Lucene search
K

42 matches found

Tenable Nessus
Tenable Nessus
added 4 days ago9 views

Coder < 2.29.7 / 2.30.x < 2.30.2 Workspace Auto-Creation Without Consent (CVE-2026-44454)

The version of Coder installed on the remote host is prior to 2.29.7 or 2.30.x prior to 2.30.2. It is, therefore, affected by a command injection vulnerability. The dotfiles registry module passed unsanitized user input to shell commands, enabling arbitrary code execution inside provisioned...

8.8CVSS6.5AI score0.02642EPSS
Exploits0References2
Cvelist
Cvelist
added 5 days ago33 views

CVE-2026-59854 SiYuan: Incomplete IsSensitivePath denylist: globalCopyFiles reads home-dir credential dotfiles into the workspace

SiYuan is an open-source personal knowledge management system. Prior to 3.7.1, POST /api/file/globalCopyFiles accepts attacker-supplied absolute source paths and relies on util.IsSensitivePath in kernel/util/path.go, whose denylist misses common home-directory credential files such as...

4.9CVSS0.00278EPSS
Exploits0References4
OSV
OSV
added last week10 views

CVE-2026-44454 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent

Coder allows organizations to provision remote development environments via Terraform. Prior to versions 2.29.7 and 2.30.2, the dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a craft...

8.1CVSS6.6AI score0.02642EPSS
Exploits0References9
Github Security Blog
Github Security Blog
added 2026/07/02 6:14 p.m.11 views

Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent

Command injection via dotfiles URI parameter combined with workspace auto-creation Summary The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfilesuri value for example,...

8.8CVSS6.4AI score0.02642EPSS
Exploits0References9Affected Software2
OSV
OSV
added 2026/07/02 6:14 p.m.10 views

GHSA-M3CR-VC2J-PM27 Coder vulnerable to workspace auto-creation via crafted URL parameters without user consent

Command injection via dotfiles URI parameter combined with workspace auto-creation Summary The dotfiles registry module passed unsanitized user input to shell commands, allowing arbitrary code execution inside a provisioned workspace. Any user who supplied a crafted dotfilesuri value for example,...

8.1CVSS6.4AI score0.02642EPSS
Exploits0References9
Positive Technologies
Positive Technologies
added 2026/07/02 12:0 a.m.25 views

PT-2026-55445

Name of the Vulnerable Software and Affected Versions coder versions prior to 2.29.7 coder versions prior to 2.30.2 Description A command injection issue exists in the dotfiles registry module where unsanitized user input is passed to shell commands. An attacker can provide a crafted dotfiles uri...

8.8CVSS6.3AI score0.02642EPSS
Exploits0References14
Fedora
Fedora
added 2026/06/13 1:13 a.m.21 views

[SECURITY] Fedora 44 Update: chezmoi-2.70.5-1.fc44

Manage your dotfiles across multiple diverse machines, securely...

6.1CVSS7.8AI score0.00287EPSS
Exploits0
OSV
OSV
added 2026/06/11 12:53 p.m.10 views

MAL-2026-5641 Malicious code in goreleaser-run (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector f2733e0c086915d44eb8c971575087d9260bf1133d62da63920b578cf7e60c30 Package impersonates the legitimate goreleaser tool name goreleaser-run, homepage spoofed to https://goreleaser.org; goreleaser is not officially...

5.5AI score
Exploits0References2
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 12:0 a.m.23 views

Malicious code in wallet-security-checker (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

5.8AI score
Exploits0References14
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 12:0 a.m.12 views

Malicious code in chain-key-validator (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

5.8AI score
Exploits0References16
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/21 12:0 a.m.16 views

Malicious code in eth-wallet-sentinel (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

5.8AI score
Exploits0References16
OSV
OSV
added 2026/05/21 12:0 a.m.8 views

MAL-2026-4203 Malicious code in crypto-credential-scanner (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

5.9AI score
Exploits0References16
OSV
OSV
added 2026/05/21 12:0 a.m.10 views

MAL-2026-4205 Malicious code in defi-threat-scanner (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

5.8AI score
Exploits0References16
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/05/20 10:34 p.m.16 views

Malicious code in defi-env-auditor (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

5.9AI score
Exploits0References16
OSV
OSV
added 2026/05/20 10:34 p.m.9 views

MAL-2026-4204 Malicious code in defi-env-auditor (npm)

A coordinated supply-chain attack comprising 10 npm packages published by maintainer ddjidd5640 [email protected] within a 48-hour window 2026-05-19T03:55Z – 2026-05-21T04:31Z. All packages masquerade as legitimate Web3/DeFi developer security tools MCP servers while silently exfiltrating...

5.9AI score
Exploits0References16
OSV
OSV
added 2026/03/16 6:46 p.m.5 views

GHSA-H5VH-M7FG-W5H6 SiYuan globalCopyFiles: incomplete sensitive path blocklist allows reading /proc and Docker secrets

Summary POST /api/file/globalCopyFiles reads source files using filepath.Abs with no workspace boundary check, relying solely on util.IsSensitivePath whose blocklist omits /proc/, /run/secrets/, and home directory dotfiles. An admin can copy /proc/1/environ or Docker secrets into the workspace an...

6.8CVSS5.9AI score0.00411EPSS
Exploits1References5
Fedora
Fedora
added 2026/03/07 3:33 a.m.10 views

[SECURITY] Fedora 42 Update: chezmoi-2.69.4-1.fc42

Manage your dotfiles across multiple diverse machines, securely...

7.5CVSS5.8AI score0.00632EPSS
Exploits3
ATTACKERKB
ATTACKERKB
added 2026/01/29 11:4 p.m.6 views

CVE-2026-1665

A command injection vulnerability exists in nvm Node Version Manager versions 0.40.3 and below. The nvmdownload function uses eval to execute wget commands, and the NVMAUTHHEADER environment variable was not sanitized in the wget code path though it was sanitized in the curl code path. An attacke...

5.4CVSS6.2AI score0.00767EPSS
Exploits0References5Affected Software1
Fedora
Fedora
added 2026/01/14 12:55 a.m.11 views

[SECURITY] Fedora 43 Update: chezmoi-2.69.0-1.fc43

Manage your dotfiles across multiple diverse machines, securely...

7.5CVSS7.1AI score0.00632EPSS
Exploits1
Fedora
Fedora
added 2025/12/26 12:48 a.m.7 views

[SECURITY] Fedora 43 Update: chezmoi-2.68.1-1.fc43

Manage your dotfiles across multiple diverse machines, securely...

7.5CVSS7.1AI score0.00613EPSS
Exploits0
Rows per page
Query Builder