Lucene search

29491 matches found

Snyk
added 2026/03/17 8:52 p.m., 5 views

Server-side Request Forgery (SSRF)

Overview: Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) in the URL validation logic due to improper handling of underscores in hostnames. An attacker can access internal resources or sensitive endpoints by submitting specially crafted URLs containing...

CVSS 9.1 | AI score 5.9 | EPSS 0.00062
Exploits: 0 | References: 2
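The entry above describes a URL validator that mishandles underscores in hostnames; the page does not show the affected package or its code. The Python below is added here as an illustration of the check a practitioner would want in place, and is not the package's code: it validates every hostname label against the RFC 1123 grammar (which has no underscore, so "api_internal" and "api.example.com_.evil.com" are rejected outright), refuses userinfo, IP literals and non-standard ports, requires an allowlisted host, and then, as a second gate, vets the addresses the name resolves to through an injected resolver so the example runs offline. ALLOWED_HOSTS, the example.com names and the stub DNS table are assumptions.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# RFC 1123 label: 1-63 letters, digits or hyphens, not starting or ending with a hyphen.
# Underscore is deliberately absent from the class, so "api_internal" never validates.
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")

# Assumed allowlist of external hosts this service is permitted to fetch from.
ALLOWED_HOSTS = frozenset({"api.example.com", "cdn.example.com"})


def is_valid_hostname(host: str) -> bool:
    """True only for a syntactically valid DNS hostname: no underscores, no empty labels."""
    if not host or len(host) > 253:
        return False
    labels = host.rstrip(".").split(".")
    return all(_LABEL.match(label) for label in labels)


def validate_outbound_url(url: str) -> tuple:
    """Return (ok, reason). Every check must pass for ok to be True."""
    try:
        parts = urlsplit(url)
    except ValueError as exc:
        return False, f"unparseable URL: {exc}"
    if parts.scheme not in ("http", "https"):
        return False, "scheme must be http or https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo not allowed"  # blocks "https://api.example.com@evil.com/"
    try:
        port = parts.port
    except ValueError:
        return False, "invalid port"
    if port not in (None, 80, 443):
        return False, "port not allowed"
    host = parts.hostname  # already lower-cased by urlsplit
    if not host:
        return False, "missing host"
    try:
        ipaddress.ip_address(host)
        return False, "IP literals not allowed"  # 169.254.169.254, 127.0.0.1, [::1], ...
    except ValueError:
        pass
    if not is_valid_hostname(host):
        return False, "not a valid DNS hostname"  # catches underscores and bad labels
    if host not in ALLOWED_HOSTS:
        return False, "host not in allowlist"
    return True, "ok"


def resolved_addresses_are_public(host: str, resolve) -> bool:
    """Second gate: every address the name resolves to must be globally routable.
    `resolve` is injected so this runs offline; in production, connect to the address
    you vetted here rather than letting the HTTP client resolve the name again."""
    addrs = resolve(host)
    return bool(addrs) and all(ipaddress.ip_address(a).is_global for a in addrs)


# Constructed stub DNS data for the example; not real records.
_STUB_DNS = {
    "api.example.com": ["8.8.8.8"],
    "cdn.example.com": ["1.1.1.1", "10.0.0.5"],  # a private address mixed in: reject
}


def stub_resolve(host: str):
    return _STUB_DNS.get(host, [])


if __name__ == "__main__":
    for candidate in (
        "https://api.example.com/v1/items",
        "https://api_example.com/",
        "https://api.example.com_.evil.com/",
        "http://169.254.169.254/latest/meta-data/",
        "https://api.example.com@evil.com/",
    ):
        ok, reason = validate_outbound_url(candidate)
        print(f"{candidate:45} {'ALLOW' if ok else 'DENY':5} {reason}")
    for name in ("api.example.com", "cdn.example.com"):
        print(name, "resolves public:", resolved_addresses_are_public(name, stub_resolve))
```

The two gates are deliberately separate: syntactic validation decides whether a string is even a hostname, and the resolution check catches names that are well formed but point at private space (DNS rebinding, CNAMEs into 10/8). Neither replaces egress filtering at the network layer.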
Github Security Blog
added 2026/03/17 6:38 p.m., 5 views

Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)

Summary: A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the egress-policy: block network restriction using DNS over HTTPS (DoH). Harden-Runner secures GitHub Actions workflows on runners by applying network policies, including an allowed-endpoints configuration...

CVSS 4.9 | AI score 6.2 | EPSS 0.00107
Exploits: 0 | References: 4 | Affected software: 1
Github Security Blog
added 2026/03/17 6:37 p.m., 5 views

Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)

Summary: A vulnerability exists in the Community Tier of Harden-Runner that allows bypassing the egress-policy: block network restriction using DNS queries over TCP. Harden-Runner enforces egress policies on GitHub runners by filtering outbound connections at the network layer. When egress-policy:...

CVSS 4.6 | AI score 6.2 | EPSS 0.00095
Exploits: 0 | References: 4 | Affected software: 1
Github Security Blog
added 2026/03/17 4:00 p.m., 5 views

Investing in the people shaping open source and securing the future together

Open source has always been about community. It's about maintainers who review pull requests late at night. Volunteers who respond to security reports from strangers. And communities that quietly power the world's software. The reality behind the commits is that maintainers get stretched thin. Th...

AI score 5.8
Exploits: 0
HackRead
added 2026/03/17 12:00 p.m., 3 views

GitGuardian Reports an 81% Surge of AI-Service Leaks as 29M Secrets Hit Public GitHub

New York, NY, 17th March 2026, CyberNewswire...

AI score 5.8
Exploits: 0
Malwarebytes
added 2026/03/17 11:36 a.m., 4 views

How searching for a VPN could mean handing over your work login details

This blog is about how trying to do the “right thing” can lead you straight into a trap. People searching for a VPN ended up downloading credential-stealing malware. From the victim’s perspective, their trust was exploited at every step: trust in search engines, in familiar logos, in digital...

AI score 5.8
Exploits: 0
HackRead
added 2026/03/17 10:49 a.m., 2 views

New Vidar 2.0 Infostealer Spreads via Fake Game Cheats on GitHub, Reddit

The new infostealer campaign spreads Vidar 2.0 via fake game cheats on GitHub and Reddit, stealing crypto, login tokens, and files while targeting young gamers ignoring security warnings...

AI score 5.8
Exploits: 0
Positive Technologies
added 2026/03/17 12:00 a.m., 4 views

PT-2026-25988

Name of the Vulnerable Software and Affected Versions: Harden-Runner versions 2.15.1 and below. Description: Harden-Runner, a CI/CD security agent functioning as an EDR for GitHub Actions runners, contains a DNS over HTTPS (DoH) issue. This allows attackers to circumvent network restrictions imposed b...

CVSS 4.9 | AI score 6.3 | EPSS 0.00107
Exploits: 0 | References: 9
OSV
added 2026/03/16 8:27 p.m., 4 views

GO-2026-4696 Gokapi vulnerable to Privilege Escalation in File Replace in github.com/forceu/gokapi

Gokapi vulnerable to Privilege Escalation in File Replace in github.com/forceu/gokapi. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from vulnerability scanner...

CVSS 4.1 | AI score 5.8 | EPSS 0.0001
Exploits: 0 | References: 2
The Hacker News
added 2026/03/16 7:37 p.m., 5 views

GlassWorm Attack Uses Stolen GitHub Tokens to Force-Push Malware Into Python Repos

The GlassWorm malware campaign is being used to fuel an ongoing attack that leverages the stolen GitHub tokens to inject malware into hundreds of Python repositories. "The attack targets Python projects — including Django apps, ML research code, Streamlit dashboards, and PyPI packages — by...

AI score 6.3
Exploits: 0
EUVD
added 2026/03/16 3:30 p.m., 0 views

EUVD-2026-12107

In Bun before 1.3.5, the default trusted dependencies list aka trust allow list can be spoofed by a non-npm package in the case of a matching name for file, link, git, or github...

CVSS 7.1 | AI score 5.8 | EPSS 0.00097
Exploits: 0 | References: 14
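The EUVD entry above describes a trust list keyed only on package name, so a dependency fetched from a file, link, git or github source can borrow a trusted npm name and have its lifecycle scripts run. The Python below is added here as an illustration and is not Bun's code or lockfile format: it models the two policies side by side, a name-only check against one that also requires the dependency to resolve from the npm registry with an integrity hash, and runs both over a constructed install plan. The Dep record, the resolution-spec prefixes, the hypothetical default trusted names and the plan entries are all assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Iterable, List, Optional


@dataclass(frozen=True)
class Dep:
    """One resolved dependency in an install plan (simplified; not a real lockfile entry)."""
    name: str
    resolution: str                  # e.g. "npm:sharp@0.33.5", "file:./vendor/x", "github:user/repo"
    integrity: Optional[str] = None  # registry tarball hash; absent for local and git sources


# Hypothetical default trust list: names whose install scripts run without prompting.
DEFAULT_TRUSTED = frozenset({"esbuild", "sharp"})

# Assumed resolution-spec prefixes used to classify where a package came from.
_SOURCE_PREFIXES = (
    ("npm:", "npm"), ("file:", "file"), ("link:", "link"),
    ("git+", "git"), ("git:", "git"), ("github:", "github"),
)


def resolution_source(resolution: str) -> str:
    """Classify a resolution spec as npm, file, link, git, github or unknown."""
    for prefix, kind in _SOURCE_PREFIXES:
        if resolution.startswith(prefix):
            return kind
    return "unknown"


def trusted_by_name(dep: Dep, trusted=DEFAULT_TRUSTED) -> bool:
    """Weak policy: the name alone decides, so any source can claim a trusted name."""
    return dep.name in trusted


def trusted_by_name_and_source(dep: Dep, trusted=DEFAULT_TRUSTED) -> bool:
    """Stricter policy: trusted name AND fetched from the npm registry AND integrity-pinned."""
    return (dep.name in trusted
            and resolution_source(dep.resolution) == "npm"
            and dep.integrity is not None)


def scripts_that_would_run(plan: Iterable[Dep], policy: Callable[[Dep], bool]) -> List[str]:
    """Names whose lifecycle scripts the given policy would let run, sorted for stable output."""
    return sorted(d.name for d in plan if policy(d))


# Constructed install plan: a genuine registry package, a spoof that borrows a trusted
# name from a github: source, and an untrusted registry package.
PLAN = [
    Dep("sharp", "npm:sharp@0.33.5", integrity="sha512-constructed-placeholder"),
    Dep("esbuild", "github:example-attacker/esbuild"),
    Dep("left-pad", "npm:left-pad@1.3.0", integrity="sha512-constructed-placeholder"),
]

if __name__ == "__main__":
    print("name-only policy runs scripts for:", scripts_that_would_run(PLAN, trusted_by_name))
    print("name+source policy runs scripts for:", scripts_that_would_run(PLAN, trusted_by_name_and_source))
```

The name-only policy lets the github-sourced "esbuild" run its scripts; the stricter policy does not, and it also refuses a registry package that somehow lacks an integrity hash. When auditing a project, diff the names in the trust list against the lockfile's resolution sources the same way.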
Information Security Automation
added 2026/03/16 12:16 p.m., 6 views

About the Remote Code Execution Vulnerability - n8n (CVE-2025-68613)

About the Remote Code Execution Vulnerability - n8n (CVE-2025-68613). n8n is a workflow automation platform available under a fair-code license. Improper Control of Dynamically-Managed Code Resources (CWE-913) in the n8n workflow expression evaluation system allows a remote authenticated attacker without...

CVSS 9.9 | AI score 7.8 | EPSS 0.70699
Exploits: 27
The Hacker News
added 2026/03/16 11:41 a.m., 1 view

ClickFix Campaigns Spread MacSync macOS Infostealer via Fake AI Tool Installers

Three different ClickFix campaigns have been found to act as a delivery vector for the deployment of a macOS information stealer called MacSync. "Unlike traditional exploit-based attacks, this method relies entirely on user interaction – usually in the form of copying and executing commands –...

AI score 6.3
Exploits: 0
OpenVAS
added 2026/03/16 12:00 a.m., 1 view

Fedora: Security Advisory (FEDORA-2026-2c281f4add)

The remote host is missing an update announced via the FEDORA-2026-2c281f4add advisory. (Header text extracted along with the description: SPDX-FileCopyrightText: 2026 Greenbone AG. Some text descriptions might be excerpted from referenced sources and are Copyright (C) the respective right holders. SPDX-License-Identifier: GPL-2.0-only.)

CVSS 7.5 | AI score 5.8 | EPSS 0.00019
Exploits: 2 | References: 4
Chainguard
added 2026/03/15 1:17 a.m., 2 views

GHSA-4V26-V6CG-G6F9 vulnerabilities

Vulnerabilities for packages: zabbix, zabbix-fips...

AI score 5.4
Exploits: 0
Tenable Nessus
added 2026/03/15 12:00 a.m., 2 views

Fedora 42 : golang-github-openprinting-ipp-usb (2026-2c281f4add)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-2c281f4add advisory. 0.9.31 Tenable has extracted the preceding description block directly from the Fedora security advisory. Note that Nessus has not tested for these...

CVSS 7.5 | AI score 5.9 | EPSS 0.00019
Exploits: 2 | References: 2
Circl
added 2026/03/14 6:40 a.m., 1 view

GHSA-WCXR-59V9-RXR8

creationtimestamp | type | source
--- | --- | ---
2026-03-14 06:40:06+00:00 | seen | https://gist.github.com/alon710/04f59b4b34fdad62bcd6aca02cca19bb
2026-03-29 15:19:56+00:00 | published-proof-of-concept | Telegram/cXzVIGK7PQfwtmMwRkRYvJTJsFs-s6Ys2jSidGnYSoPd-U...

AI score 5.8
Exploits: 0 | References: 1
Circl
added 2026/03/14 5:26 a.m., 4 views

CVE-2026-32815

creationtimestamp | type | source
--- | --- | ---
2026-03-14 05:26:51+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-xp2m-98x8-rpj6...

CVSS 7.5 | AI score 6.3 | EPSS 0.00064
Exploits: 1 | References: 1
Circl
added 2026/03/14 4:40 a.m., 3 views

GHSA-G353-MGV3-8PCJ

creationtimestamp | type | source
--- | --- | ---
2026-03-14 04:40:05+00:00 | seen | https://gist.github.com/alon710/6d8cc1349cbd20b4b2228bf8920e9f07
2026-03-29 15:20:09+00:00 | seen | Telegram/bOji7uFGKpjQ-Vv3CFZvWqxNHLg4F03MY6E5pxai3iB8W0...

AI score 5.8
Exploits: 0 | References: 1
Circl
added 2026/03/14 2:40 a.m., 0 views

GHSA-44VG-5WV2-H2HG

creationtimestamp | type | source
--- | --- | ---
2026-03-14 02:40:05+00:00 | seen | https://gist.github.com/alon710/1291af57a3f24c084d79b6036abb3239...

AI score 5.7
Exploits: 0 | References: 1