4 matches found
Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies
Summary: The user-provided string depName in the hermit manager is appended to the ./hermit install and ./hermit uninstall commands without proper sanitization. Details: Adversaries can provide a maliciously named hermit dependency in conjunction with a tweaked Renovate configuration file to trick...
Arbitrary Command Injection
Overview: renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitization of user-supplied depName in the packagesToInstall and packagesToUninstall functions of the hermit manager. An attacker can execute arbitrary...
GHSA-36J9-MX87-2CFF Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies
Summary: The user-provided string depName in the hermit manager is appended to the ./hermit install and ./hermit uninstall commands without proper sanitization. Details: Adversaries can provide a maliciously named hermit dependency in conjunction with a tweaked Renovate configuration file to trick...
EUVD-2026-2095
Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies...