68 matches found
Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`
Summary: Using `issue_comment` on .github/workflows/scalafmt-fix.yml, an attacker can inject malicious code using github.event.comment.body. By exploiting the vulnerability, it is possible to exfiltrate the highly privileged GITHUB_TOKEN, which can be used to completely take over the repo since the token has...
GHSA-PHF6-HM3H-X8QP Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`
Summary: Using `issue_comment` on .github/workflows/scalafmt-fix.yml, an attacker can inject malicious code using github.event.comment.body. By exploiting the vulnerability, it is possible to exfiltrate the highly privileged GITHUB_TOKEN, which can be used to completely take over the repo since the token has...
CVE-2025-24362
In some circumstances, debug artifacts uploaded by the CodeQL Action after a failed code scanning workflow run may contain the environment variables from the workflow run, including any secrets that were exposed as environment variables to the workflow. Users with read access to the repository...
CVE-2023-49291
tj-actions/branch-names is a GitHub Action to retrieve branch or tag names with support for all events. The tj-actions/branch-names GitHub Action improperly references the github.event.pull_request.head.ref and github.head_ref context variables within a GitHub Actions run step. The head ref variab...
CVE-2025-47928 Spotipy repo vulnerable to secrets exfiltration via `pull_request_target`
Spotipy is a Python library for the Spotify Web API. As of commit 4f5759dbfb4506c7b6280572a4db1aabc1ac778d, using pull_request_target on .github/workflows/integrationtests.yml followed by checking out the head.sha of a forked PR can be exploited by attackers, since untrusted code can be execute...
CVE-2025-46820
phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the...
CVE-2025-46820 phpgt/Dom exposes the GITHUB_TOKEN in Dom workflow run artifact
phpgt/Dom provides access to modern DOM APIs. Versions of phpgt/Dom prior to 4.1.8 expose the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow file uses actions/upload-artifact@v4 to upload the build artifact. This artifact is a zip of the current directory, which includes the...
CVE-2025-46820
phpgt/Dom (versions before 4.1.8) exposes the GITHUB_TOKEN in the Dom workflow run artifact. The ci.yml workflow uploads the build artifact as a zip of the current directory, including the generated .git/config with the run’s token. An attacker can download the artifact during the workflow window...
CVE-2025-32953
z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPU. In version 1.38 and prior, the makefile-ubuntu.yml workflow file uses actions/upload-artifact@v4 to upload the z80pack-ubuntu artifact. This artifact is a zip of the current directory, which includes the automatically...
CVE-2025-32958
Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file...
CVE-2025-32958 Adept exposed the GITHUB_TOKEN in workflow run artifact
Adept is a language for general purpose programming. Prior to commit a1a41b7, the remoteBuild.yml workflow file uses actions/upload-artifact@v4 to upload the mac-standalone artifact. This artifact is a zip of the current directory, which includes the automatically generated .git/config file...
CVE-2025-32958
Adept (prior to commit a1a41b7) exposed the GITHUB_TOKEN via the mac-standalone artifact created by remoteBuild.yml using actions/upload-artifact@v4. The artifact was a zip of the current directory that included the generated .git/config containing the run’s token, enabling an attacker to extract...
CVE-2025-32953
CVE-2025-32953 affects z80pack (versions 1.38 and earlier). The root cause is in the makefile-ubuntu.yml workflow, which uses actions/upload-artifact@v4 to package z80pack-ubuntu as an artifact that zip-compresses the current directory and includes the generated .git/config containing the run’s G...
CVE-2025-32953 z80pack Vulnerable to Exposure of the GITHUB_TOKEN in Workflow Run Artifact
z80pack is a mature emulator of multiple platforms with 8080 and Z80 CPU. In version 1.38 and prior, the makefile-ubuntu.yml workflow file uses actions/upload-artifact@v4 to upload the z80pack-ubuntu artifact. This artifact is a zip of the current directory, which includes the automatically...