CVE-2026-1999

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enableautomerge mutation for pull requests. This issue only affect...

GO-2026-4392 malcontent OCI image pull credential exfiltration via malicious registry token realm in github.com/chainguard-dev/malcontent

malcontent OCI image pull credential exfiltration via malicious registry token realm in github.com/chainguard-dev/malcontent...

pypdf possibly has long runtimes for malformed FlateDecode streams

Impact An attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires a malformed /FlateDecode stream, where the byte-by-byte decompression is used. Patches This has been fixed in pypdf==6.7.1. Workarounds If you cannot upgrade yet, consider applying the chang...

pypdf has possible long runtimes/large memory usage for large /ToUnicode streams

Impact An attacker who uses this vulnerability can craft a PDF which leads to long runtimes and large memory consumption. This requires parsing the /ToUnicode entry of a font with unusually large values, for example during text extraction. Patches This has been fixed in pypdf==6.7.1. Workarounds ...

CVE-2026-1999

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enableautomerge mutation for pull requests. This issue only affect...

CVE-2026-1999 Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized merging of pull requests

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enableautomerge mutation for pull requests. This issue only affect...

CVE-2026-1999 Incorrect Authorization vulnerability was identified in GitHub Enterprise Server that allowed unauthorized merging of pull requests

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enableautomerge mutation for pull requests. This issue only affect...

CVE-2026-1999

CVE-2026-1999 affects GitHub Enterprise Server and is an incorrect authorization vulnerability in the enable_auto_merge mutation for pull requests. An attacker could merge their own PR into a repository without push access under specific conditions: the repository must allow forking, a clean PR s...

GitHub Enterprise Server 安全漏洞

GitHub Enterprise Server is an open-source application developed by GitHub in the United States. It provides a scalable and easy-to-manage platform by allowing users to set their GitHub instances as virtual devices. There are security vulnerabilities in versions of GitHub Enterprise Server prior ...

PT-2026-20504

An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable auto merge mutation for pull requests. This issue only...

GHSA-R79C-PQJ3-577X Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action

Summary The Super-linter GitHub Action is vulnerable to command injection via crafted filenames. When this action is used in downstream GitHub Actions workflows, an attacker can submit a pull request that introduces a file whose name contains shell command substitution syntax, such as $.... In...

Panic in `libcrux-psq` on decryption of malformed AES-GCM ciphertext

The latest releases of the libcrux-psq crate contains the following bug-fix: 1319: Propagate AEADError instead of panicking The issue fixed in 1319 was first reported by Nadim Kobeissi...

SUSE CVE-2026-20800

Gitea's notification API does not re-validate repository access permissions when returning notification details. After a user's access to a private repository is revoked, they may still view issue and pull request titles through previously received notifications...

FrankenPHP has delayed propagation of security fixes in upstream base images

Delayed propagation of security fixes in upstream base images Summary Vulnerability in base Docker images PHP, Go, and Alpine not automatically propagating to FrankenPHP images. FrankenPHP's container images were previously built only when specific version tags were updated or when manual trigger...

Missing Authorization

Overview Affected versions of this package are vulnerable to Missing Authorization in the attribute handling logic in restHandler/AttributesRestHandlder.go‎, which is accessible over the /attributes endpoint with /orchestrator/attributes?key=apiTokenSecret. A user can obtain the global API Token...

melange affected by potential host command execution via license-check YAML mode patch pipeline

An attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values series paths, patch filenames, and numeric parameters into shell scripts without proper quoting or...

GO-2026-4362 Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea

Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea...

CVE-2026-1699

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pullrequesttarget trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to...

Linux Distros Unpatched Vulnerability : CVE-2026-24480

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - QGIS is a free, open source, cross platform geographical information system GIS The repository contains a GitHub Actions workflow called pre-commit checks that,...

EUVD-2026-5004

Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with runIn: local, a malicious actor who...