181 matches found

Source: Vulnrichment (added 2025/01/24 6:04 p.m.)

CVE-2025-24362 CodeQL GitHub Action failed workflow writes GitHub PAT to debug artifacts

In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository...

CVSS 7.1 · AI score 7.1 · EPSS 0.00892
Exploits: 0 · References: 6
Source: Positive Technologies (added 2025/01/24 12:00 a.m.)

PT-2025-5344 · Github · Codeql Action +1

Name of the Vulnerable Software and Affected Versions: CodeQL Action versions prior to 3.28.3; CodeQL CLI versions prior to 2.20.3. Description: In certain circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain environment variables from t...

CVSS 7.1 · AI score 9.1 · EPSS 0.00892
Exploits: 0 · References: 17
Source: OSV (added 2024/11/27 10:15 p.m.)

DEBIAN-CVE-2024-53859

go-gh is a Go module for interacting with the gh utility and the GitHub API from the command line. A security vulnerability has been identified in go-gh that could leak authentication tokens intended for GitHub hosts to non-GitHub hosts when within a codespace. go-gh sources authentication tokens...

CVSS 7.5 · AI score 6.3 · EPSS 0.00534
Exploits: 0 · References: 1
Source: Github Security Blog (added 2024/08/14 8:53 p.m.)

GitHub Actions Script Injection in `ultralytics/actions`

Summary: The Ultralytics action available at https://github.com/marketplace/actions/ultralytics-actions is vulnerable to GitHub Actions script injection. If anyone uses the action within a workflow that runs on the pull_request_target trigger, then an attacker can inject arbitrary code into that...

AI score 8.2
Exploits: 0 · References: 3 · Affected software: 1
Source: OSV (added 2024/06/04 12:15 p.m.)

CVE-2024-4254

The 'deploy-website.yml' workflow in the gradio-app/gradio repository, specifically in the 'main' branch, is vulnerable to secrets exfiltration due to improper authorization. The vulnerability arises from the workflow's explicit checkout and execution of code from a fork, which is unsafe as it...

CVSS 7.1 · AI score 5.9 · EPSS 0.0047
Exploits: 1 · References: 1
Source: CNVD (added 2024/05/30 12:00 a.m.)

Unspecified Vulnerability in JetBrains TeamCity (CNVD-2025-16890)

JetBrains TeamCity is a set of distributed build management and continuous integration tools from the Czech company JetBrains. The tool provides continuous unit testing, code quality analysis and build problem analysis reports and other features. JetBrains TeamCity suffers from a security...

CVSS 5.5 · AI score 7.1 · EPSS 0.00266
Exploits: 0 · References: 1
Source: CVE (added 2024/05/15 9:24 p.m.)

CVE-2024-35183

CVE-2024-35183 affects wolfictl (Wolfi) and involves a git authentication issue in versions before 0.16.10. The vulnerability arises from a GetGitAuth flow that reads a GitHub token from the GITHUB_TOKEN environment variable and uses it for HTTP basic auth with go-git, in cases where the remote r...

CVSS 4.4 · AI score 7.1 · EPSS 0.00237
Exploits: 0 · References: 6
Source: Vulnrichment (added 2024/05/15 9:24 p.m.)

CVE-2024-35183 wolfictl leaks GitHub tokens to remote non-GitHub git servers

wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...

CVSS 4.4 · AI score 7.3 · EPSS 0.00237
Exploits: 0 · References: 6
Source: Cvelist (added 2024/05/15 9:24 p.m.)

CVE-2024-35183 wolfictl leaks GitHub tokens to remote non-GitHub git servers

wolfictl is a command line tool for working with Wolfi. A git authentication issue in versions prior to 0.16.10 allows a local user’s GitHub token to be sent to remote servers other than github.com. Most git-dependent functionality in wolfictl relies on its own git package, which contains...

CVSS 4.4 · AI score 5.4 · EPSS 0.00237
Exploits: 0 · References: 6
Source: OSV (added 2024/05/15 8:02 p.m.)

GHSA-8FG7-HP93-QHVR wolfictl leaks GitHub tokens to remote non-GitHub git servers

Summary: A git authentication issue allows a local user’s GitHub token to be sent to remote servers other than github.com. Details: Most git-dependent functionality in wolfictl relies on its own git package, which contains centralized logic for implementing interactions with git repositories. Some ...

