Lucene search
K

69 matches found

Cvelist
Cvelist
added 2026/06/26 4:46 p.m.35 views

CVE-2026-55448 mise: Local credential_command executes untrusted config

mise manages dev tools like node, python, cmake, and terraform. From 2026.3.15 until 2026.6.4, mise loads github.credentialcommand from local project config before any trust decision, then executes that value with sh -c when resolving a GitHub token. An attacker who can place a .mise.toml in a...

6.3CVSS0.00159EPSS
Exploits0References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.8 views

EUVD-2025-14654

Malicious code in bioql PyPI...

7.1CVSS6.5AI score0.00163EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2022-6338

Malicious code in bioql PyPI...

9.9CVSS8.9AI score0.02334EPSS
Exploits0References5
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2025-18904

Malicious code in bioql PyPI...

9.1CVSS6.5AI score0.00339EPSS
Exploits0References3
EUVD
EUVD
added 2025/10/03 8:7 p.m.4 views

EUVD-2024-32806

Malicious code in bioql PyPI...

7.1CVSS7AI score0.0047EPSS
Exploits1References1
EUVD
EUVD
added 2025/10/03 8:7 p.m.6 views

EUVD-2025-20825

Malicious code in bioql PyPI...

9.1CVSS6.5AI score0.00305EPSS
Exploits0References2
EUVD
EUVD
added 2025/10/03 8:7 p.m.7 views

EUVD-2025-9624

Malicious code in bioql PyPI...

8.2CVSS6.4AI score0.00589EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/08/02 8:22 p.m.3 views

CVE-2025-54430

dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomme...

9.1CVSS6.4AI score0.00343EPSS
Exploits0References1
Vulnrichment
Vulnrichment
added 2025/07/30 1:41 p.m.2 views

CVE-2025-54430 dedupe is vulnerable to secret exfiltration via `issue_comment`

dedupe is a python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where a issuecomme...

9.1CVSS7.2AI score0.00343EPSS
Exploits0References2
CVE
CVE
added 2025/07/26 3:33 a.m.62 views

CVE-2025-54415

CVE-2025-54415 affects the dag-factory project (Apache Airflow) for versions ≤ 0.23.0a8. The vulnerability lies in the cicd.yml workflow configured in the astronomer/dag-factory GitHub repository, which, when triggered by pull_request_target, can be exploited to execute arbitrary code in the GitH...

10CVSS7.4AI score0.00631EPSS
Exploits0References4
RedhatCVE
RedhatCVE
added 2025/07/11 2:33 p.m.5 views

CVE-2025-53546

Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...

9.1CVSS7.2AI score0.00305EPSS
Exploits0References1
NVD
NVD
added 2025/07/09 3:15 p.m.9 views

CVE-2025-53546

Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...

9.1CVSS0.00305EPSS
Exploits0References2
Vulnrichment
Vulnrichment
added 2025/07/09 2:27 p.m.3 views

CVE-2025-53546 Folo allows secrets exfiltration via `pull_request_target`

Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...

9.1CVSS7.1AI score0.00305EPSS
Exploits0References2
Cvelist
Cvelist
added 2025/07/09 2:27 p.m.9 views

CVE-2025-53546 Folo allows secrets exfiltration via `pull_request_target`

Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...

9.1CVSS0.00305EPSS
Exploits0References2
OSV
OSV
added 2025/07/09 2:27 p.m.5 views

CVE-2025-53546 Folo allows secrets exfiltration via `pull_request_target`

Folo organizes feeds content into one timeline. Using pullrequesttarget on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets from the base repo. By exploiting the vulnerability is possible to...

9.1CVSS7.1AI score0.00305EPSS
Exploits0References4
CVE
CVE
added 2025/07/09 2:27 p.m.18 views

CVE-2025-53546

CVE-2025-53546 affects Folo. The vulnerability arises from using pull_request_target in the GitHub Actions workflow (.github/workflows/auto-fix-lint-format-commit.yml), allowing untrusted code in the base repository to access secrets. Exploitation can exfiltrate the GITHUB_TOKEN, which has high p...

9.1CVSS7.1AI score0.00305EPSS
Exploits0References2
RedhatCVE
RedhatCVE
added 2025/06/23 8:39 a.m.5 views

CVE-2025-52467

pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...

9.1CVSS7.6AI score0.00339EPSS
Exploits0References1
NVD
NVD
added 2025/06/19 3:15 a.m.8 views

CVE-2025-52467

pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...

9.1CVSS0.00339EPSS
Exploits0References3
CVE
CVE
added 2025/06/19 2:50 a.m.28 views

CVE-2025-52467

CVE-2025-52467 affects the pgai Python library that converts PostgreSQL into a retrieval engine for RAG/Agentic apps. The issue enables exfiltration of secrets used in a workflow, notably the GITHUB_TOKEN with write permissions, allowing an attacker to tamper with the repository (e.g., push code/...

9.1CVSS9.4AI score0.00339EPSS
Exploits0References3
Cvelist
Cvelist
added 2025/06/19 2:50 a.m.18 views

CVE-2025-52467 pgai secrets exfiltration via `pull_request_target`

pgai is a Python library that transforms PostgreSQL into a retrieval engine for RAG and Agentic applications. Prior to commit 8eb3567, the pgai repository was vulnerable to an attack allowing the exfiltration of all secrets used in one workflow. In particular, the GITHUBTOKEN with write permissio...

9.1CVSS0.00339EPSS
Exploits0References3
Rows per page
Query Builder