19 matches found
CVE-2026-45803
A flaw was found in GitHub CLI. A remote attacker who can influence GitHub Actions workflow log output could inject terminal escape sequences into workflow logs. When a user views these logs using gh run view --log or gh run view --log-failed, the injected sequences may be replayed by the user's...
GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Summary A security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. Details The vulnerability stems from the way GitHub CLI handles raw Actions log...
GHSA-CRC3-H8V6-QH57 GitHub CLI: GitHub Actions log output in `gh run view` allows terminal escape sequence injection
Summary A security vulnerability has been identified in GitHub CLI that could allow terminal escape sequence injection when users view GitHub Actions workflow logs using gh run view --log or gh run view --log-failed. Details The vulnerability stems from the way GitHub CLI handles raw Actions log...
GitHub CLI 安全漏洞
GitHub CLI is an open-source command-line interface for GitHub. Versions of GitHub CLI from 1.6.0 to 2.92.0 contained a security vulnerability. This vulnerability stemmed from the lack of cleaning terminal control sequences when processing GitHub Actions workflow logs. It could allow attackers to...
CVE-2025-31479 canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output
canonical/get-workflow-version-action is a GitHub composite action to get commit SHA that GitHub Actions reusable workflow was called with. Prior to 1.0.1, if the get-workflow-version-action step fails, the exception output may include the GITHUBTOKEN. If the full token is included in the excepti...
reviewdog/action-setup GitHub Action Embedded Malicious Code Vulnerability
reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to Github Actions Workflow Logs...
VulnCheck KEV: CVE-2025-30154
reviewdog action-setup GitHub Action contains an embedded malicious code vulnerability that dumps exposed secrets to Github Actions Workflow Logs...
tj-actions/changed-files GitHub Action Embedded Malicious Code Vulnerability
tj-actions/changed-files GitHub Action contains an embedded malicious code vulnerability that allows a remote attacker to discover secrets by reading Github Actions Workflow Logs. These secrets may include, but are not limited to, valid AWS access keys, GitHub personal access tokens PATs, npm...
CVE-2025-30066
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...
tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs.
Summary A supply chain attack compromised the tj-actions/changed-files GitHub Action, impacting over 23,000 repositories. Attackers retroactively modified multiple version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. The vulnerability existed between March 14 and...
GHSA-MRRH-FWG8-R2C3 tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs.
Summary A supply chain attack compromised the tj-actions/changed-files GitHub Action, impacting over 23,000 repositories. Attackers retroactively modified multiple version tags to reference a malicious commit, exposing CI/CD secrets in workflow logs. The vulnerability existed between March 14 and...
CVE-2025-30066
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...
CVE-2025-30066
CVE-2025-30066 affects tj-actions/changed-files before 46, where a malicious commit (0e58ed8) was used to alter tags (e.g., v1, v45.0.7) and cause secrets to be read from GitHub Actions logs. Public reports and advisories (CISA, OSV, GHSA) confirm secrets disclosure via runners’ logs in affected ...
CVE-2025-30066
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...
CVE-2025-30066
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...
CVE-2025-30066
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...
CVE-2025-30066
tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were modified by a threat actor to point at commit 0e58ed8, which contained malicious updateFeatures code...
HashiCorp Vault 日志信息泄露漏洞
HashiCorp Vault is a private key access management tool from HashiCorp Hashicorp USA. An information disclosure vulnerability exists in HashiCorp vault-action prior to version 2.2.0, which stems from a multi-line secret that fails to properly register with GitHub Actions to mask logs, which can b...
PT-2019-12932 · Open Source Matters · Joomla!
Name of the Vulnerable Software and Affected Versions: Joomla! versions prior to 3.9.7 Description: An issue was discovered in the CSV export of com actionslogs, which is vulnerable to CSV injection. Recommendations: For versions prior to 3.9.7, update to version 3.9.7 or later to resolve the iss...