CVE-2026-34729

creationtimestamp| type| source ---|---|--- 2026-03-31 17:23:49+00:00| published-proof-of-concept| https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7 2026-03-31 17:23:49+00:00| published-proof-of-concept|...

CVE-2026-34974

creationtimestamp| type| source ---|---|--- 2026-03-31 17:23:15+00:00| published-proof-of-concept| https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg...

CVE-2026-34243

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issuecomment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVE-2026-34243

CVE-2026-34243 affects the Wenxian tool (versions up to 0.3.1 and earlier) where a GitHub Actions workflow uses untrusted input from issue_comment.body directly inside a shell command, enabling command injection and potential arbitrary code execution on the runner. The vulnerability stems from in...

CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issuecomment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issuecomment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVE-2026-34243

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issuecomment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

wenxian is a tool to generate BIBTEX files from given identifiers DOI, PMID, arXiv ID, or paper title. In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issuecomment.body directly inside a shell command, allowing potential command injection and arbitrary code...

GHSA-PX3P-VGH9-M57C

creationtimestamp| type| source ---|---|--- 2026-03-31 15:18:14+00:00| published-proof-of-concept| Telegram/glZc2MUrWDW1orrk5KZxOV-1RuNHXXM8No2M1-1yJOvNvE...

GHSA-37CH-88JC-XWX2 vulnerabilities

Vulnerabilities for packages: json-server, kubeflow-centraldashboard, kubeflow-pipelines, sqlpad, argo-workflows...

CVE-2026-34042

act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and...

CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection

act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...

CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection

act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...

PT-2026-29421

Name of the Vulnerable Software and Affected Versions: FastMCP versions prior to 3.2.0 Description: FastMCP is susceptible to a Confused Deputy issue within its GitHubProvider OAuth integration. The OAuthProxy component fails to properly validate user consent when receiving authorization codes fr...

wenxian 操作系统命令注入漏洞

Wenxian is a tool developed by Jinzhe Zeng as a reference format generator based on document identifiers. Versions of Wenxian 0.3.1 and earlier contained a vulnerability related to operating system command injection. This vulnerability stemmed from the use of unvalidated user input directly in...

OpenAI Codex Vulnerability Allowed Attackers to Steal GitHub Tokens

OpenAI Codex vulnerability allowed attackers to steal GitHub tokens via malicious branch names using hidden Unicode command injection flaw...

CVE-2026-34715

creationtimestamp| type| source ---|---|--- 2026-03-30 19:31:23+00:00| published-proof-of-concept| https://github.com/vshakitskiy/ewe/security/advisories/GHSA-x2w3-23jr-hrpf 2026-03-30 19:31:23+00:00| published-proof-of-concept|...

GHSA-Q9VP-3WCG-8P4X

creationtimestamp| type| source ---|---|--- 2026-03-30 19:17:51+00:00| published-proof-of-concept| Telegram/fjirMqbI7HbDe3OLZhJWgKP9iQtg8z94oAYRFGU8rTUaV0...

Telnyx has malicious code in PyPI versions 4.87.1 and 4.87.2

Summary On March 27, 2026, a threat actor used compromised PyPI credentials to publish malicious versions 4.87.1 and 4.87.2 of the telnyx Python package directly to PyPI. These versions contain credential-stealing malware and were not published through the legitimate GitHub release pipeline...

CVE-2026-34523

creationtimestamp| type| source ---|---|--- 2026-03-30 17:31:58+00:00| published-proof-of-concept| https://github.com/SillyTavern/SillyTavern/security/advisories/GHSA-525j-2hrj-m8fp 2026-03-30 17:31:58+00:00| published-proof-of-concept|...