GHSA-5WXR-W449-57CM Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions

Impact This affects only workflows that pin an exact affected Composer semver version through setup-php, for example tools: composer:2.9.7. Workflows using the default Composer version, composer:v2, or no pinned Composer version are not affected through setup-php, because those Composer URLs have...

GHSA-PQWM-Q9PV-PH8R Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...

Command Injection

Overview setup-php is a Setup PHP for use with GitHub Actions Affected versions of this package are vulnerable to Command Injection via the process that resolves PHP version from repository-controlled files such as .php-version, composer.lock, or composer.json and incorporates the value into the...

GHSA-6X5C-84VM-5J56

creationtimestamp| type| source ---|---|--- 2026-05-20 14:58:37+00:00| seen| https://gist.github.com/Atomics-hub/546bf5d8d27b37858eec964a75f37206...

GitHub Breach: TeamPCP Steals 3,800 Repositories via VS Code Extension

GitHub Breach: TeamPCP stole 3,800 internal repositories through a malicious VS Code extension and is now selling the data online for $95,000...

Webworm Deploys EchoCreep and GraphWorm Backdoors Using Discord and MS Graph API

Cybersecurity researchers have flagged fresh activity from a China-aligned threat actor known as Webworm in 2025, deploying custom backdoors that employ Discord and Microsoft Graph API for command-and-control C2 or C&C communications. Webworm, first publicly documented by Broadcom-owned Symantec ...

GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos

GitHub on Tuesday said it's investigating unauthorized access to its internal repositories after the notorious threat actor known as TeamPCP listed the platform's source code and internal organizations for sale on a cybercrime forum. "While we currently have no evidence of impact to customer...

ROOT-APP-GOBINARY-CVE-2026-34986 CVE-2026-34986 in rootio-github.com/go-jose/go-jose/v4 - Patched by Root

Root has patched CVE-2026-34986 in the rootio-github.com/go-jose/go-jose/v4 package for Root:Go. Multiple fixed versions available...

CVE-2026-47668

creationtimestamp| type| source ---|---|--- 2026-05-20 09:31:29+00:00| published-proof-of-concept| https://github.com/dbgate/dbgate/security/advisories/GHSA-8v3q-9vmx-36vc 2026-05-20 13:24:13+00:00| confirmed|...

CVE-2026-47670

creationtimestamp| type| source ---|---|--- 2026-05-20 09:31:12+00:00| published-proof-of-concept| https://github.com/dbgate/dbgate/security/advisories/GHSA-wm5r-5qp3-5vxf...

CVE-2026-47669

creationtimestamp| type| source ---|---|--- 2026-05-20 09:30:38+00:00| published-proof-of-concept| https://github.com/dbgate/dbgate/security/advisories/GHSA-h535-j5hr-mv56...

CVE-2026-46372

creationtimestamp| type| source ---|---|--- 2026-05-20 08:35:00+00:00| confirmed| https://github.com/projectdiscovery/nuclei-templates/tree/main/http/cves/2026/CVE-2026-46372.yaml 2026-05-29 23:00:43+00:00| seen| https://bsky.app/profile/thehackerwire.bsky.social/post/3mmznc7rrtw23...

GHSA-FMXF-PM6P-7XGM vulnerabilities

Vulnerabilities for packages: tez, druid, apache-pulsar...

GHSA-VRQ8-3X54-8JJ3 vulnerabilities

Vulnerabilities for packages: chromium...

GHSA-V77Q-JQJ8-8VVQ vulnerabilities

Vulnerabilities for packages: chromium...

GHSA-J89Q-H74W-5C2Q vulnerabilities

Vulnerabilities for packages: chromium...

GHSA-VRQ8-3X54-8JJ3 vulnerabilities

Vulnerabilities for packages: chromium...

GHSA-7W4V-J6PR-V8HV vulnerabilities

Vulnerabilities for packages: chromium...

Astra Linux - уязвимость в vim

Heap-based Buffer Overflow in the GitHub repository vim/vim before version 8.2.4968...

Astra Linux - уязвимость в grunt

The file.copy operations in GruntJS are vulnerable to a TOCTOU race condition, which can lead to arbitrary file writes in the GitHub repository gruntjs/grunt before version 1.5.3. This vulnerability allows for arbitrary file writes that can lead to local privilege escalation to the GruntJS user...