GHSA-6P2J-742G-835F actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow

Summary External input from github.event.issue.title is used unsafely in a shell command in .github/workflows/release-candidate.yaml, allowing command injection during workflow execution. Details In .github/workflows/release-candidate.yaml, the issue title is interpolated directly into a shell...

GHSA-9WFR-W7MM-PC7F

creationtimestamp| type| source ---|---|--- 2026-04-04 01:18:49+00:00| seen| Telegram/Wq2MikHHjaMT3QcZYic1EqOjYlzbZBeR3fuLUZ6lQSb49CA...

GHSA-67JX-R9PV-98RJ

creationtimestamp| type| source ---|---|--- 2026-04-03 19:24:00+00:00| published-proof-of-concept| Telegram/l2CWtN20f6D8WOiAClhqJgrdc6BQljDZCBDw2ZgpHM67Hss...

Do not get high(jacked) off your own supply (chain)

In the span of just a few weeks, we have observed a dizzying array of major supply chain attacks. Prominent examples include the malicious modification of Axios, a popular HTTP client library for JavaScript, as well as cascading compromises from TeamPCP, a "chaos-as-a-service" group that injected...

GHSA-GJW9-34GF-RP6M

creationtimestamp| type| source ---|---|--- 2026-04-03 17:26:40+00:00| published-proof-of-concept| Telegram/DJsg5Qi7j92DgCP14lqfeXU4IPClBfbIww0fpCMr4ueipk0...

GHSA-RWW4-4W9C-7733

creationtimestamp| type| source ---|---|--- 2026-04-03 17:26:40+00:00| published-proof-of-concept| Telegram/DJsg5Qi7j92DgCP14lqfeXU4IPClBfbIww0fpCMr4ueipk0...

North Korean Hackers Abuse GitHub to Spy on South Korean Firms

Researchers from FortiGuard Labs have uncovered a high-severity spying campaign targeting South Korean companies. Discover how North Korean…...

CVE-2026-33544

Tinyauth is an authentication and authorization server. Prior to version 5.0.5, all three OAuth service implementations GenericOAuthService, GithubOAuthService, GoogleOAuthService store PKCE verifiers and access tokens as mutable struct fields on singleton instances shared across all concurrent...

CVE-2026-27124

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not...

GHSA-9M44-RR2W-PPP7

creationtimestamp| type| source ---|---|--- 2026-04-03 15:23:03+00:00| seen| Telegram/DMrtbPbyVuvJyzUNlrr2TA99ljgvsTw1ZTHgoXyjyFD12Ec...

CVE-2026-27124

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not...

CVE-2026-27124 FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not...

CVE-2026-27124 FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

FastMCP is the standard framework for building MCP applications. Prior to version 3.2.0, while testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not...

CVE-2026-27124

CVE-2026-27124 describes a Confused Deputy vulnerability in the FastMCP OAuthProxy used with the GitHubProvider OAuth integration. Prior to version 3.2.0, the OAuthProxy does not properly validate user consent after receiving the GitHub authorization code, and combined with GitHub’s consent-page ...

MAL-2026-2449 Malicious code in mgc (npm)

Package fetches platform-specific stage-2 payloads from a GitHub Gist. The stage-2 payloads are full Remote Access Trojans RATs for Linux Python and Windows PowerShell that beacon to a C2 server, exfiltrate system information, enumerate directories, execute arbitrary commands, and support binary...

Malicious code in mgc (npm)

Package fetches platform-specific stage-2 payloads from a GitHub Gist. The stage-2 payloads are full Remote Access Trojans RATs for Linux Python and Windows PowerShell that beacon to a C2 server, exfiltrate system information, enumerate directories, execute arbitrary commands, and support binary...

GHSA-98CH-45WP-CH47

creationtimestamp| type| source ---|---|--- 2026-04-02 22:22:27+00:00| published-proof-of-concept| Telegram/LEqzgESE2wGHUVmUGbeDXDuSp8F8SqNkH2O3nuA9SKVO2A...

GHSA-MV6H-V3JG-G539

creationtimestamp| type| source ---|---|--- 2026-04-02 19:26:58+00:00| published-proof-of-concept| Telegram/7DVhAvDfvaCSFfrp-315YEAfd2kaZp9OZJgmE0wwvo2i8o...

GHSA-9P23-P2M4-2R4M

creationtimestamp| type| source ---|---|--- 2026-04-02 19:26:18+00:00| seen| Telegram/zX6Kqs44rDek2r3jgp5vCS4jdZwe09icUbxsylGXOdI3O8...

GHSA-Q3P6-G7C4-829C

creationtimestamp| type| source ---|---|--- 2026-04-02 19:26:18+00:00| seen| Telegram/zX6Kqs44rDek2r3jgp5vCS4jdZwe09icUbxsylGXOdI3O8...