10 matches found
SUSE CVE-2026-34041
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
CVE-2026-34041
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
CVE-2026-34041
act: Unrestricted set-env and add-path command processing enables environment injection in github.com/nektos/act. Prior to version 0.2.86, act unconditionally processes deprecated ::set-env:: and ::add-path:: commands, allowing an attacker to inject environment variables or modify PATH for subseq...
CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
CVE-2026-34041
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
Act 注入漏洞
Act is a locally run tool developed by Nektos and open source. Versions of Act prior to 0.2.86 had an injection vulnerability. This vulnerability stemmed from unconditionally processing the::set-env:: and::add-path:: workflow commands, which could lead to setting arbitrary environment variables o...
GHSA-XMGR-9PQC-H5VW act: Unrestricted set-env and add-path command processing enables environment injection
Summary act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub Actions disabled in October 2020 CVE-2020-15228, GHSA-mfwh-5m23-j46w due to environment injection risks. When a workflow step echoes untrusted data to stdout, an attacker can inject...
CVE-2020-15228
In the @actions/core npm module before version 1.2.6,addPath and exportVariable functions communicate with the Actions Runner over stdout by generating a string in a specific format. Workflows that log untrusted data to stdout may invoke these commands, resulting in the path or environment...