13 matches found
@jamietanna/renovate-graph (=0.36.0), @secustor/backstage-plugin-renovate-backend-module-runtime-direct (=3.1.1) potentially affected by unknown CVE via renovate (>=42.92.4 <=42.92.5)
renovate NPM version =42.92.4, =42.92.5 is affected by a known vulnerability. The following packages have a transitive dependency on renovate and may be impacted: - @jamietanna/renovate-graph =0.36.0 - @secustor/backstage-plugin-renovate-backend-module-runtime-direct =3.1.1 Source cves: unknown C...
GHSA-8WC6-VGRQ-X6CF Child processes spawned by Renovate incorrectly have full access to environment variables
When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to. Since 42.68.1 2025-12-30, this filtering had been inadvertently removed, and so any child...
GHSA-7H2J-956F-4VF2 vulnerabilities
Vulnerabilities for packages: sqlpad, lerna, renovate, pulumi, librechat, npm, actions-runner, drupal, node-gyp...
@cenk1cenk2/renovate-config (>=2.0.0 <=2.3.148), @jamietanna/patch-testing (>=0.1.0 <=0.2.28) +9 more potentially affected by unknown CVE via renovate (>=31.97.3 <=40.21.2)
renovate NPM version =31.97.3, =2.0.0, =0.1.0, =0.1.0, =0.5.0, =0.1.0, =0.1.0, =1.1.130, =0.0.1, =0.19.0 - @zotero-chinese/renovate-config =1.0.3 Source cves: unknown CVE Source advisory: SNYK:JS-RENOVATE-14927384...
GHSA-3F44-XW83-3PMG Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file
Summary The user-provided string repository in the helmv3 manager is appended to the helm registry login command without proper sanitization. Details Adversaries can provide a maliciously crafted Chart.yaml in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute...
Arbitrary Command Injection
Overview renovate is a dependency updater. Affected versions of this package are vulnerable to Arbitrary Command Injection due to the improper sanitazation of user-supplied depName in the packagesToUpdate functions of gleam manager. An attacker can execute arbitrary commands on the host system by...
Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file
Summary The user-provided string depName in the gleam manager is appended to the gleam deps update command without proper sanitization. Details Adversaries can provide a maliciously crafted gleam.toml in conjunctions with a tweaked Renovate configuration file to trick Renovate to execute arbitrar...
@jamietanna/renovate-graph (>=0.24.0 <=0.30.0), @secustor/backstage-plugin-renovate-backend-module-runtime-direct (>=0.5.1 <=1.0.1) potentially affected by unknown CVE via renovate (>=39.22.0 <=40.21.2)
renovate NPM version =39.22.0, =0.24.0, =0.5.1, =1.0.1 Source cves: unknown CVE Source advisory: SNYK:JS-RENOVATE-14927387...
@cenk1cenk2/renovate-config (>=2.0.0 <=2.3.148), @jamietanna/patch-testing (>=0.1.0 <=0.2.28) +8 more potentially affected by unknown CVE via renovate (>=32.241.11 <=42.66.1)
renovate NPM version =32.241.11, =2.0.0, =0.1.0, =0.1.0, =0.5.0, =0.1.0, =0.1.0, =0.0.1, =0.19.0 - @zotero-chinese/renovate-config =1.0.3 Source cves: unknown CVE Source advisory: SNYK:JS-RENOVATE-14927386...
EUVD-2026-2098
Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious distributionUrl...
Command Injection
Overview renovate is a dependency updater. Affected versions of this package are vulnerable to Command Injection via the distributionUrl parameter in the Gradle Wrapper update process. An attacker can execute arbitrary commands within the runtime environment by injecting shell command substitutio...
Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`
Summary Renovate can be tricked into executing shell code while updating the Gradle Wrapper. A malicious distributionUrl in gradle/wrapper/gradle-wrapper.properties can lead to command execution in the Renovate runtime. Details When Renovate handles Gradle Wrapper artifacts, it may run a wrapper...
GHSA-RQGV-292V-5QGR Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases
Summary Attackers with commit access to the default branch of a repo using Renovate could manipulate helmv3 registryAliases to execute arbitrary commands. Details Since 26848, registryAliases has become mergeable. This means that the helmv3 manager started honoring its value and uses a helm repo...