CVSS 4.4 · AI score 5.1 · EPSS 0.00237
Exploits: 0 · References: 8
Source: Github Security Blog (added 2024/05/15 8:02 p.m.)

wolfictl leaks GitHub tokens to remote non-GitHub git servers

Summary: A git authentication issue allows a local user’s GitHub token to be sent to remote servers other than github.com. Details: Most git-dependent functionality in wolfictl relies on its own git package, which contains centralized logic for implementing interactions with git repositories. Some ...

CVSS 4.4 · AI score 7.3 · EPSS 0.00237
Exploits: 0 · References: 8 · Affected software: 1
Source: CNNVD (added 2024/05/15 12:00 a.m.)

wolfictl Security Vulnerability

wolfictl is an open source command line tool for use with Wolfi. A security vulnerability exists in wolfictl versions prior to 0.16.10, which stems from a GitHub token that could be leaked to a remote non-GitHub git server...

CVSS 4.4 · AI score 5 · EPSS 0.00237
Exploits: 0 · References: 7
Source: OSV (added 2024/02/14 8:15 p.m.)

CVE-2024-1482

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to create new branches in public repositories and run arbitrary GitHub Actions workflows with permissions from the GITHUB_TOKEN. To exploit this vulnerability, an attacker would need access...

CVSS 6.5 · AI score 5.9 · EPSS 0.00422
Exploits: 0 · References: 3
Source: Prion (added 2023/08/28 8:15 p.m.)

Design/Logic Flaw

Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for github status notifications. Given that this would output github tokens to a log...

CVSS 5 · AI score 5.1 · EPSS 0.00324
Exploits: 0 · References: 2 · Affected software: 1
Source: Vulnrichment (added 2023/08/28 7:47 p.m.)

CVE-2023-39348 Improper log output when using GitHub Status Notifications in spinnaker

Spinnaker is an open source, multi-cloud continuous delivery platform. Log output when updating GitHub status is improperly set to FULL always. It's recommended to apply the patch and rotate the GitHub token used for github status notifications. Given that this would output github tokens to a log...

CVSS 4 · AI score 6.7 · EPSS 0.00324
Exploits: 0 · References: 2
Source: Positive Technologies (added 2023/04/18 12:00 a.m.)

PT-2023-18155 · Nuxtlabs · Nuxtlabs/Github-Module

Name of the Vulnerable Software and Affected Versions: nuxtlabs/github-module versions prior to 1.6.2. Description: The issue involves the use of hard-coded credentials in the GitHub repository nuxtlabs/github-module. A hardcoded GitHub token was found in the source code, which had access to...

CVSS 10 · AI score 9.5 · EPSS 0.0074
Exploits: 0 · References: 9
Source: NVD (added 2023/03/27 10:15 p.m.)

CVE-2023-26493

Cocos Engine is an open-source framework for building 2D & 3D real-time rendering and interactive content. In the github repo for Cocos Engine the web-interface-check.yml was subject to command injection. The web-interface-check.yml was triggered when a pull request was opened or updated and...

CVSS 8.8 · AI score 8.6 · EPSS 0.02907
Exploits: 1 · References: 3
Source: Positive Technologies (added 2023/03/27 12:00 a.m.)

PT-2023-21716 · Onesignal · Onesignal

Name of the Vulnerable Software and Affected Versions: OneSignal (affected versions not specified). Description: The issue concerns a workflow triggered by closed issues, utilizing a GitHub repository token with full write permissions. This allows an attacker to potentially take over the GitHub...

CVSS 8.1 · AI score 8.1 · EPSS 0.00905
Exploits: 1 · References: 6
Source: BDU FSTEC (added 2022/10/21 12:00 a.m.)

A vulnerability in the Check Spelling web service on GitHub, related to information disclosure via the GITHUB_TOKEN token, allows an attacker to gain unauthorized access to protected information.

The vulnerability of the Check Spelling web service from GitHub relates to the exposure of information through the GITHUB_TOKEN token. Exploiting this vulnerability could allow a malicious actor, operating remotely, to gain unauthorized access to the protected information.

CVSS 10 · AI score 7.7 · EPSS 0.0226
Exploits: 0 · References: 4 · Affected software: 1
Source: Huntr (added 2022/10/15 10:17 a.m.)

Account Takeover

Description: A malicious actor can set up a website on vercel.app with the vercel.app domain; after that, they can change the subdomain to something containing "modrinth". This allows an open redirect on https://api.modrinth.com/v2/auth/init?url=ATTACKERURL, allowing theft of the GitHub token whic...

AI score 0.8
Exploits: 0