Lucene search
1673 matches found

Github Security Blog
added 2025/06/10 9:31 p.m., 3 views

@nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests

A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...

CVSS 9.4, AI score 7, EPSS 0.00168
Exploits 0, References 5, Affected Software 1
Snyk
added 2025/06/10 9:31 p.m., 1 view

Unsafe Dependency Resolution

Overview: @nx/azure-cache is an Nx plugin which provides an Nx cache that can be self-hosted on Azure Blob Storage. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the build cache process. An attacker can inject compromised artifacts into trusted production...

CVSS 9.9, AI score 6.6, EPSS 0.00168
Exploits 0, References 2
OSV
added 2025/06/10 9:31 p.m., 1 view

GHSA-RRR2-JCR8-7Q3X @nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests

A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...

CVSS 9.4, AI score 7, EPSS 0.00168
Exploits 0, References 5
Cvelist
added 2025/06/10 7:23 p.m., 29 views

CVE-2025-36852 Build Cache Poisoning via Untrusted Pull Requests

A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...

CVSS 9.4, EPSS 0.00168
Exploits 0, References 1
SUSE Linux
added 2025/06/10 11:32 a.m., 2 views

Security update for docker-compose

This update for docker-compose fixes the following issues: Update to version 2.33.1. Improvements: Add support for gw_priority and enable_ipv4 (requires docker v28.0) by @thaJeztah in 12570. Fixes: Run watch standalone if menu fails to start by @ndeloof in 12536. Report error using non-file secret|config wi...

CVSS 7.5, AI score 7.3, EPSS 0.04299
Exploits 0, References 4
OSV
added 2025/06/09 12:47 p.m., 2 views

CVE-2025-49013 WilderForge vulnerable to code Injection via GitHub Actions Workflows

WilderForge is a Wildermyth core modding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of `${{ github.event.review.body }}` and other user-controlled variables directly inside shell script contexts in GitHub...

CVSS 9.9, AI score 8.3
Exploits 0, References 5
Packet Storm News
added 2025/06/09 12:00 a.m., 2 views

Exposing Hidden Backdoors in NFT Smart Contracts: a Static Security Analysis of Rug Pull Patterns

The explosive growth of Non-Fungible Tokens (NFTs) has revolutionized digital ownership by enabling the creation, exchange, and monetization of unique assets on blockchain networks. However, this surge in popularity has also given rise to a disturbing trend: the emergence of rug pulls, fraudulent...

AI score 7.2
Exploits 0
Packet Storm News
added 2025/06/05 12:00 a.m., 2 views

Beyond the Protocol: Unveiling Attack Vectors in the Model Context Protocol Ecosystem

The Model Context Protocol (MCP) is an emerging standard designed to enable seamless interaction between Large Language Model (LLM) applications and external tools or resources. Within a short period, thousands of MCP services have already been developed and deployed. However, the client-server...

AI score 6.9
Exploits 0
OSV
added 2025/05/27 8:59 a.m., 1 view

SUSE-SU-2025:20360-1 Security update for docker

This update for docker fixes the following issues: Update to docker-buildx v0.22.0: - CVE-2025-0495: buildx: credential leakage to telemetry endpoints when credentials are allowed to be set as attribute values in cache-to/cache-from configuration (bsc#1239765). - CVE-2025-22868: golang.org/x/oauth2/jws:...

CVSS 7.5, AI score 6.7, EPSS 0.00591
Exploits 0, References 8
Tenable Nessus
added 2025/05/27 12:00 a.m., 5 views

Containerd 2.1.x < 2.1.1 TOCTOU

The version of Containerd on the remote host is 2.1.x prior to 2.1.1. It is, therefore, affected by a vulnerability. A time-of-check to time-of-use (TOCTOU) vulnerability was found in containerd v2.1.0. While unpacking an image during an image pull, specially crafted container images could...

