CVE-2025-68119 Unexpected code execution when invoking toolchain in cmd/go

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

CVE-2025-68119

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

CVE-2025-68119

CVE-2025-68119 describes local code execution and arbitrary-file writes when downloading/building modules with malicious version strings in environments where external VCS tools are present. Specifically: on systems with Mercurial (hg), downloading modules from non-standard sources (e.g., custom ...

CVE-2025-68119 Unexpected code execution when invoking toolchain in cmd/go

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

GO-2026-4338 Unexpected code execution when invoking toolchain in cmd/go

Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial hg installed, downloading modules from non-standard sources e.g., custom domains can cause unexpected code execution due to how external VCS commands are constructed. This iss...

CVE-2026-24685

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint /projects/:projectid/repository/diff.diff when rendering a single revision via git show. By...

CVE-2026-24685

CVE-2026-24685 affects OpenProject prior to 16.6.6 and 17.0.2. The vulnerability arises in the repository diff download endpoint when rendering a single revision with git show; an attacker can inject git show options by supplying a crafted rev (e.g., rev=--output=/tmp/poc.txt), causing OpenProjec...

CVE-2026-24685 OpenProject has Argument Injection on Repository module that allows Arbitrary File Write

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint /projects/:projectid/repository/diff.diff when rendering a single revision via git show. By...

CVE-2026-24685 OpenProject has Argument Injection on Repository module that allows Arbitrary File Write

OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint /projects/:projectid/repository/diff.diff when rendering a single revision via git show. By...

SUSE CVE-2026-24056

pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a file: directory or git: dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path e.g., /etc/passwd,...

PT-2026-5124

Name of the Vulnerable Software and Affected Versions Symfony versions prior to 5.4.51 Symfony versions prior to 6.4.33 Symfony versions prior to 7.3.11 Symfony versions prior to 7.4.5 Symfony versions prior to 8.0.5 Description The Symfony Process component did not properly handle certain...

PT-2026-5149

Name of the Vulnerable Software and Affected Versions OpenProject versions prior to 16.6.6 OpenProject versions prior to 17.0.2 Description OpenProject is a web-based project management software. A file write issue exists in the repository diff download endpoint /projects/:project...

CVE-2026-24910

In Bun before 1.3.5, the default trusted dependencies list aka trust allow list can be spoofed by a non-npm package in the case of a matching name for file, link, git, or github...

CVE-2026-24910

CVE-2026-24910 affects Bun prior to 1.3.5. The issue: the default trusted dependencies list (trust allow list) can be spoofed by a non-npm package when a name matches an existing trusted dependency, across file, link, git, or GitHub sources. Reported impacts include potential manipulation of the ...

CVE-2026-24910

In Bun before 1.3.5, the default trusted dependencies list aka trust allow list can be spoofed by a non-npm package in the case of a matching name for file, link, git, or github...

EUVD-2026-4859

In Bun before 1.3.5, the default trusted dependencies list aka trust allow list can be spoofed by a non-npm package in the case of a matching name for file, link, git, or github...

CVE-2026-24910

In Bun before 1.3.5, the default trusted dependencies list aka trust allow list can be spoofed by a non-npm package in the case of a matching name for file, link, git, or github...

Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 : Git LFS vulnerabilities (USN-7977-1)

The remote Ubuntu 18.04 LTS / 20.04 LTS / 22.04 LTS / 24.04 LTS / 25.10 host has packages installed that are affected by multiple vulnerabilities as referenced in the USN-7977-1 advisory. Ryota K discovered that Git LFS may leak login credentials in certain instances due to failing to check for...

Ubuntu: Security Advisory (USN-7977-1)

The remote host is missing an update for the SPDX-FileCopyrightText: 2026 Greenbone AG Some text descriptions might be excerpted from a referenced sources, and are Copyright C by the respective right holders. SPDX-License-Identifier: GPL-2.0-only ifdescription...