52 matches found
CVE-2026-45773
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a...
Directory Traversal
Overview compliance-trestle is a Tools to manage & autogenerate python objects representing the OSCAL layers/models Affected versions of this package are vulnerable to Directory Traversal through remote cache fetching. An attacker can write arbitrary files to locations outside the intended cache...
PT-2026-44160
Summary The compliance-trestle library's remote fetching cache mechanism HTTPSFetcher and SFTPFetcher constructs the local cache file path from the URL path component without sanitizing path traversal sequences ../. When a remote OSCAL profile references a URL with traversal in its path, the HTTP...
CVE-2026-45773
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a...
CVE-2026-45773 Turborepo: Login callback CSRF/session fixation
Turborepo is a high-performance build system for JavaScript and TypeScript codebases. Prior to 2.9.14, Turborepo's self-hosted login and SSO browser flows did not validate a CSRF state value on the localhost callback. While the CLI was waiting for authentication, a malicious web page could send a...
SUSE CVE-2026-34042
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and...
CVE-2026-34042
act: The CVE-2026-34042 flaw in the act project’s actions/cache server lets connections from any interface create caches with arbitrary keys and read existing caches, potentially enabling arbitrary remote code execution inside the local Docker container. The issue stems from listening on all inte...
CVE-2026-34042 act: actions/cache server allows malicious cache injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and...
Advisory ROSA-SA-2026-3203
Software: unbound 1.16.2 OS: ROSA Virtualization 2.1 unaffected versions = unbound-1.16.2-5.9.rv3 affected versions unbound-1.16.2-5.9.rv3 CVE-ID: CVE-2025-5994 BDU-ID: 2025-12600 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the Unbound DNS server is related to the loading of external unreliable...
Advisory ROSA-SA-2026-3165
Software: unbound 1.16.2 OS: ROSA Virtualization 3.1 unaffected versions = unbound-1.16.2-5.9.rv31 affected versions unbound-1.16.2-5.9.rv31 CVE-ID: CVE-2025-5994 BDU-ID: 2025-12600 CVE-Crit: HIGH CVE-DESC.: A vulnerability in the Unbound DNS server is related to the loading of external unreliabl...
[SECURITY] Fedora 43 Update: rust-sccache-0.13.0-3.fc43
Sccache is a ccache-like tool. It is used as a compiler wrapper and avoids compilation when possible. Sccache has the capability to utilize caching in remote storage environments, including various cloud storage options, or alternatively, in local storage...
OESA-2025-2632 kernel security update
The Linux Kernel, the operating system core itself. Security Fixes: In the Linux kernel, the following vulnerability has been resolved: SUNRPC: make sure cache entry active before cacheshow The function cshow was called with protection from RCU. This only ensures that cp will not be freed...
EUVD-2025-17809
Malicious code in bioql PyPI...
CVE-2025-36852
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...
GHSA-RRR2-JCR8-7Q3X @nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...
@nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...
CVE-2025-36852
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...
CVE-2025-36852 Build Cache Poisoning via Untrusted Pull Requests
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...
CVE-2025-36852 Build Cache Poisoning via Untrusted Pull Requests
A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...
CVE-2025-36852
CVE-2025-36852 describes a critical vulnerability in remote cache extensions used by build systems with bucket-based remote caches (e.g., Amazon S3, Google Cloud Storage). The issue allows contributors with pull request privileges to inject compromised artifacts from untrusted environments into t...