35 matches found

Snyk
added 2026/05/14 9:25 p.m.

Arbitrary Code Injection

Overview: Affected versions of this package are vulnerable to Arbitrary Code Injection in the process that handles environment variable allowlisting in repository-local configuration. An attacker can access sensitive environment variables, including API tokens and credentials, by forwarding them...

9.3 CVSS · 6 AI score · 0.00161 EPSS
Exploits 0 · References 2
NVD
added 2026/05/07 3:16 p.m.

CVE-2026-41654

Weblate is a web-based localization tool. Prior to version 5.17.1, an authenticated user with the project.add permission (granted by default on hosted Weblate SaaS and to any user holding an active billing/trial plan) can import a crafted project backup ZIP whose components/.json contains an attacker-chosen repo...

8.1 CVSS · 0.00021 EPSS
Exploits 0 · References 6
Github Security Blog
added 2026/05/06 9:58 p.m.

GitPython: Newline injection in config_writer().set_value() enables RCE via core.hooksPath

GitConfigParser.set_value passes values to Python's configparser without validating them for newlines. GitPython's own write converts embedded newlines into indented continuation lines (e.g. \n becomes \n\t), but Git still accepts an indented core stanza as a section header, so the injected core.hooksPa...

7.8 CVSS · 6 AI score · 0.00023 EPSS
Exploits 1 · References 4 · Affected Software 1
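
The mechanism in the GitPython entry above, as an added example that is not GitPython's or git's own code: a writer that turns an embedded newline into an indented continuation line (the behaviour the advisory describes), a git-style reader that ignores leading whitespace and therefore treats the indented `[core]` line as a new section, and a hardened setter that rejects CR/LF before anything is written. The remote URL, section name and hooks path are constructed; git's real parser also lowercases key names and handles quoting, which this model skips.

```python
import re
from typing import Dict, Optional


def write_config_like_gitpython(section: str, key: str, value: str) -> str:
    """Serialise one key the way the advisory says GitPython writes it: an
    embedded newline becomes '\\n\\t' (an indented continuation line) and
    nothing is rejected. Model of the described behaviour, not GitPython code."""
    continued = value.replace("\n", "\n\t")
    return f"[{section}]\n\t{key} = {continued}\n"


def parse_config_like_git(text: str) -> Dict[str, str]:
    """Read a config file the way git does for this purpose: leading
    whitespace on a line is insignificant, so '\\t[core]' opens a new section.
    Returns {"section.key": value}."""
    config: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"^\[([^\]]+)\]$", line)
        if header:
            section = header.group(1)
            continue
        if section is None or "=" not in line:
            continue
        key, val = (part.strip() for part in line.split("=", 1))
        config[f"{section}.{key}"] = val
    return config


# Constructed attacker-controlled value, e.g. a remote URL taken from user input.
INJECTED_URL = "https://example.invalid/repo.git\n[core]\n\thooksPath = /tmp/evil-hooks"


def hooks_path_after_write(url_value: str) -> Optional[str]:
    """Store url_value as remote.origin.url with the lenient writer and report
    the core.hooksPath a git-style reader sees afterwards (None if nothing was
    injected)."""
    text = write_config_like_gitpython('remote "origin"', "url", url_value)
    return parse_config_like_git(text).get("core.hooksPath")


def set_value_hardened(section: str, key: str, value: str) -> str:
    """Hardened setter: refuse any value containing CR or LF, so a value can
    never start a new line, and therefore never a new section or key."""
    if re.search(r"[\r\n]", value):
        raise ValueError("git config values must not contain newline characters")
    return write_config_like_gitpython(section, key, value)


def hardened_rejects(value: str) -> bool:
    """True when the hardened setter refuses the value."""
    try:
        set_value_hardened('remote "origin"', "url", value)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(write_config_like_gitpython('remote "origin"', "url", INJECTED_URL))
    print("core.hooksPath seen by a git-style reader:", hooks_path_after_write(INJECTED_URL))
    print("hardened setter rejects the value:", hardened_rejects(INJECTED_URL))
```

The point to carry away is the invariant, independent of how the project's own fix is implemented: a configuration value may never contain the character that terminates a line in the file format, because the downstream parser (here git, not configparser) decides what the next line means.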
Hacker One
added 2026/03/18 7:47 a.m.

curl: Exposed .git/config File Leading to Potential Sensitive Information Disclosure

Summary: The .git/config file is publicly accessible on the target server, which may expose sensitive repository configuration details. This indicates that the .git directory is improperly exposed, potentially allowing attackers to reconstruct the entire source code repository and extract sensiti...

5.8 AI score
Exploits 0
OSV
added 2025/11/14 2:45 p.m.

HSEC-2025-0005 cabal-install dependency confusion

cabal-install dependency confusion: for cabal-install 3.4.0.0, where multiple repositories are configured, the resolver picks the highest available version across all repositories. Where a package is only defined in a private repository, this behaviour leads to a dependency confusion supply...

6.9 AI score
Exploits 0 · References 1
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2024-46657

Malicious code in bioql PyPI...

6.5 CVSS · 6.3 AI score · 0.00055 EPSS
Exploits 0 · References 2
EUVD
added 2025/10/03 8:07 p.m.

EUVD-2023-23385

Malicious code in bioql PyPI...

5.8 CVSS · 5.4 AI score · 0.00443 EPSS
Exploits 0 · References 3
OpenVAS
added 2025/09/25 12:00 a.m.

Ensure That GPG Verification Is Configured for the Yum Repositories

Software packages may be tampered with by attackers during network transmission or in local storage. If integrity verification is not performed on the packages, software tampered with by attackers may be installed; as a result, the server, or even the entire network cluster, may be compromised. ...

6.7 AI score
Exploits 0 · References 1
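
An audit for the check named in the OpenVAS entry above, added here and not OpenVAS's own test: it parses the contents of a `.repo` file and reports every enabled repository that does not set `gpgcheck=1`, or sets it without naming a `gpgkey` (the second finding is stricter than the benchmark wording, and is labelled as such). The three repository definitions are constructed: the first is the weak configuration, the second the corrected one, the third a disabled repository the check skips.

```python
import configparser
from typing import Dict, List, Optional

# Constructed contents of a /etc/yum.repos.d/*.repo file.
# "internal-weak" is the misconfiguration the check looks for; "internal-ok" is the fix.
SAMPLE_REPO_FILE = """
[internal-weak]
name=Internal packages (unsigned install allowed)
baseurl=https://repo.example.invalid/el9/
enabled=1
gpgcheck=0

[internal-ok]
name=Internal packages (signature required)
baseurl=https://repo.example.invalid/el9/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-internal

[legacy-disabled]
name=Old repository, disabled
baseurl=https://old.example.invalid/
enabled=0
gpgcheck=0
"""


def audit_repo_file(text: str, main_defaults: Optional[Dict[str, str]] = None) -> Dict[str, List[str]]:
    """Return {repo_id: [findings]} for every enabled repository that would let
    yum/dnf install packages without GPG verification.

    main_defaults stands in for the [main] section of yum.conf/dnf.conf, from
    which a per-repository option is inherited when the .repo file omits it;
    when it is not supplied, a missing gpgcheck is treated as unset (unsafe)."""
    defaults = main_defaults or {}
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings: Dict[str, List[str]] = {}
    for repo_id in parser.sections():
        sect = parser[repo_id]
        if sect.get("enabled", "1").strip() == "0":
            continue  # a disabled repository is never consulted by the resolver
        problems: List[str] = []
        gpgcheck = sect.get("gpgcheck", defaults.get("gpgcheck", "")).strip().lower()
        if gpgcheck not in ("1", "true", "yes"):
            problems.append("gpgcheck is not enabled: packages install without signature verification")
        elif not sect.get("gpgkey", defaults.get("gpgkey", "")).strip():
            # Stricter than the benchmark text: with no gpgkey, no trusted key is pinned to this repository.
            problems.append("gpgcheck=1 but no gpgkey: no trusted signing key is pinned for this repository")
        if problems:
            findings[repo_id] = problems
    return findings


if __name__ == "__main__":
    for repo_id, problems in audit_repo_file(SAMPLE_REPO_FILE).items():
        for problem in problems:
            print(f"{repo_id}: {problem}")
```

Run it over the real files with the `[main]` options of `/etc/dnf/dnf.conf` or `/etc/yum.conf` passed as `main_defaults`, since a repository that omits `gpgcheck` inherits whatever the global section says.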
Redos
added 2025/09/24 12:00 a.m.

ROS-20250924-01

The vulnerability in the pip module of the Python programming language is related to the failure to sanitize data at the control layer. Exploitation of the vulnerability could allow an attacker to change the repository configuration...

5.5 CVSS · 6.9 AI score · 0.00075 EPSS
Exploits 0
CNNVD
added 2025/09/10 12:00 a.m.

Claude Code code injection vulnerability

Claude Code is an open source agentic coding tool from Anthropic. A code injection vulnerability exists in Claude Code versions prior to 1.0.105: a malicious user email address in the git configuration can lead to arbitrary code execution...

9.8 CVSS · 7.8 AI score · 0.004 EPSS
Exploits 0 · References 1
Positive Technologies
added 2025/07/13 12:00 a.m.

PT-2025-30608 · Hackage · Cabal-Install

cabal-install dependency confusion: for cabal-install 3.4.0.0, where multiple repositories are configured, the resolver picks the highest available version across all repositories. Where a package is only defined in a private repository, this behaviour leads to a dependency confusion supply...

7 AI score
Exploits 0 · References 5
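
The resolver behaviour described in both cabal-install entries above (the OSV and Positive Technologies items), as an added example in Python rather than cabal-install's own code: a constructed two-repository index, a resolver that takes the highest version across all repositories, and a resolver that consults only the repository a private package is pinned to. The repository and package names are constructed, and per-package pinning is one mitigation pattern, not a description of cabal-install's fix.

```python
from typing import Dict, List, Optional, Tuple

# Constructed index: repository -> package -> available versions.
# "acme-internal" exists only in the private repository at 1.x; an attacker has
# published a package of the same name with a very high version on the public one.
INDEX: Dict[str, Dict[str, List[str]]] = {
    "hackage": {
        "aeson": ["2.1.2.1", "2.2.0.0"],
        "acme-internal": ["99.0.0"],
    },
    "acme-private": {
        "acme-internal": ["1.4.0", "1.5.2"],
    },
}

# Which repository each private package must come from (constructed).
PINS: Dict[str, str] = {"acme-internal": "acme-private"}


def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric dotted versions only, enough for this example."""
    return tuple(int(part) for part in v.split("."))


def _highest(index: Dict[str, Dict[str, List[str]]], package: str, repos: List[str]) -> Optional[Tuple[str, str]]:
    """Highest version of package among the given repositories, as (repo, version)."""
    best: Optional[Tuple[str, str]] = None
    for repo in repos:
        for v in index.get(repo, {}).get(package, []):
            if best is None or parse_version(v) > parse_version(best[1]):
                best = (repo, v)
    return best


def resolve_highest_anywhere(index: Dict[str, Dict[str, List[str]]], package: str) -> Optional[Tuple[str, str]]:
    """The vulnerable policy: every configured repository is a candidate and
    the highest version wins, wherever it came from."""
    return _highest(index, package, list(index))


def resolve_with_pins(index: Dict[str, Dict[str, List[str]]], package: str, pins: Dict[str, str]) -> Optional[Tuple[str, str]]:
    """Pinned packages are resolved from their designated repository only, so a
    look-alike in another repository is never a candidate; unpinned packages
    keep the old behaviour."""
    repos = [pins[package]] if package in pins else list(index)
    return _highest(index, package, repos)


def confusion_candidates(index: Dict[str, Dict[str, List[str]]], pins: Dict[str, str]) -> List[str]:
    """Pinned packages for which the highest-anywhere policy would pick a
    different repository than the pin: exactly the dependency confusion cases."""
    out = []
    for package, repo in pins.items():
        chosen = resolve_highest_anywhere(index, package)
        if chosen is not None and chosen[0] != repo:
            out.append(package)
    return out


if __name__ == "__main__":
    for package in ("aeson", "acme-internal"):
        print(package, "highest anywhere ->", resolve_highest_anywhere(INDEX, package))
        print(package, "with pins        ->", resolve_with_pins(INDEX, package, PINS))
    print("confusable:", confusion_candidates(INDEX, PINS))
```

`confusion_candidates` is the check to run against your own package index before relying on a multi-repository configuration: any pinned package it lists is one an attacker can shadow by publishing a higher version publicly.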
OSV
added 2024/05/08 2:15 a.m.

AZL-40346 CVE-2024-2746 affecting package dnf5 for versions less than 5.1.11-3

Incomplete fix for CVE-2024-1929. The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user-controlled "plugin". All of this happened before Polkit...

8.8 CVSS · 5.9 AI score · 0.00125 EPSS
Exploits 0 · References 1
CVE
added 2024/05/08 1:55 a.m.

CVE-2024-2746

CVE-2024-2746 is an incomplete fix for CVE-2024-1929 affecting dnf5/libdnf5, where the D-Bus interface accepts untrusted configuration overrides, enabling local root control by loading user-supplied plugins or manipulating privileged files. Public reports describe potential DoS via large/blocked f...

8.8 CVSS · 7.7 AI score · 0.00125 EPSS
Exploits 0 · References 1
Cvelist
added 2024/05/08 1:55 a.m.

CVE-2024-2746 Incomplete fix for CVE-2024-1929

Incomplete fix for CVE-2024-1929. The problem with CVE-2024-1929 was that the dnf5 D-Bus daemon accepted arbitrary configuration parameters from unprivileged users, which allowed a local root exploit by tricking the daemon into loading a user-controlled "plugin". All of this happened before Polkit...

8.8 CVSS · 8 AI score · 0.00125 EPSS
Exploits 0 · References 1
NVD
added 2024/03/07 2:15 p.m.

CVE-2023-42509

JFrog Artifactory later than version 7.17.4 but prior to version 7.77.0 is vulnerable to an issue whereby a sequence of improperly handled exceptions in repository configuration initialization steps may lead to exposure of sensitive data...

7.5 CVSS · 6.4 AI score · 0.00275 EPSS
Exploits 0 · References 1
Vulnrichment
added 2024/03/07 2:07 p.m.

CVE-2023-42509 JFrog Artifactory Sensitive Data Leakage in Repository configuration process

JFrog Artifactory later than version 7.17.4 but prior to version 7.77.0 is vulnerable to an issue whereby a sequence of improperly handled exceptions in repository configuration initialization steps may lead to exposure of sensitive data...

6.6 CVSS · 6.7 AI score · 0.00275 EPSS
Exploits 0 · References 1
Cvelist
added 2024/03/07 2:07 p.m.

CVE-2023-42509 JFrog Artifactory Sensitive Data Leakage in Repository configuration process

JFrog Artifactory later than version 7.17.4 but prior to version 7.77.0 is vulnerable to an issue whereby a sequence of improperly handled exceptions in repository configuration initialization steps may lead to exposure of sensitive data...

6.6 CVSS · 6.6 AI score · 0.00275 EPSS
Exploits 0 · References 1
RedHat Linux
added 2023/05/09 10:03 a.m.

git: On multi-user machines Git users might find themselves unexpectedly in a Git worktree

A vulnerability was found in Git. This flaw occurs because Git does not check the ownership of directories on a local multi-user system when running commands specified in the local repository configuration. This allows the owner of the repository to cause arbitrary commands to be executed by other...

7.8 CVSS · 7.3 AI score · 0.00168 EPSS
Exploits 0 · References 5
OSV
added 2022/10/13 12:00 p.m.

GHSA-W67G-6GJV-C599 Powerline Gitstatus vulnerable to arbitrary code execution

powerline-gitstatus, aka Powerline Gitstatus, before 1.3.2 allows arbitrary code execution. Git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs gi...

7.8 CVSS · 7.7 AI score · 0.0057 EPSS
Exploits 1 · References 6
Github Security Blog
added 2022/10/13 12:00 p.m.

Powerline Gitstatus vulnerable to arbitrary code execution

powerline-gitstatus, aka Powerline Gitstatus, before 1.3.2 allows arbitrary code execution. Git repositories can contain per-repository configuration that changes the behavior of git, including running arbitrary commands. When using powerline-gitstatus, changing to a directory automatically runs gi...

7.8 CVSS · 7.8 AI score · 0.0057 EPSS
Exploits 1 · References 6 · Affected Software 1
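
A pre-flight check for the failure mode shared by the Git multi-user entry and the two Powerline Gitstatus entries above, added here as an example and not git's, Red Hat's or powerline-gitstatus's own code: before a prompt, IDE or script runs `git` in a directory it did not create, confirm that the directory is owned by the current user and that the repository-local config does not point git at programs the repository owner chose. The list of config keys is a constructed, non-exhaustive selection (`hooksPath` and `fsmonitor` are the two git itself executes without prompting); `demo()` builds two throwaway repositories under a temp directory, and the foreign-owner case is simulated by passing a different uid, since the example cannot create files as another user.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Repository-local config keys whose value git (or common wrappers around it)
# will run as a program. Constructed, non-exhaustive list for this example.
EXEC_KEYS = re.compile(
    r"^\s*(hooksPath|fsmonitor|sshCommand|pager|editor|askPass|gitProxy)\s*=",
    re.IGNORECASE | re.MULTILINE,
)


def repo_is_trusted(repo_dir: str, uid: Optional[int] = None) -> Tuple[bool, List[str]]:
    """Return (trusted, reasons). Untrusted when the directory belongs to a
    different uid (the multi-user case git's ownership check addresses) or when
    .git/config sets a key that makes git execute a program of the owner's choosing."""
    uid = os.getuid() if uid is None else uid
    reasons: List[str] = []
    owner = os.stat(repo_dir).st_uid
    if owner != uid:
        reasons.append(f"{repo_dir} is owned by uid {owner}, not uid {uid}")
    config = Path(repo_dir) / ".git" / "config"
    if config.is_file():
        for match in EXEC_KEYS.finditer(config.read_text(errors="replace")):
            reasons.append(f".git/config sets {match.group(1)}")
    return (not reasons, reasons)


def _make_repo(root: Path, name: str, extra_config: str = "") -> str:
    """Write a minimal .git/config; no git binary is needed for the check."""
    repo = root / name
    (repo / ".git").mkdir(parents=True)
    (repo / ".git" / "config").write_text(
        "[core]\n\trepositoryformatversion = 0\n\tbare = false\n" + extra_config
    )
    return str(repo)


def demo() -> Dict[str, Tuple[bool, List[str]]]:
    """Exercise the check on constructed repositories and return the results."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = _make_repo(root, "clean")
        # Constructed hostile config: hooks and the fsmonitor helper both point at owner-chosen programs.
        hooked = _make_repo(root, "hooked", "\thooksPath = .githooks\n[core]\n\tfsmonitor = ./steal.sh\n")
        me = os.getuid()
        return {
            "clean": repo_is_trusted(clean, me),
            "hooked": repo_is_trusted(hooked, me),
            # Simulated foreign owner: the clean repository as seen by another uid.
            "foreign_owner": repo_is_trusted(clean, me + 1),
        }


if __name__ == "__main__":
    for name, (trusted, reasons) in demo().items():
        print(f"{name}: {'trusted' if trusted else 'UNTRUSTED'} {reasons}")
```

The ownership half is what git itself enforces since 2.35.2, and what the `safe.directory` setting relaxes for directories you have chosen to trust; the config-key half is the part a wrapper that runs `git` on every directory change has to handle on its own, because git will honour those keys in any repository it agrees to open.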