GHSA-XJR7-3C3G-M763 Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file
Summary The user-provided string depName in the gleam manager is appended to the gleam deps update command without proper sanitization. Details Adversaries can provide a maliciously crafted gleam.toml in conjunction with a tweaked Renovate configuration file to trick Renovate into executing arbitrar...
EUVD-2026-2094
Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file
Summary The user-provided string depName in the gleam manager is appended to the gleam deps update command without proper sanitization. Details Adversaries can provide a maliciously crafted gleam.toml in conjunction with a tweaked Renovate configuration file to trick Renovate into executing arbitrar...
Arbitrary Command Injection
Overview renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitization of the user-supplied depName in the packagesToUpdate function of the gleam manager. An attacker can execute arbitrary commands on the host system by...