
Vulnrichment
added 2026/03/31 3:49 p.m., 1 view

CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

wenxian is a tool to generate BibTeX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVSS 9.8, AI score 6.4, EPSS 0.00081
Exploits: 1, References: 1
Circl
added 2026/03/31 3:18 p.m., 2 views

GHSA-PX3P-VGH9-M57C

creation_timestamp | type | source
---|---|---
2026-03-31 15:18:14+00:00 | published-proof-of-concept | Telegram/glZc2MUrWDW1orrk5KZxOV-1RuNHXXM8No2M1-1yJOvNvE...

AI score 4.8
Exploits: 0
Wolfi
added 2026/03/31 7:48 a.m., 6 views

GHSA-37CH-88JC-XWX2 vulnerabilities

Vulnerabilities for packages: json-server, sqlpad, kubeflow-pipelines, argo-workflows, kubeflow-centraldashboard...

AI score 5.4
Exploits: 0
ATTACKERKB
added 2026/03/31 1:46 a.m., 4 views

CVE-2026-34042

act is a project which allows for local running of GitHub Actions. Prior to version 0.2.86, act's built-in actions/cache server listens for connections on all interfaces and allows anyone who can connect to it, including someone anywhere on the internet, to create caches with arbitrary keys and...

CVSS 8.2, AI score 6.4, EPSS 0.00025
Exploits: 0, References: 5, Affected Software: 1
Cvelist
added 2026/03/31 1:43 a.m., 23 views

CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection

act is a project which allows for local running of GitHub Actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...

CVSS 7.7, EPSS 0.00028
Exploits: 1, References: 3
OSV
added 2026/03/31 1:43 a.m., 3 views

CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection

act is a project which allows for local running of GitHub Actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which GitHub disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...

CVSS 7.7, AI score 5.9, EPSS 0.00028
Exploits: 1, References: 5
Positive Technologies
added 2026/03/31 12:00 a.m., 3 views

PT-2026-29421

Summary While testing the GitHubProvider OAuth integration, which allows authentication to a FastMCP MCP server via a FastMCP OAuthProxy using GitHub OAuth, it was discovered that the FastMCP OAuthProxy does not properly validate the user's consent upon receiving the authorization code from GitHu...

CVSS 8.2, AI score 5.9, EPSS 0.00063
Exploits: 1, References: 5
CNNVD
added 2026/03/31 12:00 a.m., 3 views

wenxian operating system command injection vulnerability

Wenxian is a tool developed by Jinzhe Zeng as a reference format generator based on document identifiers. Versions of Wenxian 0.3.1 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from the use of unvalidated user input directly in...

CVSS 9.8, AI score 6.1, EPSS 0.00081
Exploits: 1, References: 1
HackRead
added 2026/03/30 8:53 p.m., 2 views

OpenAI Codex Vulnerability Allowed Attackers to Steal GitHub Tokens

OpenAI Codex vulnerability allowed attackers to steal GitHub tokens via malicious branch names using hidden Unicode command injection flaw...

AI score 5.9
Exploits: 0
Circl
added 2026/03/30 7:31 p.m., 3 views

CVE-2026-34715

creation_timestamp | type | source
---|---|---
2026-03-30 19:31:23+00:00 | published-proof-of-concept | https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf
2026-03-30 19:31:23+00:00 | published-proof-of-concept | ...

CVSS 5.3, AI score 5.8, EPSS 0.00018
Exploits: 1, References: 1
Circl
added 2026/03/30 7:17 p.m., 1 view

GHSA-Q9VP-3WCG-8P4X

creation_timestamp | type | source
---|---|---
2026-03-30 19:17:51+00:00 | published-proof-of-concept | Telegram/fjirMqbI7HbDe3OLZhJWgKP9iQtg8z94oAYRFGU8rTUaV0...

AI score 4.8
Exploits: 0
Github Security Blog
added 2026/03/30 7:15 p.m., 7 views

Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2

Summary On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the telnyx Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline...

AI score 5.9
Exploits: 0, References: 5, Affected Software: 1
Circl
added 2026/03/30 5:31 p.m., 2 views

CVE-2026-34523

creation_timestamp | type | source
---|---|---
2026-03-30 17:31:58+00:00 | published-proof-of-concept | https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-525j-2hrj-m8fp
2026-03-30 17:31:58+00:00 | published-proof-of-concept | ...

CVSS 5.3, AI score 5.8, EPSS 0.00031
Exploits: 1, References: 1
Snyk
added 2026/03/30 3:59 p.m., 2 views

Malicious Package

Overview eslint-validator is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...

CVSS 9.8, AI score 5.9
Exploits: 0, References: 2
Circl
added 2026/03/30 3:22 p.m., 1 view

GHSA-F27W-VCWJ-C954

creation_timestamp | type | source
---|---|---
2026-03-30 15:22:38+00:00 | seen | Telegram/rgowYjXIbIqHAY83QR77NdcMiEs7Q8IlbaGHk6-omsHWj8...

AI score 4.8
Exploits: 0
Wolfi
added 2026/03/30 1:53 p.m., 6 views

GHSA-2J22-PR5W-6GQ8 vulnerabilities

Vulnerabilities for packages: ruby3.4-rails...

AI score 5.8
Exploits: 0
Cvelist
added 2026/03/30 12:00 a.m., 15 views

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

EPSS 0.00102
Exploits: 1, References: 1
Vulnrichment
added 2026/03/30 12:00 a.m., 2 views

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

AI score 5.9, EPSS 0.00102
Exploits: 1, References: 1
ATTACKERKB
added 2026/03/30 12:00 a.m., 1 view

CVE-2026-29872

A cross-session information disclosure vulnerability exists in the awesome-llm-apps project in commit e46690f99c3f08be80a9877fab52acacf7ab8251 (2026-01-19). The affected Streamlit-based GitHub MCP Agent stores user-supplied API tokens in process-wide environment variables using os.environ without...

CVSS 8.2, AI score 5.9, EPSS 0.00102
Exploits: 1, References: 2
GithubExploit
added 2026/03/29 7:15 p.m., 130 views

Exploit for Exposure of Resource to Wrong Sphere in Linuxfoundation Containerd

ZipSlip Container Escape Vulnerability in containerd CVE...

CVSS 8.6, AI score 7, EPSS 0.07171
Exploits: 20