CVE-2026-45033
GitHub Copilot CLI (affected component: Git operations in Copilot CLI) contains a local privilege/command execution flaw exposed when a malicious bare git repository is nested within a project directory. The issue arises from git auto-discovery of bare repositories during directory traversal, all...
neo-pocs
neo-pocs Containerized proof-of-concept packages for reviewed...
CVE-2026-45803
creationtimestamp | type | source
---|---|---
2026-05-13 15:20:46+00:00 | published-proof-of-concept | https://github.com/cli/cli/security/advisories/GHSA-crc3-h8v6-qh57...
CVE-2026-44970
creationtimestamp | type | source
---|---|---
2026-05-13 15:01:46+00:00 | published-proof-of-concept | https://github.com/dbt-labs/dbt-mcp/security/advisories/GHSA-jj54-r8gm-2fcf...
CVE-2026-44969
creationtimestamp | type | source
---|---|---
2026-05-13 15:01:34+00:00 | published-proof-of-concept | https://github.com/dbt-labs/dbt-mcp/security/advisories/GHSA-7xgw-6qf3-7w59...
CVE-2026-45616
creationtimestamp | type | source
---|---|---
2026-05-13 14:00:05+00:00 | seen | https://t.me/GithubRedTeam/84084
2026-05-13 21:00:04+00:00 | published-proof-of-concept | Telegram/O41s4ZacceniC-zmRdA20LKtlUfLN8dJaI2Rmc1hsAXigiA...
CVE-2026-46339
creationtimestamp | type | source
---|---|---
2026-05-13 13:15:48+00:00 | published-proof-of-concept | https://github.com/decolua/9router/security/advisories/GHSA-fhh6-4qxv-rpqj...
Generation of Error Message Containing Sensitive Information
Overview composer/composer is a Dependency Manager for PHP. Composer helps you declare, manage and install dependencies of PHP projects. It ensures you have the right stack everywhere. Affected versions of this package are vulnerable to Generation of Error Message Containing Sensitive Information...
GitHub Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs
More info at https://github.com/composer/composer/security/advisories/GHSA-f9f8-rm49-7jv2...
GitHub Actions issued GITHUB_TOKEN disclosure in GitHub Actions logs
Summary Composer leaks to stderr the full contents of tokens configured as GitHub OAuth tokens if they do not match Composer's expected format for such tokens. GitHub has introduced a new format for GitHub Actions GITHUB_TOKEN values. These tokens are validated in the same way by Composer on GitHu...
GHSA-C4J6-FC7J-M34R
creationtimestamp | type | source
---|---|---
2026-05-13 06:02:34+00:00 | seen | https://t.me/GithubRedTeam/84034
2026-05-13 09:00:04+00:00 | seen | Telegram/6gD9pQtVCgeRlU-Eqvw6JM83wq5C4Rc0rf2uF-yzttPU
2026-05-15 00:16:17+00:00 | seen | https://gist.github.com/hahwul/e82a1e91f75872e43287743d4a15d035...
GHSA-GX5P-JG67-6X7H vulnerabilities
Vulnerabilities for packages: keep...
EUVD-2026-29841
nnU-Net is a semantic segmentation framework that automatically adapts its pipeline to a dataset. Prior to 2.4.1, the nnU-Net Issue Triage workflow in .github/workflows/issue-triage.yml is vulnerable to Agentic Workflow Injection. The workflow sets allowed_non_write_users: $...
CVE-2026-44246
The CVE concerns nnU-Net (MIC-DKFZ/nnUNet) before version 2.4.1. The issue lies in the nnU-Net Issue Triage workflow at .github/workflows/issue-triage.yml, which sets allowed_non_write_users: ${{ github.event.issue.user.login }}. This allows any logged-in GitHub user opening an issue to reach an ...
CVE-2026-46395
creationtimestamp | type | source
---|---|---
2026-05-12 20:26:15+00:00 | published-proof-of-concept | https://github.com/haxtheweb/issues/security/advisories/GHSA-6c8g-9hfh-pq5h...
CVE-2026-46396
creationtimestamp | type | source
---|---|---
2026-05-12 20:26:06+00:00 | published-proof-of-concept | https://github.com/haxtheweb/issues/security/advisories/GHSA-jh3h-rpxg-fr36...
CVE-2026-46393
creationtimestamp | type | source
---|---|---
2026-05-12 20:23:35+00:00 | published-proof-of-concept | https://github.com/haxtheweb/issues/security/advisories/GHSA-q862-gcgq-5m6g...
CVE-2026-45721
creationtimestamp | type | source
---|---|---
2026-05-12 20:16:42+00:00 | published-proof-of-concept | https://github.com/xyproto/algernon/security/advisories/GHSA-xwcr-wm99-g9jc...
Embedded Malicious Code
@tanstack/ packages are vulnerable to Embedded Malicious Code. The vulnerability is due to misconfigured GitHub Actions workflows and cache poisoning weaknesses that allowed attackers to extract OIDC tokens and publish malicious package versions under a trusted identity...
GHSA-MF9V-MFXR-J63J vulnerabilities
Vulnerabilities for packages: jwt-tool, jupyter-base-notebook, datadog-agent, py3-cassandra-medusa, confluent-docker-utils, httpie, airflow, kubeflow-pipelines-visualization-server, ggshield, kubeflow-pipelines, mlflow, az, py3-pip, open-webui, neuvector-manager, kubeflow-volumes-web-app, aws-cli...