1664 matches found

EUVD · added 2026/02/26 1:10 a.m. · 3 views

EUVD-2026-8803

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of ${{ github.event.pull_request.body }} inside a run: shell block. When a pull request...

CVSS 7.7 · AI score 5.9 · EPSS 0.00042 · Exploits 0 · References 2
CVE · added 2026/02/26 1:10 a.m. · 14 views

CVE-2026-27938

The CVE-2026-27938 entry documents a command injection flaw in the WPGraphQL repository (wp-graphql/wp-graphql) prior to version 2.9.1, stemming from an unsafe use of ${{ github.event.pull_request.body }} inside the release.yml shell run block. When a PR from develop to master is merged, the PR b...

CVSS 7.7 · AI score 5.9 · EPSS 0.00042 · Exploits 0 · References 2
ATTACKERKB · added 2026/02/26 1:10 a.m. · 1 view

CVE-2026-27938

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of ${{ github.event.pull_request.body }} inside a run: shell block. When a pull request...

CVSS 7.7 · AI score 6.1 · EPSS 0.00042 · Exploits 0 · References 3 · Affected Software 1
OSV · added 2026/02/26 1:10 a.m. · 5 views

CVE-2026-27938 WPGraphQL Repo Vulnerable to Command Injection via Unsanitized GitHub Actions Expression in Release Workflow

WPGraphQL provides a GraphQL API for WordPress sites. Prior to version 2.9.1, the wp-graphql/wp-graphql repository contains a GitHub Actions workflow release.yml vulnerable to OS command injection through direct use of ${{ github.event.pull_request.body }} inside a run: shell block. When a pull request...

CVSS 7.7 · AI score 6 · EPSS 0.00042 · Exploits 0 · References 4
Positive Technologies · added 2026/02/26 12:00 a.m. · 5 views

PT-2026-22080

Name of the Vulnerable Software and Affected Versions: WPGraphQL versions prior to 2.9.1. Description: The WPGraphQL software includes a GraphQL API for WordPress sites. A GitHub Actions workflow file release.yml in the wp-graphql/wp-graphql repository is susceptible to OS command injection. This...

CVSS 7.7 · AI score 6.2 · EPSS 0.00042 · Exploits 0 · References 8
Positive Technologies · added 2026/02/26 12:00 a.m. · 4 views

PT-2026-22081

Name of the Vulnerable Software and Affected Versions: OpenLIT versions prior to 1.37.1. Description: OpenLIT, an open source AI engineering platform, has an issue in GitHub Actions workflows prior to version 1.37.1. These workflows use the pull request target event and execute untrusted code from...

CVSS 9.9 · AI score 6.2 · EPSS 0.00071 · Exploits 1 · References 11
vulnersOsv · added 2026/02/25 10:37 p.m. · 4 views

0.2-ui (=0.0.1), 0xgank-tea-advice-pull (=1.0.0) +15830 more potentially affected by CVE-2026-27606 via rollup (>=0.10.0 <=2.7.6)

rollup NPM version >=0.10.0 <=2.7.6 is affected by a known vulnerability. The following packages have a transitive dependency on rollup and may be impacted: 0.2-ui =0.0.1; 0xgank-tea-advice-pull =1.0.0; 0xgank-tea-balance-pencil =1.0.0; 0xgank-tea-brick-bell =1.0.0; 0xgank-tea-cake-victory...

CVSS 9.8 · AI score 7.2 · EPSS 0.00398 · Exploits 1
Metasploit · added 2026/02/25 7:00 p.m. · 303 views

Ollama Model Registry Path Traversal RCE

Ollama before 0.1.34 is vulnerable to a path traversal attack via the model pull mechanism (CVE-2024-37032). When pulling a model, the digest field in OCI manifests is not validated, allowing an attacker to inject path traversal sequences to write arbitrary files on the server. This module starts a...

CVSS 8.8 · AI score 7.1 · EPSS 0.93667 · Exploits 4
EUVD · added 2026/02/25 3:06 p.m. · 1 view

EUVD-2026-8645

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's i18n-update-pull GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated...

