29552 matches found
GHSA-XJHV-V822-PF94
| creationtimestamp | type | source |
|---|---|---|
| 2026-02-25 01:40:27+00:00 | seen | https://gist.github.com/alon710/447723fe5251aee242f8395c82fa3afa... |
GHSA-299V-8PQ9-5GJQ
| creationtimestamp | type | source |
|---|---|---|
| 2026-02-25 01:08:27+00:00 | seen | https://gist.github.com/alon710/95d75a59b32de2eaa17ab17568afc3b1... |
GHSA-G3GW-Q23R-PGQM
| creationtimestamp | type | source |
|---|---|---|
| 2026-02-25 01:08:20+00:00 | seen | https://gist.github.com/alon710/3c4ee34d2cdc53cc5dccf62f09e44104... |
GHSA-V2GC-RM6G-WRW9
| creationtimestamp | type | source |
|---|---|---|
| 2026-02-25 01:08:11+00:00 | seen | https://gist.github.com/alon710/2a6bff36b163c3eb59d13fedcce793b9... |
GHSA-78QV-3MPX-9CQQ
| creationtimestamp | type | source |
|---|---|---|
| 2026-02-25 01:08:04+00:00 | seen | https://gist.github.com/alon710/2374cc8dbd605d3c0e5e8ece442a11db... |
LiveCode code injection vulnerability
LiveCode is a multi-platform programming tool developed by the LiveCode team. It can run on iOS, Android, OS X, Windows 95 through Windows 10, Raspberry Pi, and various Unix variants including Linux, Solaris, and BSD. LiveCode has a code injection vulnerability. This vulnerability stems from the...
PT-2026-21922
Name of the Vulnerable Software and Affected Versions: LiveCode versions prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11. Description: LiveCode is an open-source, client-side code playground. The i18n-update-pull GitHub Actions workflow is susceptible to JavaScript injection prior to commit...
GHSA-GQ3J-XVXP-8HRF vulnerabilities
Vulnerabilities for packages: opensearch-dashboards, langfuse...
RoguePilot Flaw in GitHub Codespaces Enabled Copilot to Leak GITHUB_TOKEN
A vulnerability in GitHub Codespaces could have been exploited by bad actors to seize control of repositories by injecting malicious Copilot instructions in a GitHub issue. The artificial intelligence (AI)-driven vulnerability has been codenamed RoguePilot by Orca Security. It has since been patche...
NULL Pointer Dereference
Overview: Affected versions of this package are vulnerable to NULL Pointer Dereference via the PFCP SessionReportRequest process when ReportType.USAR is set to 1 and the UsageReport omits the mandatory URRID sub-IE. An attacker can cause the service to crash and terminate by sending a specially...
GHSA-M7JM-9GC2-MPF2 vulnerabilities
Vulnerabilities for packages: prism, tileserver-gl, saf, renovate...
GHSA-QVHC-9V3J-5RFW vulnerabilities
Vulnerabilities for packages: dotnet...
GO-2026-4529 Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in github.com/sigstore/cosign
Cosign considered signatures valid with expired intermediate certificates when transparency log verification is skipped in github.com/sigstore/cosign...
GO-2026-4505 Libredesk has a SSRF Vulnerability in Webhooks in github.com/abhinavxd/libredesk
Libredesk has a SSRF Vulnerability in Webhooks in github.com/abhinavxd/libredesk...
GO-2026-4516 Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints in github.com/akuity/kargo
Kargo has an Authorization Bypass Vulnerability in Batch Resource Creation API Endpoints in github.com/akuity/kargo...
GO-2026-4515 Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo
Kargo has Missing Authorization Vulnerabilities in Approval & Promotion REST API Endpoints in github.com/akuity/kargo...
Use After Free
Overview: Affected versions of this package are vulnerable to Use After Free in the chaiscript::TypeInfo::bareequal function. An attacker can cause a program crash or potentially execute arbitrary code by triggering use of memory after it has been freed. Remediation: There is no fixed version for...
GHSA-PX4R-G4P3-HHQV vulnerabilities
Vulnerabilities for packages: spegel, k3s, spegel-fips, rke2-runtime, ipfs-cluster-fips, kubo, ipfs-cluster...
Malicious npm Packages Harvest Crypto Keys, CI Secrets, and API Tokens
Cybersecurity researchers have disclosed what they say is an active "Shai-Hulud-like" supply chain worm campaign that has leveraged a cluster of at least 19 malicious npm packages to enable credential harvesting and cryptocurrency key theft. The campaign has been codenamed SANDWORMMODE by supply...
Git Argument Injection via Reference Field in GitHubRepository Block
This report is not public...