CVE-2026-27938

The CVE-2026-27938 entry documents a command injection flaw in the WPGraphQL repository (wp-graphql/wp-graphql) prior to version 2.9.1, stemming from an unsafe use of ${{ github.event.pull_request.body }} inside the release.yml shell run block. When a PR from develop to master is merged, the PR b...

CVE-2026-27938

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of $ github.event.pullrequest.body inside a run: shell block. When a pull request...

CVE-2026-27938 WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression in Release Workflow

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of $ github.event.pullrequest.body inside a run: shell block. When a pull request...

OpenLIT 安全漏洞

OpenLIT is an open-source language model development tool developed by OpenLIT. Versions of OpenLIT prior to 1.37.1 contained security vulnerabilities. These vulnerabilities stemmed from the use of the pullrequesttarget event in GitHub Actions workflows, allowing for the execution of untrusted...

WordPress plugin WPGraphQL 操作系统命令注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. Versions...

GHSA-MPHV-75CG-56WG

creationtimestamp| type| source ---|---|--- 2026-02-25 23:40:19+00:00| seen| https://gist.github.com/alon710/2fdb93ea28abae568076465460152300...

GO-2026-4546 FileBrowser Quantum: Password Protection Not Enforced on Shared File Links in github.com/gtsteffaniak/filebrowser/backend

FileBrowser Quantum: Password Protection Not Enforced on Shared File Links in github.com/gtsteffaniak/filebrowser/backend...

GO-2026-4545 esm.sh is vulnerable to full-response SSRF in github.com/esm-dev/esm.sh

esm.sh is vulnerable to full-response SSRF in github.com/esm-dev/esm.sh...

GHSA-QRVQ-68C2-7GRW vulnerabilities

Vulnerabilities for packages: kine, k3s, nats-top, telegraf...

GHSA-JHP4-JVQ3-W5XR

creationtimestamp| type| source ---|---|--- 2026-02-25 19:10:19+00:00| seen| https://gist.github.com/alon710/1b38be1c4bfe28706dfdf76e6aecf149...

GHSA-CVWJ-6C9H-JG6V Parse Dashboard is Missing Authorization for its Agent Endpoint

Impact The AI Agent API endpoint POST /apps/:appId/agent does not enforce authorization. Authenticated users scoped to specific apps can access any other app's agent endpoint by changing the app ID in the URL. Read-only users are given the full master key instead of the read-only master key and c...

CVE-2026-27701

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's i18n-update-pull GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated...

EUVD-2026-8645

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's i18n-update-pull GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated...

CVE-2026-27701 LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's i18n-update-pull GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated...

GHSA-XJHV-V822-PF94

creationtimestamp| type| source ---|---|--- 2026-02-25 01:40:27+00:00| seen| https://gist.github.com/alon710/447723fe5251aee242f8395c82fa3afa...

GHSA-299V-8PQ9-5GJQ

creationtimestamp| type| source ---|---|--- 2026-02-25 01:08:27+00:00| seen| https://gist.github.com/alon710/95d75a59b32de2eaa17ab17568afc3b1...

GHSA-G3GW-Q23R-PGQM

creationtimestamp| type| source ---|---|--- 2026-02-25 01:08:20+00:00| seen| https://gist.github.com/alon710/3c4ee34d2cdc53cc5dccf62f09e44104...

GHSA-V2GC-RM6G-WRW9

creationtimestamp| type| source ---|---|--- 2026-02-25 01:08:11+00:00| seen| https://gist.github.com/alon710/2a6bff36b163c3eb59d13fedcce793b9...

GHSA-78QV-3MPX-9CQQ

creationtimestamp| type| source ---|---|--- 2026-02-25 01:08:04+00:00| seen| https://gist.github.com/alon710/2374cc8dbd605d3c0e5e8ece442a11db...

LiveCode 代码注入漏洞

LiveCode is a multi-platform programming tool developed by the LiveCode team. It can run on iOS, Android, OS X, Windows 95 through Windows 10, Raspberry Pi, and various Unix variants including Linux, Solaris, and BSD. LiveCode has a code injection vulnerability. This vulnerability stems from the...