Lucene search
K

229 matches found

Positive Technologies
Positive Technologies
added 2026/06/01 12:0 a.m.16 views

PT-2026-45467

Name of the Vulnerable Software and Affected Versions CloudPirates Open Source Helm Charts versions prior to commit fcf9302 Description A GitHub Actions workflow in the pull-request.yaml file executes attacker-controlled code from fork pull requests within a privileged context. This allows for th...

10CVSS5.5AI score0.00275EPSS
Exploits0References6
CVE
CVE
added 2026/05/28 4:20 p.m.26 views

CVE-2026-45261

GitButler desktop app (Tauri-based) is affected prior to version 0.19.7. The issue is a link-injection/remote script execution vector where an attacker can inject a malicious link into a pull request body; if a user clicks it, arbitrary script execution occurs in the Tauri webview. The vulnerabil...

9.3CVSS6.3AI score0.00515EPSS
Exploits0References1
EUVD
EUVD
added 2026/05/28 2:28 p.m.11 views

EUVD-2026-32908

Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary...

8.2CVSS6AI score0.00181EPSS
Exploits0References2
CNNVD
CNNVD
added 2026/05/28 12:0 a.m.10 views

Espressif Shared GitHub DangerJS 安全漏洞

Espressif Shared GitHub DangerJS is a code review tool developed by Espressif Systems for automatically checking the format of pull requests. Versions of Espressif Shared GitHub DangerJS prior to version 1.0.1 contained security vulnerabilities. These vulnerabilities stemmed from entrypoint.sh...

8.2CVSS5.9AI score0.00181EPSS
Exploits0References3
Packet Storm News
Packet Storm News
added 2026/05/20 12:0 a.m.10 views

Quality and Security Signals in AI-Generated Python Refactoring Pull Requests

As AI agents increasingly contribute to code development and maintenance, there is still limited empirical evidence on the quality and risk characteristics of their changes in real-world projects, particularly for refactoring-oriented contributions. It remains unclear how agent-authored refactori...

5.9AI score
Exploits0
EUVD
EUVD
added 2026/05/11 6:31 p.m.12 views

EUVD-2026-29081

Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's...

9.9CVSS6.1AI score0.00455EPSS
Exploits0References3
Vulnrichment
Vulnrichment
added 2026/05/11 2:35 p.m.12 views

CVE-2026-7813 pgAdmin 4: Cross-user data access and shared-server privilege escalation in server mode

Authorization vulnerability in pgAdmin 4 server mode affecting Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fetched user-owned objects without filtering by the requesting user's identity. An authenticated user could access another user's...

9.9CVSS6.1AI score0.00455EPSS
Exploits0References2
Positive Technologies
Positive Technologies
added 2026/05/11 12:0 a.m.12 views

PT-2026-39623

Name of the Vulnerable Software and Affected Versions pgAdmin 4 versions prior to 9.15 Description An authorization issue in server mode affects the Server Groups, Servers, Shared Servers, Background Processes, and Debugger modules. Multiple endpoints fail to filter user-owned objects by the...

9.9CVSS6AI score0.00455EPSS
Exploits0References12
SUSE CVE
SUSE CVE
added 2026/04/28 1:34 a.m.19 views

SUSE CVE-2026-41414

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIMRSBOTPRIVATEKEY and GITHUBTOKEN contents:write. No gates prevent exploitation - any...

7.4CVSS5.4AI score0.00281EPSS
Exploits1References3
NVD
NVD
added 2026/04/24 7:17 p.m.7 views

CVE-2026-41414

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIMRSBOTPRIVATEKEY and GITHUBTOKEN contents:write. No gates prevent exploitation - any...

7.4CVSS0.00281EPSS
Exploits1References3
AlpineLinux
AlpineLinux
added 2026/04/24 6:32 p.m.9 views

CVE-2026-41414

Skim is a fuzzy finder designed to through files, lines, and commands. The generate-files job in .github/workflows/pr.yml checks out attacker-controlled fork code and executes it via cargo run, with access to SKIMRSBOTPRIVATEKEY and GITHUBTOKEN contents:write. No gates prevent exploitation - any...

7.4CVSS5.9AI score0.00281EPSS
Exploits1References3
Packet Storm News
Packet Storm News
added 2026/04/21 12:0 a.m.24 views

Insights into Security-Related AI-Generated Pull Requests

Recent years have experienced growing contributions of AI coding agents that assist human developers in various software engineering tasks. However, this growing AI-assisted autonomy raises questions about security and trust. In this paper, we analyze more than 33,000 AI-generated pull requests P...

5.8AI score
Exploits0
Positive Technologies
Positive Technologies
added 2026/04/15 12:0 a.m.9 views

PT-2026-33183

Name of the Vulnerable Software and Affected Versions OWASP BLT versions prior to 2.1.1 Description An issue exists in the '.github/workflows/regenerate-migrations.yml' workflow where the 'pull request target' trigger runs with full GITHUB TOKEN write permissions. The workflow copies files from...

8.8CVSS6.3AI score0.00411EPSS
Exploits1References6
GithubExploit
GithubExploit
added 2026/04/12 4:23 p.m.93 views

patchbot

patchbot patchbot is an AI-assisted security reviewer for p...

6.1AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/03/26 3:0 p.m.5 views

CVE-2026-33075

FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vulnerable to arbitrary code execution and secret exfiltration by any external contributor. It uses pullrequesttarget which runs with access to repository secrets but checks out cod...

9.4CVSS6.4AI score0.00297EPSS
Exploits1References1
RedhatCVE
RedhatCVE
added 2026/03/26 2:59 p.m.4 views

CVE-2026-31852

Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions nearly all write permissions, this vulnerability enables...

10CVSS6.5AI score0.00445EPSS
Exploits0References1
Veracode
Veracode
added 2026/03/20 10:9 a.m.6 views

Improper Access Control.

code.gitea.io/gitea is vulnerable to improper access control. The vulnerability is due to inadequate enforcement of branch deletion permissions after merging a pull request, which allows an attacker to delete branches without proper authorization...

5.3CVSS7.3AI score0.00251EPSS
Exploits0References6Affected Software3
Packet Storm News
Packet Storm News
added 2026/03/19 12:0 a.m.20 views

Measuring and Exploiting Confirmation Bias in LLM-Assisted Security Code Review

Security code reviews increasingly rely on systems integrating Large Language Models LLMs, ranging from interactive assistants to autonomous agents in CI/CD pipelines. We study whether confirmation bias i.e., the tendency to favor interpretations that align with prior expectations affects LLM-bas...

5.9AI score
Exploits0
Cvelist
Cvelist
added 2026/03/11 7:44 p.m.30 views

CVE-2026-31976 xygeni-action v5 tag poisoned with C2 backdoor

xygeni-action is the GitHub Action for Xygeni Scanner. On March 3, 2026, an attacker with access to compromised credentials created a series of pull requests 46, 47, 48 injecting obfuscated shell code into action.yml. The PRs were blocked by branch protection rules and never merged into the main...

9.3CVSS0.00496EPSS
Exploits0References2
NVD
NVD
added 2026/03/11 5:16 p.m.6 views

CVE-2026-31852

Jellyfin is an open-source media system. The code-quality.yml GitHub Actions workflow in jellyfin/jellyfin-ios is vulnerable to arbitrary code execution via pull requests from forked repositories. Due to the workflow's elevated permissions nearly all write permissions, this vulnerability enables...

10CVSS0.00445EPSS
Exploits0References2
Rows per page
Query Builder