29489 matches found
CVE-2026-23654
Dependency on vulnerable third-party component in GitHub Repo: zero-shot-scfoundation allows an unauthorized attacker to execute code over a network...
CVE-2026-32805
Romeo helps reach high code coverage for Go ≥1.20 applications by measuring the coverage of functional and integration tests within GitHub Actions. Prior to version 0.2.2, the sanitizeArchivePath function in webserver/api/v1/decoder.go lines 80-88 is vulnerable to a path...
CVE-2026-33475
Langflow is a tool for building and deploying AI-powered agents and workflows. An unauthenticated remote shell injection vulnerability exists in multiple GitHub Actions workflows in the Langflow repository prior to version 1.9.0. Unsanitized interpolation of GitHub context variables e.g., $...
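The mechanism behind this class of bug, as an added example that is not code from the Langflow project or its advisory: a POSIX shell script that emulates how the Actions runner substitutes ${{ ... }} expressions into a run: step as literal text before the shell ever sees the script. The same attacker-controlled pull request title executes as code when interpolated directly and is printed as plain data when routed through an env: variable; a small grep-based lint of the kind zizmor performs flags the unsafe pattern. The expression name, the PR title and the workflow snippets are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the Langflow project. Emulates GitHub Actions
# expression substitution: ${{ ... }} is replaced by plain string replacement
# before the step script is handed to the shell.

# Constructed context expression and attacker-controlled PR title.
EXPR='${{ github.event.pull_request.title }}'
PR_TITLE='fix typo"; echo INJECTED_COMMAND_RAN; echo "'

# Replace the first occurrence of EXPR in the template with the supplied value,
# exactly as the runner does (no quoting, no escaping).
render_step() {
    printf '%s\n' "$1" | awk -v expr="$EXPR" -v val="$2" '
        { i = index($0, expr)
          if (i == 0) { print; next }
          print substr($0, 1, i - 1) val substr($0, i + length(expr)) }'
}

# Vulnerable pattern: the expression sits inside the script body, so the
# rendered script contains the attacker's text as shell syntax.
#   run: echo "Title: ${{ github.event.pull_request.title }}"
run_unsafe() {
    script=$(render_step 'echo "Title: '"$EXPR"'"' "$1")
    sh -c "$script"
}

# Fixed pattern: the expression is assigned in the env: block and the script
# references $TITLE, which the shell expands as data, never as code.
#   env:
#     TITLE: ${{ github.event.pull_request.title }}
#   run: echo "Title: $TITLE"
run_safe() {
    TITLE=$(render_step "$EXPR" "$1")
    TITLE="$TITLE" sh -c 'echo "Title: $TITLE"'
}

# True (exit 0) if the captured output contains a whole line produced by the
# injected command, i.e. the payload executed instead of being echoed as text.
injection_ran() {
    printf '%s\n' "$1" | grep -qx 'INJECTED_COMMAND_RAN'
}

# Minimal lint: flag run: lines that interpolate github.event.* or
# github.head_ref directly. Reads workflow text on stdin, prints offenders,
# exits 1 if any were found. Line-based, so expressions inside a multi-line
# "run: |" block need a YAML-aware tool such as zizmor.
lint_workflow() {
    grep -nE '^[[:space:]]*(-[[:space:]]*)?run:.*\$\{\{[[:space:]]*github\.(event|head_ref)' \
        && return 1
    return 0
}

# Constructed workflow fragments used by the demo below.
WORKFLOW_UNSAFE='name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - run: echo "Title: ${{ github.event.pull_request.title }}"'

WORKFLOW_SAFE='name: ci
on: pull_request_target
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - env:
          TITLE: ${{ github.event.pull_request.title }}
        run: echo "Title: $TITLE"'

echo "--- direct interpolation ---"
run_unsafe "$PR_TITLE"
echo "--- via env var ---"
run_safe "$PR_TITLE"
echo "--- lint ---"
if printf '%s\n' "$WORKFLOW_UNSAFE" | lint_workflow; then echo "unsafe workflow: clean"; else echo "unsafe workflow: flagged"; fi
if printf '%s\n' "$WORKFLOW_SAFE" | lint_workflow; then echo "safe workflow: clean"; else echo "safe workflow: flagged"; fi
```

The env-var form is the fix GitHub's own hardening guidance recommends; the other lever is not to run privileged triggers (pull_request_target, issue_comment) on untrusted input at all.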
CVE-2026-2266
An improper neutralization of input vulnerability was identified in GitHub Enterprise Server that allowed DOM-based cross-site scripting via task list content. The task list content extraction logic did not properly re-encode browser-decoded text nodes before rendering, allowing user-supplied HTM...
CVE-2026-31900
Black is the uncompromising Python code formatter. Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository's pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct...
MAL-2026-2230 Malicious code in aquasecurityofficial.trivy-vulnerability-scanner (VSCode:https://open-vsx.org)
Source: google-open-source-security. This extension is a compromised version of the official Trivy VSCode extension available on the Microsoft Marketplace. Versions 1.8.11 and...
PT-2026-28215
Hi guys! Recently I got this email from [email protected]. I read through the email and spotted a few grammatical errors, as well as a share.google link, which I thought was unusual for Microsoft to do. Even though it was fully delivered and signed by GitHub.com, I realised that what the...
GHSA-8M2X-3M6Q-6W8J vulnerabilities
Vulnerabilities for packages: nats-top, nats, telegraf, kine, k3s...
GHSA-8M2X-3M6Q-6W8J vulnerabilities
Vulnerabilities for packages: k3s, nats-fips, telegraf, nats-top, rke2-runtime, nats, kine, prometheus-nats-exporter-fips, nats-top-fips, milvus, rke2-runtime-fips, prometheus-nats-exporter...
CVE-2026-20719
Mattermost contains a DoS vulnerability (CVE-2026-20719) in rendering external SVGs within link embeds. Affected versions are Mattermost 11.4.x <= 11.4.0, 11.3.x <= 11.3.1, 11.2.x <= 11.2.3, and 10.11.x
Fake OpenClaw Token Giveaway Targets GitHub Devs with Wallet-Draining Scam
OX Security reveals a new phishing campaign targeting GitHub developers. Scammers use fake OpenClaw token giveaways to trick users into connecting and draining their crypto wallets...
CVE-2026-33868
creationtimestamp | type | source
---|---|---
2026-03-25 11:02:39+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-33868.yaml
2026-03-26 21:03:02+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3mhyiuuwxmq2l
2026-03-27... | |
GHSA-V55J-83PF-R9CQ vulnerabilities
Vulnerabilities for packages: gitlab-rails-ce-fips, ruby3.4-rails, gitlab-rails-ce, ruby3.2-rails...
CVE-2025-58044
creationtimestamp | type | source
---|---|---
2026-03-25 05:44:05+00:00 | confirmed | https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2025/CVE-2025-58044.yaml
2026-03-26 21:03:04+00:00 | seen | https://bsky.app/profile/beikokucyber.bsky.social/post/3mhyiuvbik22q...
Guidance for detecting, investigating, and defending against the Trivy supply chain compromise
In this article: 1. Analyzing the Trivy supply chain compromise; 2. Detection and investigation; 3. Mitigation and protection guidance; 4. Advanced hunting queries; 5. References; 6. Learn more. On March 19, 2026, Trivy, Aqua Security's widely used open-source vulnerability scanner, was reported to have...
GHSA-394X-VWMW-CRM3 vulnerabilities
Vulnerabilities for packages: linkerd2, nushell, zed, linkerd2-proxy, rustls-ffi, rustup, linkerd-extension-init, lychee, zizmor, parseable, efs-utils, deno, buck2, py3-xet-core, pixi, linkerd-network-validator, qdrant, cargo-audit, ztunnel, ntpd-rs, wasmcloud...
CVE-2026-33635
creationtimestamp | type | source
---|---|---
2026-03-24 19:13:41+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-pv9c-9mfh-hvxq...
MAL-2026-2333 Malicious code in @pansycareful/github-helper (npm)
Source: amazon-inspector. The package @pansycareful/github-helper was found to contain malicious code...