Lucene search
+L

220 matches found

OSV
OSV
added 2026/07/03 8:19 p.m.3 views

CVE-2026-26231 Gitea maintainer-edit permissions allow unauthorized commits to readable repositories

Gitea versions up to and including 1.26.1 allow the Allow edits from maintainers permission path to authorize commits to repositories that the user can read but should not be able to write...

8.5CVSS7.1AI score0.00291EPSS
Exploits0References7
OSV
OSV
added 2026/06/25 10:34 p.m.5 views

GO-2026-5510 Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo in code.gitea.io/gitea

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo in code.gitea.io/gitea...

8.5CVSS5.8AI score0.00291EPSS
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/06/25 12:0 a.m.9 views

PT-2026-52199

Name of the Vulnerable Software and Affected Versions GitLab CE/EE versions 8.3 through 18.11.5 GitLab CE/EE versions 19.0 through 19.0.2 GitLab CE/EE versions 19.1 through 19.1.0 Description Improper URL validation in mirror synchronization allows an authenticated user with maintainer-role...

3.1CVSS5.8AI score0.00161EPSS
Exploits0References6
Filippo.io
Filippo.io
added 2026/06/23 1:0 p.m.18 views

Vulnerability Reports Are Not Special Anymore

A requirement for staying sane while working in public as an open source maintainer is realizing that every issue, PR, and piece of feedback is a present, not an obligation. You can accept it, ignore it, and use it partially or not at all. Except… For years, as lead of the Go Security team at the...

5.9AI score
Exploits0
Snyk
Snyk
added 2026/06/16 11:41 p.m.4 views

Incorrect Authorization

Overview Affected versions of this package are vulnerable to Incorrect Authorization through the improper enforcement of access controls in the pull request creation and push authorization processes. An attacker can gain unauthorized write access to repositories by abusing the "Allow edits from...

8.5CVSS6.1AI score0.00291EPSS
Exploits0References2
OSV
OSV
added 2026/06/16 11:41 p.m.7 views

GHSA-MM7C-RHG6-QR4R Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo

Summary Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. Vulnerability Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: 1. The web UI PR-create...

8.5CVSS5.5AI score0.00291EPSS
Exploits0References2
Github Security Blog
Github Security Blog
added 2026/06/16 11:41 p.m.10 views

Gitea: Authorization Bypass via "Allow edits from maintainers" allows unauthorized commits to any readable repo

Summary Any authenticated low-privilege user with read access to a repository can push arbitrary commits directly to that repository, bypassing all write-access checks. Vulnerability Gitea's "Allow edits from maintainers" PR option can be abused via reverse-fork PRs: 1. The web UI PR-create...

8.5CVSS5.5AI score0.00291EPSS
Exploits0References2Affected Software1
Positive Technologies
Positive Technologies
added 2026/06/16 12:0 a.m.20 views

PT-2026-50136

Name of the Vulnerable Software and Affected Versions Gitea affected versions not specified Description An authorization bypass allows any authenticated low-privilege user with read access to a repository to push arbitrary commits directly to that repository, bypassing write-access checks. This...

8.5CVSS6AI score0.00291EPSS
Exploits0References12
Tenable Nessus
Tenable Nessus
added 2026/05/21 12:0 a.m.10 views

Multiple Node.js Modules compromised in self-spreading npm supply chain attack (mini-Shai-Hulud) (05/11/2026)

The remote host has a version of one or more Node.js modules installed known to be compromised in the self-spreading 'mini-Shai-Hulud' npm supply chain attack reported on 05/11/2026. This wave is tracked separately from the original Shai-Hulud campaign because of distinct compromised maintainers...

9.6CVSS7.4AI score0.02342EPSS
Exploits3References4
Snyk
Snyk
added 2026/05/18 9:0 p.m.7 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:0 p.m.9 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:0 p.m.8 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References3
Snyk
Snyk
added 2026/05/18 9:0 p.m.10 views

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code that conceals a credential-stealing payload and worm propagation logic. A malicious actor associated with the "TeamPCP" or "Mini Shai-Hulud" campaign compromised a maintainer's access token; this allowed the...

9.8CVSS5.9AI score
Exploits0References2
EUVD
EUVD
added 2026/05/14 5:36 a.m.10 views

EUVD-2026-30223

GitLab has remediated an issue in GitLab EE affecting all versions from 16.10 before 18.9.7, 18.10 before 18.10.6, and 18.11 before 18.11.3 that when instance-level approval rule editing prevention was enabled, could have allowed an authenticated user with Maintainer permissions to modify or dele...

2.7CVSS5.8AI score0.00219EPSS
Exploits0References3
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.11 views

PT-2026-40860

Name of the Vulnerable Software and Affected Versions GitLab EE versions 16.10 through 18.9.6 GitLab EE versions 18.10 through 18.10.5 GitLab EE versions 18.11 through 18.11.2 Description An issue exists where missing authorization checks could allow an authenticated user with Maintainer...

2.7CVSS5.8AI score0.00219EPSS
Exploits0References5
EUVD
EUVD
added 2026/05/11 12:32 p.m.35 views

EUVD-2026-29049

ATutor is vulnerable to Reflected XSS in /install/install.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

5.1CVSS6AI score0.00391EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/11 9:40 a.m.7 views

CVE-2026-6909 Reflected XSS in ATutor

ATutor is vulnerable to Reflected XSS in /install/upgrade.php endpoint. An attacker can provide a specially crafted URL that, when opened, results in arbitrary JavaScript execution in the victim's browser. Product is no longer actively supported. Maintainers of this project were notified early...

5.1CVSS6AI score0.00391EPSS
Exploits0References2
OSV
OSV
added 2026/04/24 4:37 p.m.7 views

GHSA-RP7V-4384-HFRP k8sGPT has Prompt Injection through its k8sGPT-Operator

Summary In the auto-remediation pipeline, objecttoexecution.go was deserializing the AI-generated YAML directly into a Deployment object, but there was lack of validation from the original Deployment object. Details This issue was fixed after coordination with Alex Jones. PoC To minimize the...

8.7CVSS5.8AI score
Exploits0References2
HackRead
HackRead
added 2026/04/04 4:13 p.m.4 views

UNC1069 Targets Node.js Maintainers via Fake LinkedIn, Slack Profiles

North Korean group UNC1069 targets Node.js maintainers using fake LinkedIn and Slack profiles to spread malware and compromise open source packages...

5.9AI score
Exploits0
OSV
OSV
added 2026/04/02 6:42 p.m.11 views

GO-2026-4892 A Fleet team maintainer can transfer hosts from any team via missing source team authorization in github.com/fleetdm/fleet

A Fleet team maintainer can transfer hosts from any team via missing source team authorization in github.com/fleetdm/fleet...

8.8CVSS5.9AI score0.00315EPSS
Exploits0References3
Rows per page
Query Builder