CVE-2026-31976
xygeni-action, the GitHub Action for Xygeni Scanner, was abused via tag poisoning: compromised credentials moved the v5 tag to a malicious commit in a PR window (Mar 3–10, 2026). Workflows referencing xygeni-action@v5 could execute a C2 implant on CI runners for up to 180 seconds. The issue stems...
EUVD-2017-9177
Malware in sbrugna...
EUVD-2022-5132
Malicious code in bioql PyPI...
CVE-2020-15272
In the git-tag-annotation-action open source GitHub Action before version 1.0.1, an attacker can execute arbitrary shell commands if they can control the value of the tag input or manage to alter the value of the GITHUB_REF environment variable. The problem has been patched in version 1.0.1. If yo...
Design/Logic Flaw
The Binance Trust Wallet app for iOS in commit 3cd6e8f647fbba8b5d8844fcd144365a086b629f, git tag 0.0.4 misuses the trezor-crypto library and consequently generates mnemonic words for which the device time is the only entropy source, leading to economic losses, as exploited in the wild in July 202...
CVE-2024-23660
The CVE-2024-23660 entry concerns Binance Trust Wallet for iOS (version 0.0.4). The root cause is misuse of the trezor-crypto library, causing mnemonic words to be generated with device time as the sole entropy source. This leads to predictable mnemonics and potential theft of funds, with real-wo...
GHSA-R8RW-XX57-M64Q Cross-Site Request Forgery in Jenkins Git Plugin
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record...
Command Injection
Overview: async-git is a 👾 Retrieve data from current git repository. Affected versions of this package are vulnerable to Command Injection via shell metacharacters, as demonstrated by git.reset and git.tag. POC: git.reset'; touch HACKED '; // file "HACKED" was created git.tag'; touch HACKED '; //...
Design/Logic Flaw
In the git-tag-annotation-action open source GitHub Action before version 1.0.1, an attacker can execute arbitrary shell commands if they can control the value of the tag input or manage to alter the value of the GITHUB_REF environment variable. The problem has been patched in version 1.0.1. If yo...
CVE-2020-15272
The CVE-2020-15272 entry concerns the git-tag-annotation-action (open source GitHub Action) prior to version 1.0.1. Affected logic allows an attacker to execute arbitrary shell commands if they control the tag input or can alter the GITHUB_REF environment variable. The issue is patched in version...
CVE-2020-15272 Shell-injection in git-tag-annotation GitHub action
In the git-tag-annotation-action open source GitHub Action before version 1.0.1, an attacker can execute arbitrary shell commands if they can control the value of the tag input or manage to alter the value of the GITHUB_REF environment variable. The problem has been patched in version 1.0.1. If yo...
Fedora 29 : mingw-libidn2 (2019-a8d35fcf7c)
Libidn 2.2.0 released 2019-05-23
- Perform A-Label roundtrip for lookup functions by default
- Stricter check of input to punycode decoder
- Fix punycode decoding with no ASCII chars but given delimiter
- Fix idn2 --no-tr64 was a no-op
- Allow as a basic code...
jenkins-plugin-git: CSRF vulnerability in Git Plugin (SECURITY-1095)
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record...
Cross site request forgery (csrf)
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record...
CVE-2019-1003010
A cross-site request forgery vulnerability exists in Jenkins Git Plugin 3.9.1 and earlier in src/main/java/hudson/plugins/git/GitTagAction.java that allows attackers to create a Git tag in a workspace and attach corresponding metadata to a build record...
Atlassian Bitbucket Server Path Traversal Vulnerability
Atlassian Bitbucket Server is a Git code hosting solution from Atlassian Australia. The solution is capable of managing and reviewing code with features such as diff view, JIRA integration and build integration. A directory traversal vulnerability exists in the git repository tag rest resource in...
Path traversal
The git repository tag REST resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed...
CVE-2017-18037
The git repository tag REST resource in Atlassian Bitbucket Server from version 3.7.0 before 4.14.11 (the fixed version for 4.14.x), from version 5.0.0 before 5.0.9 (the fixed version for 5.0.x), from version 5.1.0 before 5.1.8 (the fixed version for 5.1.x), from version 5.2.0 before 5.2.6 (the fixed...