42 matches found
CVE-2026-31852
Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions nearly all write permissions, this vulnerability enables...
CVE-2026-31852
Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions nearly all write permissions, this vulnerability enables...
CVE-2026-31852
CVE-2026-31852 affects the Jellyfin project, specifically the GitHub Actions workflow in jellyfin/jellyfin-ios (code-quality.yml). The root cause is an elevated-permissions workflow that accepts pull requests from forked repositories, enabling arbitrary code execution and full takeover of the jel...
EUVD-2026-11242
Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions nearly all write permissions, this vulnerability enables...
Jellyfin 安全漏洞
Jellyfin is an open-source free software media system developed by Jellyfin. It allows you to control the management and streaming of media. It serves as a replacement for proprietary products like Emby and Plex, enabling the delivery of media from proprietary servers to end-user devices through...
CVE-2026-24480 QGIS had validated RCE and Repository Takeover via GitHub Actions
QGIS is a free, open source, cross platform geographical information system GIS The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it...
CVE-2026-24480 QGIS had validated RCE and Repository Takeover via GitHub Actions
QGIS is a free, open source, cross platform geographical information system GIS The repository contains a GitHub Actions workflow called "pre-commit checks" that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it...
CVE-2026-24480
CVE-2026-24480 affects QGIS’ GitHub Actions workflow named “pre-commit checks.” Before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, the workflow used pull_request_target and checked out/executed untrusted PR code in a privileged context, allowing potential remote code execution and repository...
CVE-2023-40034
Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data witch lead to an update of the repository data that can e.g. allow the takeover of an repo. This is only critical if the CI is configured for public usage and connected to a for...
EUVD-2024-42300
Malicious code in bioql PyPI...
EUVD-2025-0031
Malicious code in bioql PyPI...
EUVD-2025-23165
Malicious code in bioql PyPI...
curl: Account/Repository Takeover via Abandoned GitHub Username in curl's href_extractor.c
Summary: The hrefextractor.c example in the curl repository https://github.com/curl/curl/blob/master/docs/examples/hrefextractor.c references an external HTML parser library hosted at https://github.com/arjunc77/htmlstreamparser. The referenced GitHub username arjunc77 or repository...
CVE-2025-54430
dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomme...
CVE-2025-54430 dedupe is vulnerable to secret exfiltration via `issue_comment`
dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomme...
CVE-2025-54430 dedupe is vulnerable to secret exfiltration via `issue_comment`
dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomme...
PT-2025-31382 · Dedupe · Dedupe
Name of the Vulnerable Software and Affected Versions: dedupe versions prior to commit 3f61e79 Description: dedupe is a Python library used for fuzzy matching, deduplication, and entity resolution on structured data. A critical severity issue exists in the .github/workflows/benchmark-bot.yml...
CVE-2025-54415 dag-factory's CI/CD Workflow Allows for Repository Takeover and Secret Exfiltration
dag-factory is a library for Apache Airflow® to construct DAGs declaratively via configuration files. In versions 0.23.0a8 and below, a high-severity vulnerability has been identified in the cicd.yml workflow within the astronomer/dag-factory GitHub repository. The workflow, specifically when...
CVE-2025-54415 dag-factory's CI/CD Workflow Allows for Repository Takeover and Secret Exfiltration
dag-factory is a library for Apache Airflow® to construct DAGs declaratively via configuration files. In versions 0.23.0a8 and below, a high-severity vulnerability has been identified in the cicd.yml workflow within the astronomer/dag-factory GitHub repository. The workflow, specifically when...
CVE-2025-54415
CVE-2025-54415 affects the dag-factory project (Apache Airflow) for versions ≤ 0.23.0a8. The vulnerability lies in the cicd.yml workflow configured in the astronomer/dag-factory GitHub repository, which, when triggered by pull_request_target, can be exploited to execute arbitrary code in the GitH...