29497 matches found
GHSA-656W-6F6C-M9R6 OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding
Summary OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub A...
CVE-2025-47911 affecting package gh for versions less than 2.13.0-26
CVE-2025-47911 affecting package gh for versions less than 2.13.0-26. A patched version of the package is available...
CVE-2026-28807
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-09 12:29:02+00:00 | published-proof-of-concept | https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r... |
AI Bot Hackerbot-Claw Targets Microsoft, DataDog and CNCF GitHub Repos
Security firm Pillar reveals the Chaos Agent in which Hackerbot-Claw, an AI agent, used natural language to compromise major GitHub projects and hijack developer tools...
CVE-2026-31809
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-09 08:40:48+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr... |
CVE-2026-31861
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-09 08:33:47+00:00 | published-proof-of-concept | https://github.com/siteboon/claudecodeui/security/advisories/GHSA-7fv4-fmmc-86g2... |
PT-2026-24150
Name of the Vulnerable Software and Affected Versions OneUptime versions prior to 10.0.19 Description OneUptime’s GitHub App callback does not properly validate the state and installation id values received from a user, allowing an attacker to overwrite another project's GitHub App installation...
CVE-2026-30964
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-08 17:27:32+00:00 | published-proof-of-concept | https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm... |
CVE-2026-29783
The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent, e.g., via prompt injection through repository files, MCP server...
[SECURITY] Fedora 42 Update: gh-2.87.3-1.fc42
A command-line interface to GitHub for use in your terminal or your scripts. gh is a tool designed to enhance your workflow when working with GitHub. It provides a seamless way to interact with GitHub repositories and perform various actions right from the command line, eliminating the need to...
Black's vulnerable version parsing leads to RCE in GitHub Action
Impact Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. Th...
GHSA-V53H-F6M7-XCGM Black's vulnerable version parsing leads to RCE in GitHub Action
Impact Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. Th...
Fedora 42 : prometheus (2026-c9fb6d2b76)
The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-c9fb6d2b76 advisory. Rename from golang-github-prometheus and upgrade to 3.10.0. Tenable has extracted the preceding description block directly from the Fedora security...
PT-2026-24654
Name of the Vulnerable Software and Affected Versions Black versions prior to 26.3.0 Description Black is a Python code formatter that provides a GitHub action for code formatting. The action supports an option, use_pyproject: true, to read the Black version from the repository's pyproject.toml...
How to scan for vulnerabilities with GitHub Security Lab’s open source AI-powered framework
For the last few months, we've been using the GitHub Security Lab Taskflow Agent along with a new set of auditing taskflows that specialize in finding web security vulnerabilities. They also turn out to be very successful at finding high-impact vulnerabilities in open source projects. As security...
GHSA-W6VW-MRGV-69VF
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-06 20:09:04+00:00 | seen | https://github.blog/security/how-to-scan-for-vulnerabilities-with-github-security-labs-open-source-ai-powered-framework/ |
| 2026-03-10 23:10:58+00:00 | seen | ... |
CVE-2025-15033
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-06 20:09:04+00:00 | seen | https://github.blog/security/how-to-scan-for-vulnerabilities-with-github-security-labs-open-source-ai-powered-framework/... |
GHSA-P6PV-Q7RC-G4H9
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-06 20:09:04+00:00 | seen | https://github.blog/security/how-to-scan-for-vulnerabilities-with-github-security-labs-open-source-ai-powered-framework/... |
GHSA-Q45J-X3CJ-GJVQ
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-06 20:09:04+00:00 | seen | https://github.blog/security/how-to-scan-for-vulnerabilities-with-github-security-labs-open-source-ai-powered-framework/... |
GHSA-C8XF-3J86-7686
| creationtimestamp | type | source |
|---|---|---|
| 2026-03-06 20:09:04+00:00 | seen | https://github.blog/security/how-to-scan-for-vulnerabilities-with-github-security-labs-open-source-ai-powered-framework/... |