVE-2026-48547

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS0.0091EPSS

NVD•added 2026/06/11 7:16 p.m.•7 views

CVE-2026-47172

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks ou...

9.5CVSS0.00324EPSS

NVD•added 2026/06/11 7:16 p.m.•8 views

CVE-2026-47174

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisf...

9.5CVSS0.00312EPSS

EUVD•added 2026/06/11 6:46 p.m.•8 views

EUVD-2026-36290

Vulnrichment•added 2026/06/11 6:46 p.m.•7 views

CVE-2026-47174 Duck Site: Untrusted pull request code can trigger privileged production deployment

Vulnrichment•added 2026/06/11 6:33 p.m.•9 views

CVE-2026-48547 KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml

8.5CVSS6AI score0.0091EPSS

EUVD•added 2026/06/11 6:28 p.m.•48 views

EUVD-2026-36300

CVE•added 2026/06/11 6:28 p.m.•13 views

CVE-2026-47172

Quest Bot (open-source Discord bot) contains a privilege escalation in the deploy workflow prior to v1.0.3. The repository’s privileged deploy workflow runs after the unprivileged build, and when a PR from a main branch is opened, the deploy workflow can check out the PR head_sha, build it into a...

Vulnrichment•added 2026/06/11 6:28 p.m.•7 views

CVE-2026-47172 Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_run` deployment.

EUVD•added 2026/06/11 5:53 p.m.•5 views

EUVD-2026-36273

KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull...

8.5CVSS6.7AI score0.00487EPSS

Exploits0References3

Positive Technologies•added 2026/06/11 12:0 a.m.•7 views

PT-2026-48711

Positive Technologies•added 2026/06/11 12:0 a.m.•10 views

Exploits0References3

PT-2026-48713

CNNVD•added 2026/06/11 12:0 a.m.•14 views

Duck Site 安全漏洞

Duck Site is a website content management tool open source by the Duck Organization. Versions of Duck Site prior to 1.0.1 contained security vulnerabilities. These vulnerabilities stemmed from improper deployment of workflow condition checks, which could allow attacker-controlled pull request cod...