CVSS 9.4, AI score 5.4, EPSS 0.00063
Exploits 0, References 2
RedhatCVE
added 2025/05/23 9:07 a.m., 2 views

CVE-2024-56513

Karmada is a Kubernetes management system that allows users to run cloud-native applications across multiple Kubernetes clusters and clouds. Prior to version 1.12.0, the PULL mode clusters registered with the karmadactl register command have excessive privileges to access control plane resources...

CVSS 8.7, AI score 7, EPSS 0.00152
Exploits 0, References 1
RedhatCVE
added 2025/05/23 6:56 a.m., 4 views

CVE-2024-11716

While assignment of a user to a team bracket in CTFd should be possible only once, at registration, a flaw in the logic implementation allows an authenticated user to reset its bracket and then pick a new one, joining another team while a competition is already ongoing. This issue impacts releas...

CVSS 5.3, AI score 6.2, EPSS 0.05133
Exploits 0, References 1
RedhatCVE
added 2025/05/23 6:39 a.m., 1 view

CVE-2024-51838

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in smajda Pull This (pull-this) allows DOM-Based XSS. This issue affects Pull This: from n/a through <= 1.1...

CVSS 6.5, AI score 7.2, EPSS 0.00295
Exploits 0, References 1
RedhatCVE
added 2025/05/23 6:02 a.m., 2 views

CVE-2023-28431

Frontier is an Ethereum compatibility layer for Substrate. Frontier's modexp precompile uses the num-bigint crate under the hood. In the implementation prior to pull request 1017, the cases for the modulus being even and the modulus being odd are treated separately. An odd modulus uses the fast Montgomery...

CVSS 7.5, AI score 6.7, EPSS 0.00772
Exploits 0, References 1
RedhatCVE
added 2025/05/23 5:57 a.m., 2 views

CVE-2023-31098

Weak Password Requirements vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.1.0 through 1.6.0. When users change their password to a simple password with any character or symbol, attackers can easily guess the user's password and access the accoun...

CVSS 9.8, AI score 7, EPSS 0.00473
Exploits 0, References 1
RedhatCVE
added 2025/05/23 5:57 a.m., 2 views

CVE-2023-31454

Incorrect Permission Assignment for Critical Resource vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.2.0 through 1.6.0. The attacker can bind any cluster, even if he is not the cluster owner. Users are advised to upgrade to Apache InLong's 1.7.0...

CVSS 7.5, AI score 7, EPSS 0.00612
Exploits 0, References 1
RedhatCVE
added 2025/05/23 4:28 a.m., 4 views

CVE-2023-49946

In Forgejo before 1.20.5-1, certain endpoints do not check whether an object belongs to a repository for which permissions are being checked. This allows remote attackers to read private issues, read private pull requests, delete issues, and perform other unauthorized actions...

CVSS 9.1, AI score 6.9, EPSS 0.00103
Exploits 0
RedhatCVE
added 2025/05/23 4:27 a.m., 6 views

CVE-2023-30623

embano1/wip is a GitHub Action written in Bash. Prior to version 2, the embano1/wip action uses the `github.event.pull_request.title` parameter in an insecure way. The title parameter is used in a `run` statement, resulting in a command injection vulnerability due to string interpolation. This...

CVSS 8.8, AI score 7.6, EPSS 0.04619
Exploits 1, References 1
RedhatCVE
added 2025/05/23 3:21 a.m., 5 views

CVE-2023-24436

A missing permission check in Jenkins GitHub Pull Request Builder Plugin 1.42.2 and earlier allows attackers with Overall/Read permission to enumerate the credential IDs of credentials stored in Jenkins...

CVSS 4.3, AI score 6.4, EPSS 0.00252
Exploits 0, References 1
RedhatCVE
added 2025/05/23 2:42 a.m., 4 views

CVE-2023-23766

An incorrect comparison vulnerability was identified in GitHub Enterprise Server that allowed commit smuggling by displaying an incorrect diff in a re-opened Pull Request. To do so, an attacker would need write access to the repository. This vulnerability affected all versions of GitHub Enterpris...

CVSS 6.5, AI score 6.8, EPSS 0.00107
Exploits 0, References 1