Jujutsu does not have SHA-1 collision detection
Summary Jujutsu 0.28.0 and earlier rely on versions of gitoxide that use SHA-1 hash implementations without any collision detection, leaving them vulnerable to hash collision attacks. Details This is a result of the underlying CVE-2025-31130 / GHSA-2frx-2596-x5r6 vulnerability in the gitoxide...
CVE-2025-30370
CVE-2025-30370 affects the jupyterlab-git JupyterLab extension. When a user opens a repository whose directory name contains a shell command substitution (e.g., $()) and selects “Git > Open Git Repository in Terminal,” the extension previously executed a shell command via a cd to the repositor...
canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output
Impact Users using the github-token input are impacted. If the get-workflow-version-action step fails, the exception output may include the GITHUB_TOKEN. If the full token is included in the exception output, GitHub will automatically redact the secret from the GitHub Actions logs. However, the...
GHSA-26WH-CC3R-W6PJ canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output
Impact Users using the github-token input are impacted. If the get-workflow-version-action step fails, the exception output may include the GITHUB_TOKEN. If the full token is included in the exception output, GitHub will automatically redact the secret from the GitHub Actions logs. However, the...
CVE-2025-31479
CVE-2025-31479 : The GitHub composite action canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output for versions prior to 1.0.1. If the step fails, the exception may include tokens, which can be viewed by anyone with read access to the repository in GitHub Actio...
tough terminating targets role delegations are not respected
Summary Delegations are a mechanism defined by the TUF specification that allows multiple different identities to provide and sign content within a single repository. Terminating delegations and delegation priority give a TUF repository unambiguous control over how overlapping delegations are...
openSUSE Security Advisory (SUSE-SU-2025:0857-1)
The remote host is missing an update for the... SPDX-FileCopyrightText: 2025 Greenbone AG. Some text descriptions might be excerpted from referenced sources, and are Copyright (C) by the respective right holders. SPDX-License-Identifier: GPL-2.0-only...
Kubernetes GitRepo Volume Inadvertent Local Repository Access
A security vulnerability was discovered in Kubernetes that could allow a user with create pod permission to exploit gitRepo volumes to access local git repositories belonging to other pods on the same node. This CVE only affects Kubernetes clusters that utilize the in-tree gitRepo volume to clone...
Improper Input Validation
Overview Affected versions of this package are vulnerable to Improper Input Validation. An attacker with create pod permission could access local git repositories belonging to other pods on the same node by exploiting this vulnerability. Notes: 1 This is only exploitable if the cluster still uses...
CVE-2025-1767
CVE-2025-1767 affects Kubernetes clusters using the in-tree gitRepo volume to clone git repositories from pods on the same node. The in-tree gitRepo volume feature is deprecated and will not receive security updates upstream; clusters still using this feature remain vulnerable. The connected docu...
AI-Assisted Fake GitHub Repositories Fuel SmartLoader and LummaStealer Distribution
In this blog entry, we uncovered a campaign that uses fake GitHub repositories to distribute SmartLoader, which is then used to deliver Lumma Stealer and other malicious payloads. The campaign leverages GitHub’s trusted reputation to evade detection, using AI-generated content to make fake...
Exploit for Unrestricted Upload of File with Dangerous Type in Git
CVE-2024-32002: Exploiting Git RCE via git clone This repos...
12,000+ API Keys and Passwords Found in Public Datasets Used for LLM Training
A dataset used to train large language models (LLMs) has been found to contain nearly 12,000 live secrets, which allow for successful authentication. The findings once again highlight how hard-coded credentials pose a severe security risk to users and organizations alike, not to mention compounding...
Hackers Exploit Fake GitHub Repositories to Spread GitVenom Malware
Kaspersky's Securelist exposes the GitVenom campaign involving fake GitHub repositories to distribute malware. Targeting developers with seemingly legitimate...
The GitVenom campaign: cryptocurrency theft using GitHub
In our modern world, it's difficult to underestimate the impact that open-source code has on software development. Over the years, the global community has managed to publish a tremendous number of projects with freely accessible code that can be viewed and enhanced by anyone on the planet. Very...
UBUNTU-CVE-2024-31144
For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories (SRs). The metadata itself is stored in a Virtual Disk Image (VDI) inside ...
CVE-2024-31144 Xapi: Metadata injection attack against backup/restore functionality
For a brief summary of Xapi terminology, see: https://xapi-project.github.io/xen-api/overview.html#object-model-overview Xapi contains functionality to backup and restore metadata about Virtual Machines and Storage Repositories (SRs). The metadata itself is stored in a Virtual Disk Image (VDI) inside ...
CVE-2024-31144
CVE-2024-31144 affects Xen/Xapi backup/restore of VM/SR metadata via a VDI metadata store. The vulnerability arises because the host searches VDI images to locate the metadata VDI and restore metadata; a malicious guest can manipulate its disk to appear as a metadata backup, potentially causing m...