68 matches found
EUVD-2025-18904
Malicious code in bioql PyPI...
EUVD-2025-14654
Malicious code in bioql PyPI...
EUVD-2022-6338
Malicious code in bioql PyPI...
EUVD-2025-20825
Malicious code in bioql PyPI...
EUVD-2024-32806
Malicious code in bioql PyPI...
EUVD-2025-9624
Malicious code in bioql PyPI...
CVE-2025-54430
dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomme...
CVE-2025-54430 dedupe is vulnerable to secret exfiltration via `issue_comment`
dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomme...
CVE-2025-54415
CVE-2025-54415 affects the dag-factory project (Apache Airflow) for versions ≤ 0.23.0a8. The vulnerability lies in the cicd.yml workflow configured in the astronomer/dag-factory GitHub repository, which, when triggered by pull_request_target, can be exploited to execute arbitrary code in the GitH...
CVE-2025-53546
Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...
CVE-2025-53546
Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...
CVE-2025-53546 Folo allows secrets exfiltration via `pull_request_target`
Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...
CVE-2025-53546 Folo allows secrets exfiltration via `pull_request_target`
Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...
CVE-2025-53546
CVE-2025-53546 affects Folo. The vulnerability arises from using pull_request_target in the GitHub Actions workflow (.github/workflows/auto-fix-lint-format-commit.yml), allowing untrusted code in the base repository to access secrets. Exploitation can exfiltrate the GITHUB_TOKEN, which has high p...
CVE-2025-53546 Folo allows secrets exfiltration via `pull_request_target`
Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...
CVE-2025-52467
pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...
CVE-2025-52467
pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...
CVE-2025-52467 pgai secrets exfiltration via `pull_request_target`
pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...
CVE-2025-52467
CVE-2025-52467 affects the pgai Python library that converts PostgreSQL into a retrieval engine for RAG/Agentic apps. The issue enables exfiltration of secrets used in a workflow, notably the GITHUB_TOKEN with write permissions, allowing an attacker to tamper with the repository (e.g., push code/...
CVE-2025-52467 pgai secrets exfiltration via `pull_request_target`
pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...