CVE-2026-40610

BentoML is a Python library for building online serving systems optimized for AI apps and model inference. In versions 1.4.38 and prior, the build packaging workflow follows attacker-controlled symlinks inside the build context and copies the referenced file contents into the generated Bento...

CVE-2026-43895 jq: Embedded NUL in jq import paths causes local redaction-policy bypass and preserves sensitive fields in published artifacts

jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during module and data-file lookup. This creates a mismatch between the logical import string that policy o...

CVE-2026-40313 PraisonAI: ArtiPACKED Vulnerability via GitHub Actions Credential Persistence

PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the...

CVE-2026-40313

Summary: PraisonAI versions ≤ 4.5.139 expose GitHub Actions credential leakage via ArtiPACKED attack due to actions/checkout persisting GITHUB_TOKEN (and sometimes ACTIONS_RUNTIME_TOKEN) in the repository’s .git/config when artifacts are uploaded from workflows. This can allow read-access users t...

CVE-2026-40313

PraisonAI is a multi-agent teams system. In versions 4.5.139 and below, the GitHub Actions workflows are vulnerable to ArtiPACKED attack, a known credential leakage vector caused by using actions/checkout without setting persist-credentials: false. By default, actions/checkout writes the...

GO-2025-4024 Argo Workflow may expose artifact repository credentials in github.com/argoproj/argo-workflows

Argo Workflow may expose artifact repository credentials in github.com/argoproj/argo-workflows...

CVE-2025-53902

Tuleap exposes confidential artifact information to unauthorized users via email notifications. CVE-2025-53902 affects Tuleap Community Edition <16.9.99.1752585665 and Tuleap Enterprise Edition <16.8-6 and

CVE-2025-32953

z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPU. In version 1.38 and prior, the makefile-ubuntu.yml workflow file uses actions/upload-artifact@v4 to upload the z80pack-ubuntu artifact. This artifact is a zip of the current directory, which includes the automatically...

CVE-2025-32953

CVE-2025-32953 affects z80pack (versions 1.38 and earlier). The root cause is in the makefile-ubuntu.yml workflow, which uses actions/upload-artifact@v4 to package z80pack-ubuntu as an artifact that zip-compresses the current directory and includes the generated .git/config containing the run’s G...

GitLab Enterprise Edition和GitLab Community Edition 安全漏洞

GitLab Enterprise Edition EE and GitLab Community Edition CE are both products of GitLab, Inc. GitLab Enterprise Edition is a content management system. GitLab Enterprise Edition is a content management system. A security vulnerability exists in GitLab Enterprise Edition and GitLab Community...