EUVD-2026-28893

Argo Workflows is an open source container-native workflow engine for orchestrating parallel jobs on Kubernetes. From version 4.0.0 to before version 4.0.5, the workflow executor logs all artifact repository credentials S3 access keys, secret keys, GCS service account keys, Azure account keys, Gi...

Malicious code in haswons (npm)

haswons is a typosquatting package impersonating hasown, the utility for checking whether an object has a direct own property. The package bundles the legitimate hasown source to appear functional while hiding a credential-theft payload in index1.js, executed at install time via the postinstall...

gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits

Summary gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees:...

GHSA-7RMH-48MX-2VWC gitsign verify accepts signatures over go-git-normalized bytes, enabling trust confusion on malformed commits

Summary gitsign verify and gitsign verify-tag re-encode commit/tag objects through go-git's EncodeWithoutSignature before checking the signature, instead of verifying against the raw git object bytes. For malformed objects with duplicate tree headers, git-core and go-git parse different trees:...

CVE-2026-41506

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

CVE-2026-41506

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

UBUNTU-CVE-2026-41506

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

CVE-2026-41506 go-git Credential leak via cross-host redirect in smart HTTP transport

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

EUVD-2026-28596

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

CVE-2026-41506

go-git is vulnerable to credential leakage during smart-HTTP redirects in clone/fetch operations prior to versions 5.18.0 and 6.0.0-alpha.2. The issue, a cross-host redirect exposure, has been patched in 5.18.0 and 6.0.0-alpha.2. Impact is a potential exposure of HTTP credentials during redirects...

CVE-2026-41506

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

CVE-2026-41506 go-git Credential leak via cross-host redirect in smart HTTP transport

go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentials when following redirects during smart-HTTP clone and fetch operations. This issue has been patched in versions 5.18.0 and 6.0.0-alpha....

git-lfs security update

An update is available for git-lfs. This update affects Rocky Linux 9. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is available for each vulnerability from the CVE list Git Large File Storage LFS replaces large files such as audio samples, videos...

Quasar Linux RAT Steals Developer Credentials for Software Supply Chain Compromise

A previously undocumented Linux implant codenamed Quasar Linux RAT QLNX is targeting developers' systems to establish a silent foothold as well as facilitate a broad range of post-compromise functionality, such as credential harvesting, keylogging, file manipulation, clipboard monitoring, and...

GHSA-CM33-6792-R9FM vulnerabilities

Vulnerabilities for packages: druid, spark, apache-nifi, apache-pulsar, management-api-for-apache-cassandra-5.0, flyway, infinispan, opensearch, tez, trino, wildfly, zipkin, thingsboard, akhq, strimzi-kafka-operator, apicurio-registry, keycloak...

Linux Distros Unpatched Vulnerability : CVE-2026-41506

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - go-git is an extensible git implementation library written in pure Go. Prior to versions 5.18.0 and 6.0.0-alpha.2, go-git may leak HTTP authentication credentia...

Linux Distros Unpatched Vulnerability : CVE-2026-44244

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - GitPython is a python library used to interact with Git repositories. Prior to version 3.1.49, GitConfigParser.setvalue passes values to Python's configparser...

Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 26.04 LTS : Docker vulnerabilities (USN-8230-1)

The remote Ubuntu 20.04 LTS / 22.04 LTS / 24.04 LTS / 26.04 LTS host has a package installed that is affected by multiple vulnerabilities as referenced in the USN-8230-1 advisory. It was discovered that BuildKit, contained within Docker, incorrectly handled file path validation when processing...

go-git 安全漏洞

go-git is an open-source, highly scalable Git implementation written entirely in Go. Versions of go-git prior to 5.18.0 and 6.0.0-alpha.2 contained security vulnerabilities. These vulnerabilities were due to a flaw where, during intelligent HTTP cloning and fetch operations, redirecting could lea...

PT-2026-39243

Name of the Vulnerable Software and Affected Versions Gitsign versions prior to 0.16.0 Description gitsign verify and gitsign verify-tag re-encode commit or tag objects using the EncodeWithoutSignature function from the go-git library before checking the signature, rather than verifying the raw g...