Lucene search
K

148 matches found

Cvelist
Cvelist
added 2026/06/26 4:48 p.m.38 views

CVE-2026-55441 mise: Arbitrary command execution via task-include files in an untrusted, config-less repository

mise manages dev tools like node, python, cmake, and terraform. Prior to 2026.6.4, mise's trust feature gates config files mise.toml, .tool-versions through trustcheck, but task-include files are loaded on a path that never reaches it. When a directory has a task-include dir mise-tasks/,...

8.6CVSS0.00184EPSS
Exploits0References1
OSV
OSV
added 2026/06/11 1:25 p.m.7 views

GHSA-QQ6C-99PV-PRVF PDM: Project-Controlled `.pdm-plugins` Content Executes Before CLI Parsing

Summary PDM automatically loads project-local plugin paths from .pdm-plugins during Core initialization. Because this path is added via site.addsitedir, attacker-controlled .pth files inside the project plugin directory are processed and can execute Python code before normal CLI handling begins...

8.4CVSS6.3AI score0.00028EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/06/10 9:55 p.m.7 views

CVE-2026-42305 Dulwich has an arbitrary file write via NTFS-hostile tree entries on Windows

Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accept...

8.8CVSS6.5AI score0.00635EPSS
Exploits0References4
EUVD
EUVD
added 2026/06/10 9:55 p.m.12 views

EUVD-2026-36181

Dulwich is a pure-Python implementation of the Git file formats and protocols. Versions starting with 0.10.0 and prior to 1.2.5 have an arbitrary file write leading to remote code execution when cloning or checking out a malicious Git repository on Windows. Dulwich's path-element validator accept...

9.8CVSS8.4AI score0.02225EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2026/06/05 7:47 p.m.11 views

CVE-2026-45772

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection...

9.8CVSS6.2AI score0.00386EPSS
Exploits0References1
F5 Networks
F5 Networks
added 2026/06/05 3:53 p.m.40 views

K000161612: Golang vulnerabilities CVE-2025-4674 and CVE-2025-61724

Security Advisory Description CVE-2025-4674 The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS e.g. Git, but contai...

8.6CVSS6.8AI score0.00526EPSS
Exploits0
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.9 views

Astra Linux – Vulnerability in Git

Git is a version control system. Before versions 2.45.1, 2.44.1, 2.43.4, 2.42.2, 2.41.1, 2.40.2, and 2.39.4, repositories containing submodules could be exploited through a bug in Git. This bug allowed an attacker to manipulate the creation of files—specifically, files that were written into the...

9CVSS7.1AI score0.25334EPSS
Exploits32References2
AstraLinux
AstraLinux
added 2026/05/20 5:53 a.m.6 views

Astra Linux – Vulnerability in Git

Git is a version control system. Prior to versions 2.30.9, 2.31.8, 2.32.7, 2.33.8, 2.34.8, 2.35.8, 2.36.6, 2.37.7, 2.38.5, 2.39.3, and 2.40.1, a specially crafted .gitmodules file with submodule URLs that were longer than 1024 characters could be used to exploit a bug in...

7.8CVSS8AI score0.06079EPSS
Exploits2References2
EUVD
EUVD
added 2026/05/19 7:46 p.m.13 views

EUVD-2026-30551

Turbo: Unexpected local code execution during Yarn Berry detection...

9.8CVSS6.2AI score0.00386EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/05/19 7:46 p.m.13 views

Turbo: Unexpected local code execution during Yarn Berry detection

Impact Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection executed yarn --version from the project directory, which could cause Yarn to load and execute a...

9.8CVSS6.4AI score0.00386EPSS
Exploits0References3Affected Software3
NVD
NVD
added 2026/05/15 4:16 p.m.15 views

CVE-2026-45772

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection...

9.8CVSS0.00386EPSS
Exploits0References1
Cvelist
Cvelist
added 2026/05/15 3:45 p.m.44 views

CVE-2026-45772 Turborepo: Unexpected local code execution during Yarn Berry detection

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection...

0.00386EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2026/05/15 3:45 p.m.10 views

CVE-2026-45772 Turborepo: Unexpected local code execution during Yarn Berry detection

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection...

6.4AI score0.00386EPSS
Exploits0References1
ATTACKERKB
ATTACKERKB
added 2026/05/15 3:45 p.m.5 views

CVE-2026-45772

Turborepo is a high-performance build system for JavaScript and TypeScript codebases. From 1.1.0 to before 2.9.14, Turborepo can be vulnerable to arbitrary code execution when run in untrusted repositories that contain malicious Yarn configuration. In affected versions, package manager detection...

6.4AI score0.00386EPSS
Exploits0References2Affected Software3
CVE
CVE
added 2026/05/15 3:45 p.m.51 views

CVE-2026-45772

Turborepo (versions 1.1.0–2.9.13) is vulnerable to arbitrary code execution when run in untrusted repositories containing malicious Yarn configuration. The issue arises because package manager detection executes yarn --version from the project directory, potentially loading a project-controlled y...

9.8CVSS6.4AI score0.00386EPSS
Exploits0References1Affected Software1
Tenable Nessus
Tenable Nessus
added 2026/05/14 12:0 a.m.9 views

Unity Linux 20.1070a Security Update: git (UTSA-2026-021384)

The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-021384 advisory. Gitk is a Tcl/Tk based Git history browser. Starting with 1.7.0, when a user clones an untrusted repository and runs gitk without additional command arguments, files...

3.6CVSS6.4AI score0.00287EPSS
Exploits0References4
Snyk
Snyk
added 2026/03/26 6:27 p.m.6 views

Symlink Attack

Overview Affected versions of this package are vulnerable to Symlink Attack when processing Git URL fragment subdir components. An attacker can access files outside the intended Git repository root by specifying a crafted subdir value in the URL fragment. Note: This is only exploitable if builds...

8.2CVSS5.9AI score0.00463EPSS
Exploits0References3
OSV
OSV
added 2026/03/18 1:15 a.m.5 views

CVE-2026-28500 ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack

Open Neural Network Exchange ONNX is an open standard for machine learning interoperability. In versions up to and including 1.20.1, a security control bypass exists in onnx.hub.load due to improper logic in the repository trust verification mechanism. While the function is designed to warn users...

8.6CVSS5.9AI score0.00318EPSS
Exploits0References8
Github Security Blog
Github Security Blog
added 2026/03/16 4:23 p.m.10 views

ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack

What's the issue Passing silent=True to onnx.hub.load kills all trust warnings and user prompts. This means a model can be downloaded from any unverified GitHub repo with zero user awareness. python if not verifyreporefrepo and not silent: completely skipped when silent=True print"The model repo...

9.1CVSS6.2AI score0.00318EPSS
Exploits0References5Affected Software1
OSV
OSV
added 2026/03/16 4:23 p.m.1 views

GHSA-HQMJ-H5C6-369M ONNX Untrusted Model Repository Warnings Suppressed by silent=True in onnx.hub.load() — Silent Supply-Chain Attack

What's the issue Passing silent=True to onnx.hub.load kills all trust warnings and user prompts. This means a model can be downloaded from any unverified GitHub repo with zero user awareness. python if not verifyreporefrepo and not silent: completely skipped when silent=True print"The model repo...

8.6CVSS6.2AI score0.00318EPSS
Exploits0References5
Rows per page
Query Builder