CVSS 8.8 · AI score 5.8 · EPSS 0.0007 · Exploits 0 · References 2
CVE · added 2026/02/25 3:06 p.m. · 8 views

CVE-2026-27701

LiveCode vulnerability CVE-2026-27701 affects the i18n-update-pull GitHub Actions workflow. Before commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, the PR title is interpolated into a GitHub Script block, allowing an attacker who opens a PR with a crafted title to inject JavaScript that runs with...

CVSS 8.8 · AI score 5.8 · EPSS 0.0007 · Exploits 0 · References 2
Vulnrichment · added 2026/02/25 3:06 p.m. · 2 views

CVE-2026-27701 LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's i18n-update-pull GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated...

CVSS 8.8 · AI score 6.1 · EPSS 0.0007 · Exploits 0 · References 2
ATTACKERKB · added 2026/02/25 3:06 p.m. · 2 views

CVE-2026-27701

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's i18n-update-pull GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated...

CVSS 8.8 · AI score 5.8 · EPSS 0.0007 · Exploits 0 · References 3
OSV · added 2026/02/25 3:06 p.m. · 4 views

CVE-2026-27701 LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's i18n-update-pull GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated...

CVSS 8.8 · AI score 6.1 · EPSS 0.0007 · Exploits 0 · References 4
Cvelist · added 2026/02/25 3:06 p.m. · 19 views

CVE-2026-27701 LiveCodes vulnerable to JavaScript Injection via untrusted PR title in i18n-update-pull workflow

LiveCode is an open-source, client-side code playground. Prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11, LiveCode's i18n-update-pull GitHub Actions workflow is vulnerable to JavaScript injection. The title of the Pull Request associated with the triggering issue comment is interpolated...

CVSS 8.8 · EPSS 0.0007 · Exploits 0 · References 2
RedhatCVE · added 2026/02/25 4:06 a.m. · 6 views

CVE-2026-27643

free5GC UDR is the user data repository (UDR) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, the NEF component reliably leaks internal parsing error details (e.g., invalid character 'n' after top-level value) to remote clients...

CVSS 8.7 · AI score 5.4 · EPSS 0.00049 · Exploits 1 · References 1
Positive Technologies · added 2026/02/25 12:00 a.m. · 4 views

PT-2026-21922

Name of the Vulnerable Software and Affected Versions: LiveCode versions prior to commit e151c64c2bd80d2d53ac1333f1df9429fe6a1a11. Description: LiveCode is an open-source, client-side code playground. The i18n-update-pull GitHub Actions workflow is susceptible to JavaScript injection prior to commit...

CVSS 8.8 · AI score 6.1 · EPSS 0.0007 · Exploits 0 · References 7
CNNVD · added 2026/02/25 12:00 a.m. · 6 views

LiveCode code injection vulnerability

LiveCode is a multi-platform programming tool developed by the LiveCode team. It can run on iOS, Android, OS X, Windows 95 through Windows 10, Raspberry Pi, and various Unix variants including Linux, Solaris, and BSD. LiveCode has a code injection vulnerability. This vulnerability stems from the...

CVSS 8.8 · AI score 6 · EPSS 0.0007 · Exploits 0 · References 2
Packet Storm · added 2026/02/25 12:00 a.m. · 170 views

Ollama Model Registry Path Traversal / Remote Code Execution

Ollama versions prior to 0.1.34 are vulnerable to a path traversal attack via the model pull mechanism (CVE-2024-37032). When pulling a model, the digest field in OCI manifests is not validated, allowing an attacker to inject path traversal sequences to write arbitrary files on the server. This...

CVSS 8.8 · AI score 6.3 · EPSS 0.93667 · Exploits 4
NVD · added 2026/02/24 1:16 a.m. · 4 views

CVE-2026-27643

free5GC UDR is the user data repository (UDR) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, the NEF component reliably leaks internal parsing error details (e.g., invalid character 'n' after top-level value) to remote clients...

CVSS 8.7 · EPSS 0.00049 · Exploits 1 · References 4
NVD · added 2026/02/24 1:16 a.m. · 5 views

CVE-2026-27642

free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal URL parsing errors (net/url:...

CVSS 8.7 · EPSS 0.00034 · Exploits 1 · References 4