CVE-2026-48547

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

CVE-2026-48547

KanaDojo exposes a command injection in its release workflow. The vulnerability stems from patchNotesData.json fields version/changes being unsafely interpolated into a child_process.execSync() call within release.yml, allowing a PR with shell metacharacters to execute arbitrary commands. If a ma...

PT-2026-48720

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a child process.execSync ca...

Exploit for CVE-2026-39866

CVE-2026-39866 — Command Injection via unquoted workflow dispa...

CVE-2026-27938

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of $ github.event.pullrequest.body inside a run: shell block. When a pull request...

CVE-2026-27938 WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression in Release Workflow

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of $ github.event.pullrequest.body inside a run: shell block. When a pull request...

EUVD-2026-8803

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of $ github.event.pullrequest.body inside a run: shell block. When a pull request...

CVE-2026-27938

The CVE-2026-27938 entry documents a command injection flaw in the WPGraphQL repository (wp-graphql/wp-graphql) prior to version 2.9.1, stemming from an unsafe use of ${{ github.event.pull_request.body }} inside the release.yml shell run block. When a PR from develop to master is merged, the PR b...

CVE-2026-27938 WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression in Release Workflow

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of $ github.event.pullrequest.body inside a run: shell block. When a pull request...

PT-2026-22080

Name of the Vulnerable Software and Affected Versions WPGraphQL versions prior to 2.9.1 Description The WPGraphQL software includes a GraphQL API for WordPress sites. A GitHub Actions workflow file release.yml in the wp-graphql/wp-graphql repository is susceptible to OS command injection. This...

EUVD-2024-38192

Malicious code in bioql PyPI...

BIT-JUPYTERLAB-2024-39700 Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action

JupyterLab extension template is a copier template for JupyterLab extensions. Repositories created using this template with test option include update-integration-tests.yml workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to...

CVE-2024-39700

JupyterLab extension template is a copier template for JupyterLab extensions. Repositories created using this template with test option include update-integration-tests.yml workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to...

CVE-2024-39700 Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action

JupyterLab extension template is a copier template for JupyterLab extensions. Repositories created using this template with test option include update-integration-tests.yml workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to...

CVE-2024-39700 Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action

JupyterLab extension template is a copier template for JupyterLab extensions. Repositories created using this template with test option include update-integration-tests.yml workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to...

CVE-2024-39700 Remote Code Execution (RCE) vulnerability in jupyterlab extension template `update-integration-tests` GitHub Action

JupyterLab extension template is a copier template for JupyterLab extensions. Repositories created using this template with test option include update-integration-tests.yml workflow which has an RCE vulnerability. Extension authors hosting their code on GitHub are urged to upgrade the template to...

CVE-2024-39700

CVE-2024-39700 describes a remote code execution in the JupyterLab extension template copier, specifically in the update-integration-tests.yml workflow of the JupyterLab extension template used to bootstrap projects. The RCE is linked to repositories created with the template’s test option. Affec...