CVE-2026-22869
Eigent’s CVE-2026-22869 affects its CI workflow (.github/workflows/ci.yml) used in the Eigent multi‑agent Workforce. The vulnerability arises from using the pull_request_target trigger in combination with checking out untrusted PR code, enabling arbitrary code execution from fork pull requests wi...
Parse Server security vulnerability
Parse Server is an open source backend from Parse Platform Open Source that can be deployed to any infrastructure that can run Node.js. A security vulnerability exists in Parse Server versions prior to 8.6.0-alpha.2, which stems from a GitHub CI workflow elevation of privilege that could lead to...
CVE-2025-62794 GitHub Workflow Updater stored the optional Github token in plaintext
GitHub Workflow Updater is a VS Code extension that automatically pins GitHub Actions to specific commits for enhanced security. Before 0.0.7, any provided Github token would be stored in plaintext in the editor configuration as json on disk, rather than through the more secure "securestorage" ap...
CVE-2025-62794
CVE-2025-62794 affects the GitHub Workflow Updater VS Code extension. Before version 0.0.7, the extension stored provided GitHub tokens in plaintext JSON in editor configuration on disk instead of using securestorage. This allowed a local attacker with read access to the user’s home directory to ...
PT-2025-44215
Name of the Vulnerable Software and Affected Versions GitHub Workflow Updater versions prior to 0.0.7 Description The GitHub Workflow Updater VS Code extension had a security issue where GitHub tokens were stored in plaintext within the editor configuration as JSON on disk, instead of utilizing t...
GitHub Workflow Updater security vulnerability
GitHub Workflow Updater is a VS Code extension by Richard Tweed Personal Developer. A security vulnerability exists in GitHub Workflow Updater versions prior to 0.0.7, which stems from storing Github tokens in cleartext, which could lead to token disclosure...
EUVD-2024-38940
Malicious code in bioql PyPI...
EUVD-2023-32123
Malicious code in bioql PyPI...
EUVD-2025-23165
Malicious code in bioql PyPI...
EUVD-2023-38213
Malicious code in bioql PyPI...
CVE-2025-58371
Roo Code is an AI-powered autonomous coding agent that lives in users' editors. In versions 3.26.6 and below, a GitHub workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to craft malicious input and achieve Remote Code Execution (RCE) on the Actions runner...
PT-2025-36339
Name of the Vulnerable Software and Affected Versions: Roo Code versions 3.26.6 and below Description: Roo Code is an AI-powered autonomous coding agent. A GitHub workflow used unsanitized pull request metadata in a privileged context, allowing an attacker to achieve Remote Code Execution (RCE) on...
MAL-2025-41437 Malicious code in @nx/enterprise-cloud (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security a8a1b6e74c68b5c6901f2ea242469aa5a34ffec9ddc3fb92267b3d1627123267 The nx project and associated plugins were compromised via a vulnerable GitHub workflow that allowed code injection and the theft of an NP...
Malicious code in @nx/eslint (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 28938ac9b6855425f3f452af308a0335a4dc5eb1c23ba08865c5cc5be914783e The nx project and associated plugins were compromised via a vulnerable GitHub workflow that allowed code injection and the theft of an NP...
Malicious code in @nx/js (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 3c2a892d723eab92005e851787f5a482f8d1a64259e6dda10ee1d097c0123a84 The nx project and associated plugins were compromised via a vulnerable GitHub workflow that allowed code injection and the theft of an NP...
MAL-2025-41436 Malicious code in @nx/devkit (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 82ff2a985875be92c4e6805f2f65ae5435da3dcda53d0caebed254db81dd0b62 The nx project and associated plugins were compromised via a vulnerable GitHub workflow that allowed code injection and the theft of an NP...
MAL-2025-41443 Malicious code in nx (npm)
--- -= Per source details. Do not edit below this line.=- Source: google-open-source-security 94e241aa8202f641d66991ca134d9c18bf1fecbf8e89c2f2052aa2a7a41e5148 The nx project and associated plugins were compromised via a vulnerable GitHub workflow that allowed code injection and the theft of an NP...
MAL-2025-41440 Malicious code in @nx/key (npm)
--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a77d672a4263588b96bbf3fbf8ddbd4e1e7b6ee0bccd619a447bf9e301883b3 The package @nx/[email protected] is published under the @nx scope and ships a heavily obfuscated JavaScript file native.js using hex-mangled identifiers...