Lucene search
K

969 matches found

OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago7 views

Malicious code in antsrcsrctest (npm)

The npm package antsrcsrctest masquerades as a "simple date formatting utility" index.js exports a harmless formatDate function that is never referenced by the malicious code but is a credential-harvesting and cloud-metadata-stealing reconnaissance tool. It declares a preinstall: node preinstall....

6.1AI score
Exploits0References2
NVD
NVD
added last week7 views

CVE-2026-14967

BBOT's githubworkflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODEREPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the...

3.1CVSS0.00198EPSS
Exploits0References1
Cvelist
Cvelist
added last week32 views

CVE-2026-14967 Path traversal in github_workflows allows writing artifacts outside output directory

BBOT's githubworkflows module could be induced to write a downloaded artifact outside its configured output directory: its path-containment check did not resolve .., so a crafted CODEREPOSITORY URL could traverse out of the intended folder. The write is bounded to two directory levels above the...

3.1CVSS0.00198EPSS
Exploits0References1
CVE
CVE
added last week6 views

CVE-2026-14967

BBOT’s github_workflows module has a path-traversal vulnerability: the path-containment check fails to resolve ‘..’, allowing a crafted CODE_REPOSITORY URL to traverse out of the configured output directory. The write is bounded to two directory levels above the output location and the target is ...

3.1CVSS5.9AI score0.00198EPSS
Exploits0References1
NVD
NVD
added 2026/07/03 9:17 p.m.11 views

CVE-2026-58426

Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write...

9.6CVSS0.00177EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/07/03 8:54 p.m.36 views

CVE-2026-58426 Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write

Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write...

9.6CVSS0.00177EPSS
Exploits0References4
OSV
OSV
added 2026/07/03 8:54 p.m.3 views

CVE-2026-58426 Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write

Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write...

9.6CVSS5.9AI score0.00177EPSS
Exploits0References6
ATTACKERKB
ATTACKERKB
added 2026/07/03 8:54 p.m.6 views

CVE-2026-58426

Gitea Actions Artifacts V4 signed URL HMAC ambiguity allows cross-repository artifact read and cross-task upload-state write...

9.6CVSS5.9AI score0.00177EPSS
Exploits0References5Affected Software1
CVE
CVE
added 2026/07/03 8:54 p.m.13 views

CVE-2026-58426

The CVE-2026-58426 affects Gitea, specifically the Actions Artifacts V4 signed URL mechanism, where an HMAC ambiguity enables cross-repository artifact read and cross-task upload-state write. The vulnerability stems from how signed URLs are validated, allowing unauthorized access across repositor...

9.6CVSS5.9AI score0.00177EPSS
Exploits0References4
Positive Technologies
Positive Technologies
added 2026/07/03 12:0 a.m.14 views

PT-2026-55658

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An HMAC ambiguity in Gitea Actions Artifacts V4 signed URLs allows for cross-repository artifact reading and cross-task upload-state writing. HMAC Hash-based Message Authentication Code is a...

9.6CVSS5.9AI score0.00177EPSS
Exploits0References11
Cvelist
Cvelist
added 2026/07/02 7:33 a.m.37 views

CVE-2026-9563

In Eclipse Parsson published Maven Central artifacts before version 1.1.8, the JSON parser did not enforce a default maximum on the number of characters consumed while parsing a single JSON document. Applications that parse attacker- controlled JSON can be forced to consume excessive CPU and memo...

7.5CVSS0.00366EPSS
Exploits0References5
AstraLinux
AstraLinux
added 2026/06/24 3:11 p.m.5 views

Astra Linux – Vulnerability in docker.io-app

Docker Compose relies on the path information embedded in remote OCI Compose artifacts. When a layer includes the annotations com.dockercompose.extends or com.dockercompose.envfile, Compose incorporates the value provided by the attacker from com.dockercompose.file/com.dockercompose.envfile into...

8.9CVSS8.6AI score0.13848EPSS
Exploits0References3
OSV
OSV
added 2026/06/24 11:53 a.m.1 views

CVE-2026-56370 ImageMagick - Out-of-bounds Access in ConnectedComponentsImage via connected-components Artifact

ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of...

4.8CVSS6AI score0.00121EPSS
Exploits0References4
Cvelist
Cvelist
added 2026/06/24 11:53 a.m.39 views

CVE-2026-56370 ImageMagick - Out-of-bounds Access in ConnectedComponentsImage via connected-components Artifact

ImageMagick before 7.1.2-19 contains an out-of-bounds access vulnerability in ConnectedComponentsImage when processing connected-components artifacts with invalid indices. Attackers can trigger access violations by specifying malformed connected-components definitions via CLI, causing denial of...

4.8CVSS0.00121EPSS
Exploits0References2
NVD
NVD
added 2026/06/22 11:16 p.m.11 views

CVE-2026-47155

vLLM is an inference and serving engine for large language models LLMs. Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image...

6.5CVSS0.00146EPSS
Exploits0References4
ATTACKERKB
ATTACKERKB
added 2026/06/22 10:20 p.m.5 views

CVE-2026-47155

vLLM is an inference and serving engine for large language models LLMs. Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image...

6.5CVSS5.8AI score0.00146EPSS
Exploits0References5Affected Software1
Cvelist
Cvelist
added 2026/06/22 10:20 p.m.28 views

CVE-2026-47155 vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors

vLLM is an inference and serving engine for large language models LLMs. Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image...

6.5CVSS0.00146EPSS
Exploits0References4
CVE
CVE
added 2026/06/22 10:20 p.m.46 views

CVE-2026-47155

CVE-2026-47155 affects vLLM prior to 0.22.0. Description: revision pinning controls do not consistently apply to all artifacts loaded for a model, enabling loading of dynamic code, GGUF files, image processors, retrieval side weights, or same-repository subfolder weights/config from an unpinned/d...

6.5CVSS5.8AI score0.00146EPSS
Exploits0References4Affected Software1
OSV
OSV
added 2026/06/22 10:20 p.m.5 views

CVE-2026-47155 vLLM: Artifact Pin Decay in vLLM allows pinned deployments to load unpinned code, weights, and processors

vLLM is an inference and serving engine for large language models LLMs. Prior to 0.22.0, vLLM's revision pinning controls do not consistently apply to all artifacts loaded for a model. A deployment that supplies --revision or --code-revision can still load dynamic code, GGUF files, image...

6.5CVSS6AI score0.00146EPSS
Exploits0References6
NVD
NVD
added 2026/06/19 10:16 a.m.15 views

CVE-2026-8296

In affected versions of Octopus Server with certain access levels it was possible to embed a Cross-Site Scripting Payload via artifacts...

5.6CVSS0.00198EPSS
Exploits0References1
Rows per page
Query Builder