
OSV
added 2026/04/01 8:47 p.m., 1 view

GHSA-QC22-XMQ4-QG46 c2cciutils affected by CVE-2022-40896

Pinned vulnerable version of Pygment CVE-2022-40896...

CVSS 6.8, AI score 5.8
Exploits: 0, References: 4
Snyk
added 2026/04/01 7:52 p.m., 2 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition in the GenericOAuthService, GithubOAuthService, GoogleOAuthService Auth services. An attacker can gain unauthorized access to another user's session and associated resources by timing concurrent OAuth login requests to...

CVSS 7.7, AI score 5.8, EPSS 0.00025
Exploits: 1, References: 2
Snyk
added 2026/04/01 7:52 p.m., 4 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition in the GenericOAuthService, GithubOAuthService, GoogleOAuthService Auth services. An attacker can gain unauthorized access to another user's session and associated resources by timing concurrent OAuth login requests to...

CVSS 7.7, AI score 5.8, EPSS 0.00025
Exploits: 1, References: 2
Snyk
added 2026/04/01 7:52 p.m., 0 views

Race Condition

Overview Affected versions of this package are vulnerable to Race Condition in the GenericOAuthService, GithubOAuthService, GoogleOAuthService Auth services. An attacker can gain unauthorized access to another user's session and associated resources by timing concurrent OAuth login requests to...

CVSS 7.7, AI score 5.8, EPSS 0.00025
Exploits: 1, References: 2
Github Security Blog
added 2026/04/01 7:20 p.m., 3 views

Securing the open source supply chain across GitHub

Over the past year, a new pattern has emerged in attacks on the open source supply chain. Attackers are focusing on exfiltrating secrets like API keys in order to both publish malicious packages from an attacker-controlled machine as well as gain access to more projects in order to propagate the...

AI score 5.9
Exploits: 0
Circl
added 2026/04/01 6:48 p.m., 3 views

CVE-2026-35179

creationtimestamp | type | source
---|---|---
2026-04-01 18:48:36+00:00 | published-proof-of-concept | https://github.com/WWBN/AVideo/security/advisories/GHSA-x9w5-xccw-5h9w...

CVSS 5.3, AI score 5.8, EPSS 0.00097
Exploits: 1, References: 1
RedhatCVE
added 2026/04/01 5:03 p.m., 3 views

CVE-2026-34243

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVSS 9.8, AI score 6.4, EPSS 0.00081
Exploits: 1, References: 1
Circl
added 2026/04/01 3:25 p.m., 0 views

GHSA-VC8F-X9PP-WF5P

creationtimestamp | type | source
---|---|---
2026-04-01 15:25:32+00:00 | seen | Telegram/4zYpYE5e92FkC7Z53Af8gCedtL6FpkxFD5yjbQn9BVECOM...

AI score 4.8
Exploits: 0
OSV
added 2026/04/01 9:37 a.m., 0 views

CLEANSTART-2026-PE63912 Security fixes for CVE-2021-3538, CVE-2025-29923, CVE-2025-53547, CVE-2025-55198, CVE-2025-55199, CVE-2025-68121, CVE-2026-24051, CVE-2026-25679, CVE-2026-27139, CVE-2026-27141, CVE-2026-27142, CVE-2026-33186, ghsa-557j-xg8c-q2mm, ghsa-9h84-qmv7-982p, ghsa-f6x5-jh6r-wrfv, ghsa-f9f8-9pmf-xv68, ghsa-j5w8-q4qc-rx2x applied in versions: 2.14.2-r0, 2.14.2-r1, 2.15.0-r0, 2.15.0-r1

Multiple security vulnerabilities affect the harbor package. These issues are resolved in later releases. See references for individual vulnerability details...

CVSS 10, AI score 6.9, EPSS 0.00371
Exploits: 3, References: 30
Snyk
added 2026/03/31 11:02 p.m., 4 views

Arbitrary Code Injection

Overview org.webjars.npm:lodash is a modern JavaScript utility library delivering modularity, performance, & extras. Affected versions of this package are vulnerable to Arbitrary Code Injection due to the improper validation of options.imports key names in .template. An attacker can execute arbitrar...

CVSS 9.8, AI score 7.1, EPSS 0.04314
Exploits: 2, References: 2
Github Security Blog
added 2026/03/31 10:32 p.m., 6 views

FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

Summary While testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHu...

CVSS 8.2, AI score 5.9, EPSS 0.00063
Exploits: 1, References: 4, Affected Software: 1
OSV
added 2026/03/31 10:32 p.m., 3 views

GHSA-RWW4-4W9C-7733 FastMCP: Missing Consent Verification in OAuth Proxy Callback Facilitates Confused Deputy Vulnerabilities

Summary While testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHu...

CVSS 8.2, AI score 5.9, EPSS 0.00063
Exploits: 1, References: 4
Circl
added 2026/03/31 7:20 p.m., 2 views

GHSA-VR79-8M62-WH98

creationtimestamp | type | source
---|---|---
2026-03-31 19:20:27+00:00 | published-proof-of-concept | Telegram/pGlKXNBirRT0gxqFC1bVLs6pojbUfu72MTdyyvCxHD2SpM...

AI score 4.8
Exploits: 0
Circl
added 2026/03/31 5:23 p.m., 2 views

CVE-2026-34729

creationtimestamp | type | source
---|---|---
2026-03-31 17:23:49+00:00 | published-proof-of-concept | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7
2026-03-31 17:23:49+00:00 | published-proof-of-concept | ...

CVSS 6.1, AI score 5.8, EPSS 0.00045
Exploits: 1, References: 1
Circl
added 2026/03/31 5:23 p.m., 4 views

CVE-2026-34974

creationtimestamp | type | source
---|---|---
2026-03-31 17:23:15+00:00 | published-proof-of-concept | https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg...

CVSS 5.4, AI score 5.8, EPSS 0.00035
Exploits: 1, References: 1
NVD
added 2026/03/31 4:16 p.m., 2 views

CVE-2026-34243

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVSS 9.8, EPSS 0.00081
Exploits: 1, References: 1
OSV
added 2026/03/31 3:49 p.m., 2 views

CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVSS 9.8, AI score 6.5, EPSS 0.00081
Exploits: 1, References: 3
ATTACKERKB
added 2026/03/31 3:49 p.m., 2 views

CVE-2026-34243

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVSS 9.8, AI score 6.4, EPSS 0.00081
Exploits: 1, References: 2, Affected Software: 1
CVE
added 2026/03/31 3:49 p.m., 14 views

CVE-2026-34243

CVE-2026-34243 affects the Wenxian tool (versions 0.3.1 and earlier), where a GitHub Actions workflow uses untrusted input from issue_comment.body directly inside a shell command, enabling command injection and potential arbitrary code execution on the runner. The vulnerability stems from in...

CVSS 9.8, AI score 6.4, EPSS 0.00081
Exploits: 1, References: 1, Affected Software: 1
Cvelist
added 2026/03/31 3:49 p.m., 21 views

CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVSS 9.8, EPSS 0.00081
Exploits: 1, References: 1