71 matches found
CVE-2026-7860
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...
CVE-2026-7860 Possible information disclosure of environment variables in Vaadin Build Plugins via Failed Frontend Build
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...
CVE-2026-7860
CVE-2026-7860 describes an information-disclosure risk in Vaadin build tools: Vaadin Maven/Gradle plugins can print the full set of environment variables to build logs when a frontend build fails (non-zero exit). This can expose credentials/secrets in CI logs and artifacts. Affected ranges and fi...
PT-2026-41882
A possible information disclosure vulnerability exists in the Vaadin Maven plugin and Vaadin Gradle plugin that exposes the full set of environment variables in build logs whenever the frontend build process exits with a non-zero status. Because the build environment may contain credentials...
EUVD-2026-1980
Malicious code in gradle-plugin npm...
Malicious code in gradle-plugin (npm)
Source: amazon-inspector 2250213d706eee1473dafe9b75172ac8e22adbf885bf28e4b2b85270de1ffbc8 The package gradle-plugin was found to contain malicious code. Source: ghsa-malware 0d6c8dc0207f1992c957598d80609ff61b750f041d94dde7984a3e0a6133d54e...
Malicious Package
Overview: gradle-plugin is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and this package...
MAL-2026-221 Malicious code in gradle-plugin (npm)
Source: amazon-inspector 2250213d706eee1473dafe9b75172ac8e22adbf885bf28e4b2b85270de1ffbc8 The package gradle-plugin was found to contain malicious code. Source: ghsa-malware 0d6c8dc0207f1992c957598d80609ff61b750f041d94dde7984a3e0a6133d54e...
CVE-2020-7599
All versions of com.gradle.plugin-publish before 0.11.0 are vulnerable to Insertion of Sensitive Information into Log File. When a plugin author publishes a Gradle plugin while running Gradle with the --info log level flag, the Gradle Logger logs an AWS pre-signed URL. If this build log is public...
EUVD-2021-0678
Malware in sbrugna...
EUVD-2023-2118
Malicious code in bioql PyPI...
EUVD-2022-3634
Malicious code in bioql PyPI...
EUVD-2023-3004
Malicious code in bioql PyPI...
CVE-2023-39152
Always-incorrect control flow implementation in Jenkins Gradle Plugin 2.8 may result in credentials not being masked (i.e., replaced with asterisks) in the build log in some circumstances...
CVE-2021-21361
The com.bmuschko:gradle-vagrant-plugin Gradle plugin contains an information disclosure vulnerability due to the logging of the system environment variables. When this Gradle plugin is executed in public CI/CD, this can lead to sensitive credentials being exposed to malicious actors. This is fixe...
Linux Distros Unpatched Vulnerability : CVE-2019-16370
The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - The PGP signing plugin in Gradle before 6.0 relies on the SHA-1 algorithm, which might allow an attacker to replace an artifact with a different one that has th...
OS Command Injection
snyk-gradle-plugin is vulnerable to OS Command Injection. The vulnerability is due to the Snyk CLI's failure to correctly sanitize or validate the current working directory name, allowing for potential code injection when running scans on untrusted projects...
@adobe/git-server (>=0.9.17 <=1.0.5), @adobe/helix-cli (>=0.3.0-SNAPSHOT.293 <=6.1.0) +69 more potentially affected by CVE-2024-48964 via snyk-gradle-plugin (>=1.0.2 <=3.9.0)
snyk-gradle-plugin NPM version =1.0.2, =0.9.17, =0.3.0-SNAPSHOT.293, =2.6.0, =1.0.5-SNAPSHOT.105, =0.0.4, =8.0.36, =5.0.22, =3.10.42, =0.0.70, =0.5.8, =3.2.4, =0.1.3, =0.0.2, =0.0.3 and more Source cves: CVE-2024-48964 Source advisory: OSV:GHSA-QQQW-GM93-QF6M...
GHSA-QQQW-GM93-QF6M OS Command Injection in Snyk gradle plugin
The Snyk gradle plugin is vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrusted project due to the improper handling of the current working directory name. Snyk recommends only scanning trusted projects...
Code Injection
Overview: snyk-gradle-plugin is a plugin for the Snyk CLI tool, providing dependency metadata for Gradle projects. Affected versions of this package are vulnerable to Code Injection when scanning an untrusted Gradle project. The vulnerability can be triggered if Snyk test is run inside the untrust...