CVE-2026-48501
GitHub CLI (gh) prior to 2.93.0 contains a token leakage vulnerability: a shared HTTP client with an authentication layer attaches user tokens to outgoing requests without proper host detection. The host normalization collapses any *.github.com subdomain to github.com, causing requests to tuf-rep...
CVE-2026-48501
GitHub CLI gh is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...
CVE-2026-48501 GitHub CLI tokens leak via `gh attestation` commands
GitHub CLI gh is GitHub’s official command line tool. Prior to 2.93.0, GitHub CLI incorrectly includes authorization header in API requests to TUF repository mirrors via gh attestation, gh release verify, and gh release verify-asset commands. The CLI uses a shared HTTP client with an authenticati...
CVE-2026-44492
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-29 06:32:41+00:00 | published-proof-of-concept | https://github.com/axios/axios/security/advisories/GHSA-pjwm-pj3p-43mv |
| 2026-06-11 18:00:59+00:00 | seen | https://bsky.app/profile/thehackerwire.bsky.social/post/3mnzsmajacl2n... |
CVE-2026-50287
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-29 02:43:29+00:00 | published-proof-of-concept | https://github.com/agenticmail/agenticmail/security/advisories/GHSA-63gr-g7jc-v8rg... |
SUSE CVE-2026-45321
On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...
GHSA-JF3X-2PF6-C45W vulnerabilities
Vulnerabilities for packages: systemd...
Linux Distros Unpatched Vulnerability : CVE-2026-44590
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validatemodifiedtargets.yml is...
PT-2026-44921
A vulnerability was found in macrozheng mall up to 1.0.3. This affects an unknown function of the file /admin/update/ of the component Super Admin Password Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The vendor deleted the...
OPENSUSE-SU-2026:10902-1 golang-github-teddysun-v2ray-plugin-5.49.0-1.1 on GA media
These are all security issues fixed in the golang-github-teddysun-v2ray-plugin-5.49.0-1.1 package on the GA media of openSUSE Tumbleweed...
GitHub CLI security vulnerability
GitHub CLI is an open-source command-line interface for GitHub. Prior to version 2.93.0 of GitHub CLI, there was a security vulnerability. This vulnerability stemmed from incorrect authorization headers in API requests to the TUF repository via the gh attestation, gh release verify, and gh releas...
PT-2026-44905
Name of the Vulnerable Software and Affected Versions: GitHub CLI versions prior to 2.93.0
Description: GitHub CLI incorrectly includes authorization headers in API requests to TUF repository mirrors when using the gh attestation, gh release verify, and gh release verify-asset commands. The tool...
a2a-sigstore (=0.4.0), aiogithubapi (>=23.9.0 <=23.11.0) +68 more potentially affected by unknown CVE via tuf (>=1.0.0 <=6.0.0)
tuf PYPI version =1.0.0, =23.9.0, =0.2.0, =0.14.0, =0.0.1, =0.1.0, =0.1.9, =0.1.9, =0.1.9, =0.1.20
- floe-catalog-glue =0.1.0a1
- floe-catalog-polaris =0.1.0a1
- floe-compute-duckdb =0.1.0a1
and more
Source cves: unknown CVE
Source advisory: OSV:GHSA-QP9X-WP8F-QGJJ...
CVE-2026-42563
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-28 21:43:22+00:00 | published-proof-of-concept | https://github.com/jelmer/dulwich/security/advisories/GHSA-9277-mp7x-85jf... |
CVE-2026-46345
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-28 17:44:03+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-4q5v-7g7x-j79w... |
CVE-2026-45287
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-28 17:19:10+00:00 | published-proof-of-concept | https://github.com/advisories/GHSA-995v-fvrw-c78m... |
CVE-2026-44358
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary...
EUVD-2026-32908
Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary...
CVE-2026-44723
Vowpal Wabbit is a machine learning system. The workflow .github/workflows/pythonchecks.yml embeds `${{ github.event.pull_request.title }}` directly inside double-quoted bash strings in four separate steps across four jobs, each passing it as a CLI argument to the Python test script...
Supply Chain Compromises Impact Nx Console and GitHub Repositories
CISA is prioritizing the response to multiple emerging software supply chain intrusion campaigns targeting developer ecosystems and Continuous Integration/Continuous Development (CI/CD) pipelines. These recent incidents, including the GitHub compromise via a malicious Nx Console Visual Studio Code VS...