Lucene search
+L

1383 matches found

Cvelist
Cvelist
added 2 days ago33 views

CVE-2026-46420 setup-php: Command Injection in Repository-Derived PHP Version Resolution

setup-php is a GitHub action to set up PHP with extensions, php.ini configuration, coverage drivers, and tools. From 2.25.0 prior to 2.37.1, shivammathur/setup-php resolves the PHP version from repository-controlled files such as .php-version, composer.lock through platform-overrides.php, and...

5.6CVSS0.00852EPSS
Exploits1References3
Cvelist
Cvelist
added 2 days ago37 views

CVE-2026-15343 Path traversal vulnerability in GitHub Enterprise Server allowed writing files to arbitrary repository paths, including GitHub Actions workflow files, via unchecked Dependabot dependency-file paths

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an attacker who had code execution inside the Dependabot updater container to write files to arbitrary repository paths, including GitHub Actions workflow files under .github/workflows/ as the path validation d...

8.6CVSS0.00446EPSS
Exploits0References5
Positive Technologies
Positive Technologies
added 2 days ago8 views

PT-2026-60782

A path traversal vulnerability was identified in GitHub Enterprise Server that allowed an attacker who had code execution inside the Dependabot updater container to write files to arbitrary repository paths, including GitHub Actions workflow files under .github/workflows/ as the path validation d...

8.6CVSS6.2AI score0.00446EPSS
Exploits0References6
NVD
NVD
added 4 days ago12 views

CVE-2026-55576

MaaAssistantArknights is a one-click tool for daily Arknights tasks. In the current dev-v2 workflow, .github/workflows/release-preparation.yml inlined attacker-controlled github.event.pullrequest.title into a run: shell command during the pullrequest opened, reopened, and readyforreview events, s...

8.8CVSS0.00297EPSS
Exploits0References2
ATTACKERKB
ATTACKERKB
added 4 days ago5 views

CVE-2026-50562

FastGPT is a knowledge-based AI application platform. At commit 22ebfacbb43311e9b73294040ae0eb87390c6bba and earlier, artifacts built from untrusted pull request code in .github/workflows/preview-docs-build.yml and .github/workflows/preview-fastgpt-build.yml can be downloaded by privileged...

9.3CVSS6.1AI score0.00151EPSS
Exploits0References2
Cvelist
Cvelist
added 4 days ago34 views

CVE-2026-45793 Composer: Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS0.00519EPSS
Exploits0References9
EUVD
EUVD
added 4 days ago7 views

EUVD-2026-44723

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS6AI score0.00519EPSS
Exploits0References9
OSV
OSV
added 4 days ago5 views

CVE-2026-45793 Composer: Github Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs

Composer is a dependency Manager for the PHP language. Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration validates GitHub OAuth tokens with the regex ^.A-Za-z0-9+$ and interpolates rejected tokens into an UnexpectedValueException; GitHub Actions GITHUBTOKEN values using t...

7.5CVSS6.1AI score0.00519EPSS
Exploits0References11
CVE
CVE
added 4 days ago73 views

CVE-2026-45793

CVE-2026-45793 affects Composer (PHP dependency manager). Prior to 1.10.28, 2.2.28, and 2.9.8, Composer\IO\BaseIO::loadConfiguration() validated GitHub tokens with ^[.A-Za-z0-9_]+$ and interpolated rejected tokens into an UnexpectedValueException. GitHub Actions GITHUB_TOKEN values formatted as g...

7.5CVSS6.1AI score0.00519EPSS
Exploits0References9
OSSF Malicious Packages
OSSF Malicious Packages
added 6 days ago11 views

Malicious code in kuaishou (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd1d5daf09cc7bfff164e60bf5abd0a1b374b5bb616f0a78cac8f6c6ea613608 The package's prepare lifecycle script, which runs automatically on npm install, collects host, user, and platform identifiers along with the full...

6.1AI score
Exploits0References4
CVE
CVE
added 2026/07/08 3:8 p.m.13 views

CVE-2026-54344

CVE-2026-54344 affects ToolJet prior to version 3.20.180. The render preview deployment workflow interpolates github.event.comment.body directly into a bash conditional in a run step, enabling any GitHub user who can comment on an open PR with a deploy command to execute shell commands on the CI ...

4.7CVSS6.1AI score0.00171EPSS
Exploits0References1
The Hacker News
The Hacker News
added 2026/06/26 11:5 a.m.7 views

Miasma Malware Targets npm Packages and GitHub Actions in Supply Chain Attack

Cybersecurity researchers have flagged yet another evolution of the supply chain attack linked to the Mini Shai-Hulud, Miasma, and Hades malware family that has compromised a new set of npm packages, even as it has propagated to the Go ecosystem. "The latest activity includes malicious npm releas...

6.5AI score
Exploits0
OSSF Malicious Packages
OSSF Malicious Packages
added 2026/06/22 12:0 p.m.14 views

Malicious code in respects-switch (npm)

respects-switch is a dependency confusion proof-of-concept package published to the public npm registry by the account r0binak and self-labeled "Security research PoC - Dependency Confusion Hunter". It was published at the artificially high version 999.0.0, the canonical floating-version bait use...

5.8AI score
Exploits0References3
OSV
OSV
added 2026/06/12 6:24 p.m.4 views

OPENSUSE-SU-2026:20963-1 Security update for neonmodem

This update for neonmodem fixes the following issues: Changes in neonmodem: - Update golang.org/x/net dependency to v0.55.0 due to bsc1267193 - Update golang.org/x/image dependency to v0.38.0 due to bsc1260727 - Update golang.org/x/term dependency to v0.42.0 due to bsc1260727 - Update to version...

6.5CVSS6.2AI score0.00328EPSS
Exploits0References8
NVD
NVD
added 2026/06/11 7:16 p.m.9 views

CVE-2026-48547

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS0.0091EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2026/06/11 6:33 p.m.11 views

CVE-2026-48547 KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS6AI score0.0091EPSS
Exploits0References2
EUVD
EUVD
added 2026/06/11 6:33 p.m.10 views

EUVD-2026-36284

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS6AI score0.0091EPSS
Exploits0References1
OSV
OSV
added 2026/06/11 6:33 p.m.3 views

CVE-2026-48547 KanaDojo < 0.1.18 Command Injection via patchNotesData.json in release.yml

KanaDojo contains a command injection vulnerability that allows an attacker with pull request access to execute arbitrary shell commands by inserting shell metacharacters into the version or changes fields of patchNotesData.json, which are interpolated unsanitized into a childprocess.execSync cal...

8.5CVSS6.2AI score0.0091EPSS
Exploits0References5
NVD
NVD
added 2026/06/11 6:16 p.m.15 views

CVE-2026-48546

KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull...

8.5CVSS0.00487EPSS
Exploits0References3
EUVD
EUVD
added 2026/06/11 5:53 p.m.10 views

EUVD-2026-36273

KanaDojo before 0.1.18 contains a sandbox escape vulnerability that allows an attacker to execute arbitrary code by exploiting the explicit passing of the global require function into a Node.js vm.runInNewContext sandbox context in the issue-auto-respond.yml workflow. Attackers can submit a pull...

8.5CVSS6.7AI score0.00487EPSS
Exploits0References3
Rows per page
Query Builder