29552 matches found

CVE
added 2026/03/09 10:57 p.m., 9 views

CVE-2026-30920

OneUptime prior to version 10.0.19 has broken access control in the GitHub App installation flow. The GitHub App callback trusts attacker-controlled state and installation_id values, and writes the provided installation_id into Project.gitHubAppInstallationId with root privileges without validati...

CVSS 8.6 | AI score 5.9 | EPSS 0.00011
Exploits 1 | References 1 | Affected Software 1
OSV
added 2026/03/09 10:57 p.m., 2 views

CVE-2026-30920 OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the...

CVSS 8.6 | AI score 5.9 | EPSS 0.00011
Exploits 1 | References 3
EUVD
added 2026/03/09 10:57 p.m., 3 views

EUVD-2026-10433

OneUptime is a solution for monitoring and managing online services. Prior to 10.0.19, OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the...

CVSS 8.6 | AI score 5.8 | EPSS 0.00011
Exploits 1 | References 1
Github Security Blog
added 2026/03/09 5:29 p.m., 5 views

OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding

Summary: OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub A...

CVSS 8.6 | AI score 5.9 | EPSS 0.00011
Exploits 1 | References 10 | Affected Software 1
Snyk
added 2026/03/09 5:29 p.m., 2 views

Missing Authorization

Overview: @oneuptime/common is the OneUptime Common UI Library, a collection of shared components and utilities that are used across the OneUptime platform. It is designed to be easy to install and use, and to be extensible. This library is built with React and TypeScript. It includes c Affected...

CVSS 10 | AI score 5.9 | EPSS 0.00011
Exploits 1 | References 2
EUVD
added 2026/03/09 5:29 p.m., 3 views

EUVD-2026-10432

OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding...

CVSS 8.6 | AI score 5.8 | EPSS 0.00011
Exploits 1 | References 8
OSV
added 2026/03/09 5:29 p.m., 2 views

GHSA-656W-6F6C-M9R6 OneUptime has broken access control in GitHub App installation flow that allows unauthorized project binding

Summary: OneUptime's GitHub App callback trusts attacker-controlled state and installation_id values and updates Project.gitHubAppInstallationId with isRoot: true without validating that the caller is authorized for the target project. This allows an attacker to overwrite another project's GitHub A...

CVSS 8.6 | AI score 5.9 | EPSS 0.00011
Exploits 1 | References 10
CBLMariner
added 2026/03/09 2:32 p.m., 2 views

CVE-2025-47911 affecting package gh for versions less than 2.13.0-26

CVE-2025-47911 affecting package gh for versions less than 2.13.0-26. A patched version of the package is available...

CVSS 5.3 | AI score 5.8 | EPSS 0.00033
Exploits 0
Circl
added 2026/03/09 12:29 p.m., 3 views

CVE-2026-28807

| creation_timestamp | type | source |
|---|---|---|
| 2026-03-09 12:29:02+00:00 | published-proof-of-concept | https://github.com/gleam-wisp/wisp/security/advisories/GHSA-h7cj-j2vv-qw8r... |

CVSS 8.7 | AI score 7.3 | EPSS 0.00127
Exploits 1 | References 1
HackRead
added 2026/03/09 11:26 a.m., 5 views

AI Bot Hackerbot-Claw Targets Microsoft, DataDog and CNCF GitHub Repos

Security firm Pillar reveals the Chaos Agent in which Hackerbot-Claw, an AI agent, used natural language to compromise major GitHub projects and hijack developer tools...

