
29459 matches found

RustSec
added 2026/04/09 12:0 p.m., 11 views

Wasmtime with Winch compiler backend may allow a sandbox-escaping memory access

This is an entry in the RustSec database for the Wasmtime security advisory located at https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-xx5w-cvp6-jv83. For more information see the GitHub-hosted security advisory...

CVSS 9.9, AI score 5.9, EPSS 0.00058
Exploits 0, Affected Software 1
Circl
added 2026/04/09 10:1 a.m., 2 views

CVE-2026-40152

creationtimestamp | type | source
---|---|---
2026-04-09 10:01:49+00:00 | published-proof-of-concept | https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-7j2f-xc8p-fjmq...

CVSS 5.3, AI score 5.3, EPSS 0.00068
Exploits 1, References 1
Securelist
added 2026/04/09 9:30 a.m., 2 views

The long road to your crypto: ClipBanker and its marathon infection chain

At the start of the year, a certain Trojan caught our eye due to its incredibly long infection chain. In most cases, it kicks off with a web search for "Proxifier". Proxifiers are specialized software designed to tunnel traffic for programs that do not natively support proxy servers. They are a...

AI score 6.2
Exploits 0
GithubExploit
added 2026/04/09 6:11 a.m., 168 views

Exploit for CVE-2026-40271

Lazarus Group: 19-Day A/B Test Campaign Analysis TLP:CLEA...

AI score 6
Exploits 1
Circl
added 2026/04/09 1:27 a.m., 0 views

GHSA-479C-33WC-G2PG

creationtimestamp | type | source
---|---|---
2026-04-09 01:27:07+00:00 | seen | Telegram/CihYo3BrEf6YGxiGwCEATnWAB3StjZgrXU02lSezsa6vAg...

AI score 4.8
Exploits 0
Packet Storm News
added 2026/04/09 12:0 a.m., 1 views

Security Concerns in Generative AI Coding Assistants: Insights from Online Discussions on GitHub Copilot

Generative Artificial Intelligence (GenAI) has become a central component of many development tools (e.g., GitHub Copilot) that support software practitioners across multiple programming tasks, including code completion, documentation, and bug detection. However, current research has identified...

AI score 5.8
Exploits 0
Chainguard
added 2026/04/08 7:17 p.m., 3 views

GHSA-53MR-6C8Q-9789 vulnerabilities

Vulnerabilities for packages: airflow, litellm...

AI score 5.4
Exploits 0
Wolfi
added 2026/04/08 1:48 p.m., 6 views

GHSA-G7C4-WV7Q-GCC6 vulnerabilities

Vulnerabilities for packages: glibc...

AI score 5.9
Exploits 0
Circl
added 2026/04/08 1:25 p.m., 3 views

CVE-2026-34166

creationtimestamp | type | source
---|---|---
2026-04-08 13:25:28+00:00 | published-proof-of-concept | https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx...

CVSS 5.3, AI score 5.8, EPSS 0.00023
Exploits 1, References 1
GithubExploit
added 2026/04/08 5:27 a.m., 78 views

H4C-WEB

H4C-WEB !/bin/bash =======================================...

AI score 5.9
Exploits 0
Chainguard
added 2026/04/08 1:17 a.m., 3 views

GHSA-736H-475M-XHJC vulnerabilities

Vulnerabilities for packages: grafana, grafana-fips...

AI score 5.4
Exploits 0
Snyk
added 2026/04/08 12:18 a.m., 3 views

Uncaught Exception

Overview: Affected versions of this package are vulnerable to Uncaught Exception via the eventstream decoder process. An attacker can cause the host process to terminate unexpectedly by sending a crafted EventStream response frame containing a header value type byte outside the valid range...

CVSS 8.2, AI score 5.4
Exploits 0, References 2
Circl
added 2026/04/08 12:16 a.m., 3 views

CVE-2026-39373

creationtimestamp | type | source
---|---|---
2026-04-08 00:16:14+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-fjrm-76x2-c4q4...

CVSS 5.3, AI score 5.8, EPSS 0.00105
Exploits 1, References 1
OSV
added 2026/04/08 12:12 a.m., 7 views

GHSA-3G6G-GQ4R-XJM9 Emissary has GitHub Actions Shell Injection via Workflow Inputs

Summary: Three GitHub Actions workflow files contained 10 shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to reposito...

CVSS 9.1, AI score 6.5, EPSS 0.00023
Exploits 1, References 5
Github Security Blog
added 2026/04/08 12:12 a.m., 2 views

Emissary has GitHub Actions Shell Injection via Workflow Inputs

Summary: Three GitHub Actions workflow files contained 10 shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via ${{ }} expression syntax. An attacker with repository write access could inject arbitrary shell commands, leading to reposito...

CVSS 9.1, AI score 6.5, EPSS 0.00023
Exploits 1, References 5, Affected Software 1
RedhatCVE
added 2026/04/07 11:32 p.m., 1 views

CVE-2026-33815

A flaw was found in github.com/jackc/pgx. This memory-safety vulnerability could potentially lead to unexpected behavior or system instability. Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria...

CVSS 9.8, AI score 5.8, EPSS 0.00022
Exploits 0, References 4
Circl
added 2026/04/07 9:22 p.m., 2 views

GHSA-X8RX-789C-2PXQ

creationtimestamp | type | source
---|---|---
2026-04-07 21:22:30+00:00 | published-proof-of-concept | Telegram/PsCoAl2rNCHfpa-IE94yjZNK4tjM6zifbqO0UkQOdEj8yI...

AI score 4.8
Exploits 0
Circl
added 2026/04/07 9:22 p.m., 2 views

GHSA-GPJ5-G38J-94V9

creationtimestamp | type | source
---|---|---
2026-04-07 21:22:19+00:00 | seen | Telegram/ORzlugWNJSN1mBT3L8tDKZ1H7oYKkiEmKL9E7e5xnpgHaiU...

AI score 4.8
Exploits 0
EUVD
added 2026/04/07 7:56 p.m., 1 views

EUVD-2026-19918

dbt enables data analysts and engineers to transform their data using the same practices that software engineers use to build applications. Inside the reusable workflow dbt-labs/actions/blob/main/.github/workflows/open-issue-in-repo.yml, the prep job uses peter-evans/find-comment to search for an...

CVSS 9.3, AI score 6, EPSS 0.00022
Exploits 0, References 2
CVE
added 2026/04/07 7:56 p.m., 6 views

CVE-2026-39382

In CVE-2026-39382, the vulnerability arises in a dbt workflow where the prep job uses peter-evans/find-comment to fetch a comment-body, which is then interpolated into a shell command without escaping. This allows attacker-controlled text to break out of quotes and inject arbitrary shell commands...

CVSS 9.3, AI score 6, EPSS 0.00022
Exploits 0, References 2