
13 matches found

vulnersOsv
added 2026/02/13 8:53 p.m., 6 views

@jamietanna/renovate-graph (=0.36.0), @secustor/backstage-plugin-renovate-backend-module-runtime-direct (=3.1.1) potentially affected by unknown CVE via renovate (>=42.92.4 <=42.92.5)

renovate NPM versions 42.92.4 and 42.92.5 are affected by a known vulnerability. The following packages have a transitive dependency on renovate and may be impacted:
- @jamietanna/renovate-graph =0.36.0
- @secustor/backstage-plugin-renovate-backend-module-runtime-direct =3.1.1
Source cves: unknown C...

AI score: 5.8, Exploits: 0
OSV
added 2026/02/13 8:53 p.m., 3 views

GHSA-8WC6-VGRQ-X6CF Child processes spawned by Renovate incorrectly have full access to environment variables

When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to. Since 42.68.1 (2025-12-30), this filtering had been inadvertently removed, and so any child...

CVSS: 5.5, AI score: 5.6, Exploits: 0, References: 4
Chainguard
added 2026/02/05 1:17 a.m., 3 views

GHSA-7H2J-956F-4VF2 vulnerabilities

Vulnerabilities for packages: sqlpad, lerna, renovate, pulumi, librechat, npm, actions-runner, drupal, node-gyp...

AI score: 5.9, Exploits: 0
vulnersOsv
added 2026/01/13 8:29 p.m., 6 views

@cenk1cenk2/renovate-config (>=2.0.0 <=2.3.148), @jamietanna/patch-testing (>=0.1.0 <=0.2.28) +9 more potentially affected by unknown CVE via renovate (>=31.97.3 <=40.21.2)

renovate NPM version =31.97.3, =2.0.0, =0.1.0, =0.1.0, =0.5.0, =0.1.0, =0.1.0, =1.1.130, =0.0.1, =0.19.0
- @zotero-chinese/renovate-config =1.0.3
Source cves: unknown CVE
Source advisory: SNYK:JS-RENOVATE-14927384...

AI score: 5.8, Exploits: 0
OSV
added 2026/01/13 8:29 p.m., 3 views

GHSA-3F44-XW83-3PMG Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file

Summary: The user-provided string `repository` in the helmv3 manager is appended to the `helm registry login` command without proper sanitization.
Details: Adversaries can provide a maliciously crafted Chart.yaml in conjunction with a tweaked Renovate configuration file to trick Renovate to execute...

CVSS: 6.7, AI score: 8.1, Exploits: 0, References: 2
Snyk
added 2026/01/13 8:29 p.m., 5 views

Arbitrary Command Injection

Overview: renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitization of the user-supplied `depName` in the `packagesToUpdate` functions of the gleam manager. An attacker can execute arbitrary commands on the host system by...

CVSS: 8.4, AI score: 7.7, Exploits: 0, References: 2
Github Security Blog
added 2026/01/13 8:29 p.m., 9 views

Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file

Summary: The user-provided string `depName` in the gleam manager is appended to the `gleam deps update` command without proper sanitization.
Details: Adversaries can provide a maliciously crafted gleam.toml in conjunction with a tweaked Renovate configuration file to trick Renovate to execute arbitrar...

AI score: 8.2, Exploits: 0, References: 2, Affected software: 1
vulnersOsv
added 2026/01/13 7:57 p.m., 8 views

@jamietanna/renovate-graph (>=0.24.0 <=0.30.0), @secustor/backstage-plugin-renovate-backend-module-runtime-direct (>=0.5.1 <=1.0.1) potentially affected by unknown CVE via renovate (>=39.22.0 <=40.21.2)

renovate NPM version =39.22.0, =0.24.0, =0.5.1, =1.0.1
Source cves: unknown CVE
Source advisory: SNYK:JS-RENOVATE-14927387...

AI score: 5.8, Exploits: 0
vulnersOsv
added 2026/01/13 7:54 p.m., 8 views

@cenk1cenk2/renovate-config (>=2.0.0 <=2.3.148), @jamietanna/patch-testing (>=0.1.0 <=0.2.28) +8 more potentially affected by unknown CVE via renovate (>=32.241.11 <=42.66.1)

renovate NPM version =32.241.11, =2.0.0, =0.1.0, =0.1.0, =0.5.0, =0.1.0, =0.1.0, =0.0.1, =0.19.0
- @zotero-chinese/renovate-config =1.0.3
Source cves: unknown CVE
Source advisory: SNYK:JS-RENOVATE-14927386...

AI score: 5.8, Exploits: 0
EUVD
added 2026/01/13 7:54 p.m., 12 views

EUVD-2026-2098

Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious distributionUrl...

AI score: 7.2, Exploits: 0, References: 3
Snyk
added 2026/01/13 7:54 p.m., 4 views

Command Injection

Overview: renovate is a dependency updater. Affected versions of this package are vulnerable to Command Injection via the `distributionUrl` parameter in the Gradle Wrapper update process. An attacker can execute arbitrary commands within the runtime environment by injecting shell command substitutio...

CVSS: 8.4, AI score: 7.8, Exploits: 0, References: 2
Github Security Blog
added 2026/01/13 7:54 p.m., 10 views

Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`

Summary: Renovate can be tricked into executing shell code while updating the Gradle Wrapper. A malicious `distributionUrl` in gradle/wrapper/gradle-wrapper.properties can lead to command execution in the Renovate runtime.
Details: When Renovate handles Gradle Wrapper artifacts, it may run a wrapper...

AI score: 7.6, Exploits: 0, References: 3, Affected software: 1
OSV
added 2024/04/23 4:21 p.m., 21 views

GHSA-RQGV-292V-5QGR Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases

Summary: Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 `registryAliases` to execute arbitrary commands.
Details: Since 26848, `registryAliases` has become mergeable. This means that the helmv3 manager started honoring its value and uses a helm repo...

CVSS: 5.4, AI score: 7.9, Exploits: 0, References: 4