5 matches found
CVE-2026-49988
Repomix is a tool that packs repositories into AI-friendly files. Prior to 1.14.1, the Repomix MCP server attachpackedoutput and readrepomixoutput flow can register and read arbitrary local .json, .txt, .md, or .xml files without the filesystemreadfile runSecretLint safety check or Repomix...
CVE-2026-49988
Repomix’s MCP server flow attach_packed_output followed by read_repomix_output can register and expose arbitrary local files (.json/.txt/.md/.xml) without running the secret-scan check, bypassing the file_system_read_file boundary. The root cause is that this path validates only by extension/form...
Unprotected Alternate Channel
Overview repomix is an A tool to pack repository contents to single file for AI consumption Affected versions of this package are vulnerable to Unprotected Alternate Channel through the attachpackedoutput process. An attacker can access sensitive information from arbitrary local .json, .txt, .md,...
NPM: repomix: attach_packed_output can bypass file-read secret scanning for supported local files
NPM: repomix: attachpackedoutput can bypass file-read secret scanning for supported local files vulnerability discovered by ? in WordPress Npm repomix versions = 1.14.0...
CVE-2026-3307 Authorization bypass in GitHub Enterprise Server secret scanning push protection allows cross-repository modification of delegated bypass reviewers
An authorization bypass vulnerability was identified in GitHub Enterprise Server that allowed an attacker with admin access on one repository to modify the secret scanning push protection delegated bypass reviewer list on another repository by manipulating the ownerid parameter in the request bod...