21 matches found
CVE-2026-45131
CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow pull-request.yaml executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens...
EUVD-2026-33666
CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow pull-request.yaml executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens...
PT-2026-45467
CloudPirates Open Source Helm Charts is a collection of Helm charts. Prior to commit fcf9302, a GitHub Actions workflow pull-request.yaml executes attacker-controlled code from fork pull requests in a privileged context, exposing repository secrets including Docker Hub credentials and tokens...
CVE-2026-1699
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used the pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to...
PT-2026-5388
In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used the pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access t...
EUVD-2022-6338
Malicious code in bioql PyPI...
EUVD-2025-27053
Malicious code in bioql PyPI...
Race Condition
Overview Affected versions of this package are vulnerable to Race Condition in the repository credentials handler of the util/db/repositorysecrets.go file while performing concurrent operations for the same repository URL. An attacker can cause the server to crash and become unavailable by...
CVE-2025-58371
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a GitHub workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner...
CVE-2025-58371 Roo Code is vulnerable to command injection via GitHub Actions workflow
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a GitHub workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner...
PT-2025-28898 · Folo · Folo
Name of the Vulnerable Software and Affected Versions: Folo (affected versions not specified). Description: Folo organizes feeds content into one timeline. The use of pull_request_target in the .github/workflows/auto-fix-lint-format-commit.yml workflow file can be exploited by attackers to execute...
New GitHub Action supply chain attack: reviewdog/action-setup
A supply chain attack on tj-actions/changed-files caused many repositories to leak their secrets over the weekend. Wiz Research has discovered an additional supply chain attack on reviewdog/action-setup@v1 that may have contributed to the compromise of tj-actions/changed-files...
SUSE CVE-2025-27616
Vela is a Pipeline Automation CI/CD framework built on Linux container technology written in Golang. Prior to versions 0.25.3 and 0.26.3, by spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo level secrets to ...
CVE-2025-27616
Vela Server (CI/CD framework) is affected in versions prior to 0.25.3 and 0.26.3. By spoofing a webhook payload with a specific set of headers and body data, an attacker could transfer ownership of a repository and its repo-level CI secrets to another repository. Those secrets could be exfiltrate...
CVE-2021-32724
check-spelling is a GitHub Action which provides CI spell checking. In affected versions and for a repository with the check-spelling action enabled that triggers on pull_request_target or schedule, an attacker can send a crafted Pull Request that causes a GITHUB_TOKEN to be exposed. With the...
CVE-2021-32724
CVE-2021-32724 affects the GitHub Action check-spelling (check-spelling/check-spelling). In workflows that run on pull_request_target or schedule, a crafted PR can cause exposure of the GITHUB_TOKEN, enabling the attacker to push commits with repository-level access and potentially exfiltrate sec...
check-spelling log information disclosure vulnerability
check-spelling is a spell checker. check-spelling suffers from a log information disclosure vulnerability that allows an attacker to bypass the standard approval process to push commits to the repository, commits to the repository can then steal any/all secrets available to the repository...
CVE-2021-21423
projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type including any project type...