11 matches found
USN-8012-1 gh vulnerabilities
It was discovered that GitHub CLI did not validate the file names inside a GitHub Actions workflow artifact before writing them to disk when users downloaded a malicious artifact through gh run download. An attacker could possibly use this issue to create or overwrite files in unintended directories. CVE-2024-54132 It was discovered that GitHub CLI...
EUVD-2025-14654
Malicious code in bioql PyPI...
Malicious code in get-latest-workflow-artifact (npm)
Source: ghsa-malware 9d2fe1e8a2dd5f7f462bc112e5e6f5740518b4ade0c28f710ddb195f0415cbdd. Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...
CVE-2025-46820 phpgt/Dom exposes the GITHUB_TOKEN in Dom workflow run artifact
phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the...
PT-2025-19986 · Phpgt/Dom · Phpgt/Dom
Name of the Vulnerable Software and Affected Versions: phpgt/Dom versions prior to 4.1.8 Description: The issue exposes the GITHUB_TOKEN in the Dom workflow run artifact. This occurs because the ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact, which is a zip of t...
CVE-2025-32958 Adept exposed the GITHUB_TOKEN in workflow run artifact
Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file...
CVE-2025-32958
Adept (prior to commit a1a41b7) exposed the GITHUB_TOKEN via the mac-standalone artifact created by remoteBuild.yml using actions/upload-artifact@v4. The artifact was a zip of the current directory that included the generated .git/config containing the run’s token, enabling an attacker to extract...
AZL-54009 CVE-2024-54132 affecting package gh for versions less than 2.13.0-23
The GitHub CLI is GitHub’s official command line tool. A security vulnerability has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run download. This vulnerability stems from ...
GitHub CLI path traversal vulnerability
GitHub CLI is GitHub's open source tool for working with GitHub from the command line. A path traversal vulnerability exists in GitHub CLI version 2.63.0 and earlier: files may be created or overwritten in unintended directories when a user downloads a malicious GitHub...
PT-2024-9531
Name of the Vulnerable Software and Affected Versions: GitHub CLI versions prior to 2.63.1 Description: A security issue has been identified in GitHub CLI that could create or overwrite files in unintended directories when users download a malicious GitHub Actions workflow artifact through gh run...
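The two artifact problems listed on this page, entry names that escape the download directory (the gh run download entries above) and a whole-directory upload that ships .git/config with the run's token (the phpgt/Dom and Adept entries), can both be caught by inspecting an artifact zip before anything is written to disk. The following Go program is an added example written for this page; it is not code from GitHub CLI, phpgt/Dom, Adept or any of the listed advisories. It assumes the credential format actions/checkout writes when persist-credentials is left at its default (an http extraheader of the form "AUTHORIZATION: basic base64(x-access-token:TOKEN)"), and the sample artifact it audits is constructed in memory with a fake token placeholder.

```go
package main

import (
	"archive/zip"
	"bytes"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"path/filepath"
	"strings"
)

// Finding records one problem found in an artifact entry.
type Finding struct {
	Entry  string // zip entry name as stored in the artifact
	Kind   string // "traversal" or "credential"
	Detail string // error text, or the decoded credential
}

// SafeJoin joins an untrusted zip entry name onto dest and rejects any result that
// does not stay inside dest. A downloader must apply this kind of check before
// creating files from artifact entry names; skipping it is the CVE-2024-54132 class.
func SafeJoin(dest, name string) (string, error) {
	if filepath.IsAbs(name) {
		return "", fmt.Errorf("entry %q is an absolute path", name)
	}
	cleanDest := filepath.Clean(dest)
	target := filepath.Join(cleanDest, name) // Join resolves "..", so compare afterwards
	rel, err := filepath.Rel(cleanDest, target)
	if err != nil {
		return "", err
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("entry %q escapes %q", name, dest)
	}
	return target, nil
}

// DecodeExtraHeader recovers the credential from a git extraheader line of the form
// "AUTHORIZATION: basic <base64(user:token)>" (the layout assumed for actions/checkout).
func DecodeExtraHeader(line string) (string, bool) {
	const prefix = "AUTHORIZATION: basic "
	idx := strings.Index(line, prefix)
	if idx < 0 {
		return "", false
	}
	raw, err := base64.StdEncoding.DecodeString(strings.TrimSpace(line[idx+len(prefix):]))
	if err != nil {
		return "", false
	}
	return string(raw), true
}

// AuditArtifact inspects every entry of an in-memory artifact zip and reports entry
// names that would escape dest plus any credential found in a bundled .git/config.
func AuditArtifact(zipData []byte, dest string) ([]Finding, error) {
	r, err := zip.NewReader(bytes.NewReader(zipData), int64(len(zipData)))
	// With GODEBUG=zipinsecurepath=0 the reader itself flags non-local names; that is
	// not fatal here because the entries are checked individually below.
	if err != nil && !errors.Is(err, zip.ErrInsecurePath) {
		return nil, err
	}
	var findings []Finding
	for _, f := range r.File {
		if _, err := SafeJoin(dest, f.Name); err != nil {
			findings = append(findings, Finding{f.Name, "traversal", err.Error()})
		}
		name := strings.TrimPrefix(f.Name, "./")
		if name != ".git/config" && !strings.HasSuffix(name, "/.git/config") {
			continue
		}
		rc, err := f.Open()
		if err != nil {
			return nil, err
		}
		body, err := io.ReadAll(rc)
		rc.Close()
		if err != nil {
			return nil, err
		}
		for _, line := range strings.Split(string(body), "\n") {
			if cred, ok := DecodeExtraHeader(line); ok {
				findings = append(findings, Finding{f.Name, "credential", cred})
			}
		}
	}
	return findings, nil
}

// BuildSampleArtifact constructs (for this example only) an artifact with both
// problems: a traversal entry name and a checkout-style .git/config. The token is fake.
func BuildSampleArtifact() []byte {
	gitConfig := "[core]\n\tbare = false\n[http \"https://github.com/\"]\n\textraheader = AUTHORIZATION: basic " +
		base64.StdEncoding.EncodeToString([]byte("x-access-token:ghs_EXAMPLE_NOT_A_REAL_TOKEN")) + "\n"
	entries := []struct{ name, content string }{
		{"build/app.tar.gz", "not a real tarball"},
		{"../../.bashrc", "echo pwned"},
		{".git/config", gitConfig},
	}
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, e := range entries {
		fw, _ := w.Create(e.name)
		_, _ = fw.Write([]byte(e.content))
	}
	_ = w.Close()
	return buf.Bytes()
}

func main() {
	findings, err := AuditArtifact(BuildSampleArtifact(), "/tmp/artifact-out")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-10s %-20s %s\n", f.Kind, f.Entry, f.Detail)
	}
}
```

Run it with go run and it prints one traversal finding for ../../.bashrc and one credential finding whose decoded value is x-access-token:ghs_EXAMPLE_NOT_A_REAL_TOKEN. The same audit applied to a real download would surface the .git/config leak before the artifact is shared, and the SafeJoin check is the containment test a downloader needs regardless of how the archive was produced.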
PT-2024-35462 · Argo Helm · Argo Helm
Name of the Vulnerable Software and Affected Versions: Argo Helm versions prior to 0.45.0 Description: The issue is related to the workflow-role lacking granularity in its privileges, giving unnecessary permissions to workflowtasksets and workflowartifactgctasks for all workflow Pods. This could...