16 matches found

OSSF Malicious Packages
added 2026/05/13 8:08 p.m., 9 views

Malicious code in web3-helpers (PyPI)

Source: kam193 8d6102ae402b2583a01da47e71f41cccba99fb7826dcf360004d8924557e1760. During installation, the package exfiltrates some basic info to a GitHub issue comment, and then attempts to set up a persistent infostealer focused on exfiltrating...

AI score 6
Exploits 0, References 1
OSSF Malicious Packages
added 2026/05/13 8:07 p.m., 5 views

Malicious code in math-array-tools (PyPI)

Source: kam193 1b6411ce9c35210436bef6dadb284e5d89ec85c2cc17f970509aa4b5f30c2440. During installation, the package exfiltrates some basic info to a GitHub issue comment, and then attempts to set up a persistent infostealer focused on exfiltrating...

AI score 6
Exploits 0, References 1
OSV
added 2026/05/13 8:04 p.m., 7 views

MAL-2026-3701 Malicious code in api-request-helpers (PyPI)

Source: kam193 c8e8b70ac4deca30691d583ac6891034222b7458bf5ba9e7b86cf5e6627d8abb. During installation, the package exfiltrates some basic info to a GitHub issue comment, and then attempts to set up a persistent infostealer focused on exfiltrating...

AI score 6
Exploits 0, References 1
GithubExploit
added 2026/05/03 8:54 a.m., 47 views

summary-awi-poc

summary-awi-poc Public proof-of-concept repository for valida...

AI score 5.9
Exploits 0
CVE
added 2026/03/31 3:49 p.m., 11 views

CVE-2026-34243

CVE-2026-34243 affects the Wenxian tool (versions 0.3.1 and earlier), where a GitHub Actions workflow uses untrusted input from issue_comment.body directly inside a shell command, enabling command injection and potential arbitrary code execution on the runner. The vulnerability stems from in...

CVSS 9.8, AI score 6.4, EPSS 0.00078
Exploits 1, References 1, Affected Software 1
Vulnrichment
added 2026/03/31 3:49 p.m., 1 view

CVE-2026-34243 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

wenxian is a tool to generate BibTeX files from given identifiers (DOI, PMID, arXiv ID, or paper title). In versions 0.3.1 and prior, a GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code...

CVSS 9.8, AI score 6.4, EPSS 0.00078
Exploits 1, References 1
OSV
added 2026/03/29 3:39 p.m., 0 views

GHSA-R4FJ-R33X-8V88 wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

Summary: A GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. Details: The workflow is triggered by issue_comment, which can be controlled by external users. In the...

CVSS 9.8, AI score 6.5, EPSS 0.00078
Exploits 1, References 3
Github Security Blog
added 2026/03/29 3:39 p.m., 3 views

wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`

Summary: A GitHub Actions workflow uses untrusted user input from issue_comment.body directly inside a shell command, allowing potential command injection and arbitrary code execution on the runner. Details: The workflow is triggered by issue_comment, which can be controlled by external users. In the...

CVSS 9.8, AI score 6.5, EPSS 0.00078
Exploits 1, References 3, Affected Software 1
Positive Technologies
added 2026/03/29 12:00 a.m., 0 views

PT-2026-28615

Name of the Vulnerable Software and Affected Versions: njzjz/wenxian, affected versions not specified. Description: A command injection flaw exists in a GitHub Actions workflow due to the direct use of untrusted user input from issue_comment.body within a shell command. The workflow is triggered by...

CVSS 9.8, AI score 6.2, EPSS 0.00078
Exploits 1, References 7
Vulnrichment
added 2025/07/30 1:41 p.m., 2 views

CVE-2025-54430 dedupe is vulnerable to secret exfiltration via `issue_comment`

dedupe is a Python library that uses machine learning to perform fuzzy matching, deduplication and entity resolution quickly on structured data. Before commit 3f61e79, a critical severity vulnerability has been identified within the .github/workflows/benchmark-bot.yml workflow, where an issue_comme...

CVSS 9.1, AI score 7.2, EPSS 0.00307
Exploits 0, References 2
CNNVD
added 2025/07/30 12:00 a.m., 1 view

Dedupe Python Library OS Command Injection Vulnerability

Dedupe Python Library is an open source Python library for accurate and scalable fuzzy matching and de-duplication from Dedupe.io. Dedupe Python Library suffers from an operating system command injection vulnerability that stems from issue_comment triggering the execution of untrusted code in the...

CVSS 9.1, AI score 7.5, EPSS 0.00307
Exploits 0, References 2
Github Security Blog
added 2025/05/28 2:54 p.m., 7 views

Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`

Summary: Using issue_comment on .github/workflows/scalafmt-fix.yml, an attacker can inject malicious code using github.event.comment.body. By exploiting the vulnerability, it is possible to exfiltrate the high-privileged GITHUB_TOKEN, which can be used to completely take over the repo since the token has...

AI score 7.3
Exploits 0, References 3, Affected Software 1
Veracode
added 2021/04/07 4:20 a.m., 13 views

Privilege Escalation

projen is vulnerable to privilege escalation. The vulnerability exists because the workflow can be triggered by an issue_comment on the pull request...

CVSS 8.1, AI score 3.5, EPSS 0.00672
Exploits 0, References 3, Affected Software 1
Prion
added 2021/04/06 7:15 p.m., 9 views

Design/Logic Flaw

projen is a project generation tool that synthesizes project configuration files such as package.json, tsconfig.json, .gitignore, GitHub Workflows, eslint, jest, and more, from a well-typed definition written in JavaScript. Users of projen's NodeProject project type including any project type...

CVSS 5.5, AI score 8.2, EPSS 0.00672
Exploits 0, References 3, Affected Software 1
Prion
added 2020/11/09 10:15 p.m., 11 views

Code injection

The execute function in the Atlassian gajira-comment GitHub Action before version 2.0.2 allows remote attackers to execute arbitrary code in the context of a GitHub runner by creating a specially crafted GitHub issue comment...

CVSS 7.5, AI score 9.7, EPSS 0.02136
Exploits 0, References 1, Affected Software 1
Veracode
added 2018/10/09 2:20 a.m., 11 views

Information Disclosure

github.com/go-gitea/gitea is vulnerable to information disclosure. The vulnerability exists where all users' emails would be disclosed when an issue comment mail is sent out when it was not supposed to be, causing the information disclosure vulnerability...

CVSS 5.3, AI score 5.1, EPSS 0.00232
Exploits 0, References 4, Affected Software 1