29577 matches found
GHSA-JG4P-7FHP-P32P vulnerabilities
Vulnerabilities for packages: opensearch-dashboards, wazuh-dashboard, opensearch-dashboards-fips, kibana...
Malicious code in apl-github-test (npm)
Source: amazon-inspector fc746d95b286b0c3dde3aa7d5d3287da638b8a02ceed430f372112f1f563686a. The package apl-github-test was found to contain malicious code...
MAL-2026-2729 Malicious code in apl-github-test (npm)
PT-2026-33378
Summary: The proxyUi template engine uses Go's text/template, which performs no HTML escaping, instead of html/template. The GitHub OAuth callback handlers in both publicProxy and dynamicProxy embed the attacker-controlled refreshInterval query parameter verbatim into an error message when...
CVE-2026-40316
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run wit...
CVE-2026-40316 OWASP BLT has RCE in Github Actions via untrusted Django model execution in workflow
OWASP BLT is a QA testing and vulnerability disclosure platform that encompasses websites, apps, git repositories, and more. Versions prior to 2.1.1 contain an RCE vulnerability in the .github/workflows/regenerate-migrations.yml workflow. The workflow uses the pull_request_target trigger to run wit...
CVE-2026-40316
CVE-2026-40316 (OWASP BLT) affects versions prior to 2.1.1. An RCE exists in the .github/workflows/regenerate-migrations.yml workflow due to using pull_request_target with full GITHUB_TOKEN write permissions. The workflow copies attacker-controlled files from untrusted PRs into the trusted runner ...
GHSA-78X4-6X83-JX75
| creation_timestamp | type | source |
|---|---|---|
| 2026-04-15 19:21:23+00:00 | seen | Telegram/7Ck-SXA1c6Vf9FqVW81avKVix-fYO39OzelndhESQPxXBQ... |
How to Harden GitHub Actions: An Updated Guide
Build resilient GitHub Actions workflows with lessons from recent attacks like TeamPCP and Axios...
SUSE CVE-2026-35580
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflow_dispatch inputs were interpolated directly into shell commands via `${{ }}` expression syntax. An attacker with repository write access could...
CVE-2026-41244
| creation_timestamp | type | source |
|---|---|---|
| 2026-04-15 08:23:19+00:00 | published-proof-of-concept | https://github.com/notamitgamer/mojic/security/advisories/GHSA-wqq3-wfmp-v85g... |
vuln-poc-generate-skill
vuln-poc-generate-skill A Codex skill project for generating...
CVE-2026-41232
| creation_timestamp | type | source |
|---|---|---|
| 2026-04-15 06:39:05+00:00 | published-proof-of-concept | https://github.com/froxlor/froxlor/security/advisories/GHSA-vmjj-qr7v-pxm6... |
GHSA-J2HF-X4Q5-47J3
| creation_timestamp | type | source |
|---|---|---|
| 2026-04-15 01:19:29+00:00 | seen | Telegram/4QaIVP4Z6j7I04jn6w3qCKrQ76Fz4EXtpUCBPkRfgX1dqr4... |
GHSA-J6M5-2CC7-3WHC
| creation_timestamp | type | source |
|---|---|---|
| 2026-04-15 01:19:21+00:00 | published-proof-of-concept | Telegram/GYbH54sRbOOqgznzSrvNbIPKqa8TpEiUvDUzTYtUUyxy-E... |
OWASP BLT Security Vulnerability
OWASP BLT is an open-source gamified crowdsourcing platform for testing and disclosing vulnerabilities. Versions of OWASP BLT prior to 2.1.1 contained security vulnerabilities. These vulnerabilities were caused by a remote code execution issue in the .github/workflows/regenerate-migrations.yml...
Insufficient Session Expiration
Overview: pyload-ng is a free and open-source download manager written in pure Python. Affected versions of this package are vulnerable to Insufficient Session Expiration due to improper session management when user permissions are changed. An attacker can retain unauthorized access to resource...
Heap-based Buffer Overflow
Overview: Affected versions of this package are vulnerable to Heap-based Buffer Overflow via the magnify when an unrecognized magnify:method value is provided. An attacker can cause a denial of service by triggering an out-of-bounds read during image processing. Remediation: A fix was pushed into t...
CVE-2026-41061
| creation_timestamp | type | source |
|---|---|---|
| 2026-04-14 23:22:21+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-8pv3-29pp-pf8f... |