AI score 5.8
Exploits 0
Circl
added 2026/03/09 8:40 a.m., 3 views

CVE-2026-31809

| creation_timestamp | type | source |
|---|---|---|
| 2026-03-09 08:40:48+00:00 | published-proof-of-concept | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pmc9-f5qr-2pcr... |

CVSS 6.4 | AI score 7.2 | EPSS 0.00502
Exploits 1 | References 1
Circl
added 2026/03/09 8:33 a.m., 2 views

CVE-2026-31861

| creation_timestamp | type | source |
|---|---|---|
| 2026-03-09 08:33:47+00:00 | published-proof-of-concept | https://github.com/siteboon/claudecodeui/security/advisories/GHSA-7fv4-fmmc-86g2... |

CVSS 8.8 | AI score 5.8 | EPSS 0.00083
Exploits 1 | References 1
Positive Technologies
added 2026/03/09 12:00 a.m., 3 views

PT-2026-24150

Name of the Vulnerable Software and Affected Versions: OneUptime versions prior to 10.0.19. Description: OneUptime's GitHub App callback does not properly validate the state and installation id values received from a user, allowing an attacker to overwrite another project's GitHub App installation...

CVSS 8.6 | AI score 5.9 | EPSS 0.00011
Exploits 1 | References 22
Circl
added 2026/03/08 5:27 p.m., 5 views

CVE-2026-30964

| creation_timestamp | type | source |
|---|---|---|
| 2026-03-08 17:27:32+00:00 | published-proof-of-concept | https://github.com/web-auth/webauthn-framework/security/advisories/GHSA-f7pm-6hr8-7ggm... |

CVSS 5.4 | AI score 5.8 | EPSS 0.00017
Exploits 1 | References 1
RedhatCVE
added 2026/03/07 7:31 p.m., 2 views

CVE-2026-29783

The shell tool within GitHub Copilot CLI versions prior to and including 0.0.422 can allow arbitrary code execution through crafted bash parameter expansion patterns. An attacker who can influence the commands executed by the agent, e.g., via prompt injection through repository files, MCP server...

CVSS 7.5 | AI score 6.3 | EPSS 0.00065
Exploits 1 | References 1
Fedora
added 2026/03/07 3:33 a.m., 5 views

[SECURITY] Fedora 42 Update: gh-2.87.3-1.fc42

A command-line interface to GitHub for use in your terminal or your scripts. gh is a tool designed to enhance your workflow when working with GitHub. It provides a seamless way to interact with GitHub repositories and perform various actions right from the command line, eliminating the need to...

CVSS 7.5 | AI score 5.8 | EPSS 0.00048
Exploits 2
vulnersOsv
added 2026/03/07 2:37 a.m., 2 views

2sio (>=0.1.0 <=0.1.5), 4mica-x402 (>=0.1.0 <=1.2.3) +49 more potentially affected by unknown CVE via x402 (>=0.2.1 <=2.12.0)

x402 PYPI version =0.2.1, =0.1.0, =0.1.0, =0.2.0, =1.0.0, =0.0.15, =0.3.14, =0.1.0, =0.1.1, =0.7.0, =0.5.4, =0.1.0, =0.1.0, =0.3.0, =0.3.5 and more Source cves: unknown CVE Source advisory: OSV:GHSA-QR2G-P6Q7-W82M...

AI score 5.5
Exploits 0
Github Security Blog
added 2026/03/07 2:32 a.m., 4 views

Black's vulnerable version parsing leads to RCE in GitHub Action

Impact: Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. Th...

CVSS 9.8 | AI score 6.3 | EPSS 0.00089
Exploits 0 | References 4 | Affected Software 1
OSV
added 2026/03/07 2:32 a.m., 2 views

GHSA-V53H-F6M7-XCGM Black's vulnerable version parsing leads to RCE in GitHub Action

Impact: Black provides a GitHub action for formatting code. This action supports an option, use_pyproject: true, for reading the version of Black to use from the repository pyproject.toml. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. Th...

CVSS 8.7 | AI score 6.3 | EPSS 0.00089
Exploits 0 | References 4
Tenable Nessus
added 2026/03/07 12:00 a.m., 2 views

Fedora 42 : prometheus (2026-c9fb6d2b76)

The remote Fedora 42 host has a package installed that is affected by multiple vulnerabilities as referenced in the FEDORA-2026-c9fb6d2b76 advisory. Rename from golang-github-prometheus and upgrade to 3.10.0. Tenable has extracted the preceding description block directly from the Fedora security...

CVSS 7.5 | AI score 6.8 | EPSS 0.00044
Exploits 1 | References 9