42 matches found
Coder < 2.29.7 / 2.30.x < 2.30.2 Workspace Auto-Creation Without Consent (CVE-2026-44454)
The version of Coder installed on the remote host is prior to 2.29.7 or 2.30.x prior to 2.30.2. It is, therefore, affected by a command injection vulnerability. The dotfiles registry module passed unsanitized user input to shell commands, enabling arbitrary code execution inside provisioned...
CVE-2026-59854 SiYuan: Incomplete IsSensitivePath denylist: globalCopyFiles reads home-dir credential dotfiles into the workspace
SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, POST /api/file/globalCopyFiles accepts attacker-supplied absolute source paths and relies on util.IsSensitivePath in kernel/util/path.go, whose denylist misses common home-directory credential files such as...
CVE-2026-44454 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a craft...
Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
Command injection via dotfiles URI parameter combined with workspace auto-creation Summary The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfilesuri value for example,...
GHSA-M3CR-VC2J-PM27 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent
Command injection via dotfiles URI parameter combined with workspace auto-creation Summary The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfilesuri value for example,...
PT-2026-55445
Name of the Vulnerable Software and Affected Versions coder versions prior to 2.29.7 coder versions prior to 2.30.2 Description A command injection issue exists in the dotfiles registry module where unsanitized user input is passed to shell commands. An attacker can provide a crafted dotfiles uri...
[SECURITY] Fedora 44 Update: chezmoi-2.70.5-1.fc44
Manage your dotfiles across multiple diverse machines, securely...
MAL-2026-5641 Malicious code in goreleaser-run (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f2733e0c086915d44eb8c971575087d9260bf1133d62da63920b578cf7e60c30 Package impersonates the legitimate goreleaser tool name goreleaser-run, homepage spoofed to https://goreleaser.org; goreleaser is not officially...
Malicious code in wallet-security-checker (npm)
A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...
Malicious code in chain-key-validator (npm)
A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...
Malicious code in eth-wallet-sentinel (npm)
A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...
MAL-2026-4203 Malicious code in crypto-credential-scanner (npm)
A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...
MAL-2026-4205 Malicious code in defi-threat-scanner (npm)
A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...
Malicious code in defi-env-auditor (npm)
A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...
MAL-2026-4204 Malicious code in defi-env-auditor (npm)
A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...
GHSA-H5VH-M7FG-W5H6 SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets
Summary POST /api/file/globalCopyFiles reads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace an...
[SECURITY] Fedora 42 Update: chezmoi-2.69.4-1.fc42
Manage your dotfiles across multiple diverse machines, securely...
CVE-2026-1665
A command injection vulnerability exists in nvm Node Version Manager versions 0.40.3 and below. The nvmdownload function uses eval to execute wget commands, and the NVMAUTHHEADER environment variable was not sanitized in the wget code path though it was sanitized in the curl code path. An attacke...
[SECURITY] Fedora 43 Update: chezmoi-2.69.0-1.fc43
Manage your dotfiles across multiple diverse machines, securely...
[SECURITY] Fedora 43 Update: chezmoi-2.68.1-1.fc43
Manage your dotfiles across multiple diverse machines, securely...