Lucene search
K

14 matches found

OSV
OSV
added 2026/06/23 5:10 p.m.4 views

GHSA-6P9M-Q3JP-47H4 Gogs: LFS dedupe path leaks private repo content across tenants

Summary Git LFS storage is content-addressed by OID alone /// but per-repo authorization lives in the lfsobject table keyed repoid, oid. serveUpload skips re-uploading when the OID file already exists on disk and inserts a new repoid, oid row pointing at it without verifying the request body hash...

7.1CVSS6AI score0.00236EPSS
Exploits0References5
OSV
OSV
added 2026/06/22 11:59 p.m.3 views

GHSA-P9F5-H3RX-J5QW Gogs Missing Authorization in Attachment Download

Summary In Gogs 0.14.1, GET /attachments/:uuid returns the raw attachment file without verifying whether the requester has view permission for the associated Issue/Comment/Release or the repository. In a test environment with REQUIRESIGNINVIEW = false, we confirmed that an unauthenticated user ca...

7.5CVSS5.8AI score0.00422EPSS
Exploits0References5
OSV
OSV
added 2026/06/09 4:4 p.m.10 views

MAL-2026-5397 Malicious code in create-docs-mcp (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector fd4381fd77419441a2eefe6b22adef6c9f5adfe1b92be5d071abd5908fdf8647 Package is published at version 9999.99.99 — the canonical high-version override used in dependency-confusion attacks against private/internal packag...

5.5AI score
Exploits0References1
Positive Technologies
Positive Technologies
added 2026/05/21 12:0 a.m.14 views

PT-2026-42520

Open ISES Tickets before 3.44.2 contains hardcoded MySQL database connection credentials host, username, password, database name in import mdb.php. The credentials are embedded in source code committed to the public repository, allowing any reader of the source to obtain valid configuration value...

9.2CVSS5.9AI score0.00297EPSS
Exploits0References4
The Hacker News
The Hacker News
added 2026/04/01 6:12 a.m.5 views

Claude Code Source Leaked via npm Packaging Error, Anthropic Confirms

Anthropic on Tuesday confirmed that internal code for its popular artificial intelligence AI coding assistant, Claude Code, had been inadvertently released due to a human error. "No sensitive customer data or credentials were involved or exposed," an Anthropic spokesperson said in a statement...

6.1AI score
Exploits0
RedhatCVE
RedhatCVE
added 2026/03/26 3:1 p.m.4 views

CVE-2026-33353

Soft Serve is a self-hostable Git server for the command line. From version 0.6.0 to before version 0.11.6, an authorization flaw in repo import allows any authenticated SSH user to clone a server-local Git repository, including another user's private repo, into a new repository they control. Thi...

7.1CVSS5.7AI score0.00364EPSS
Exploits1References1
GithubExploit
GithubExploit
added 2026/02/06 9:30 p.m.199 views

Exploit for Expression Language Injection in Siemens 6Bk1602-0Aa12-0Tp0_Firmware

ButtF - Backend Misconfiguration & Logic Flaw Exploitation Too...

10CVSS5.7AI score0.99999EPSS
Exploits442
OSV
OSV
added 2025/05/12 7:15 p.m.0 views

DEBIAN-CVE-2024-4981

A vulnerability was discovered in Pagure server. If a malicious user were to submit a git repository with symbolic links, the server could unintentionally show incorporate and make visible content from outside the git repo...

7.1CVSS5.3AI score0.00335EPSS
Exploits1References1
CNNVD
CNNVD
added 2025/05/12 12:0 a.m.3 views

Pagure 安全漏洞

Pagure is a Pagure open source Git repository written in Python that provides web services. A security vulnerability exists in Pagure that originates from a malicious user submitting a git repository containing a symbolic link, which could cause the server to accidentally display external content...

7.6CVSS6.3AI score0.00335EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2025/02/14 3:39 p.m.9 views

CVE-2025-1042

An insecure direct object reference vulnerability in GitLab EE affecting all versions from 15.7 prior to 17.6.5, 17.7 prior to 17.7.4, and 17.8 prior to 17.8.2 allows an attacker to view repositories in an unauthorized way...

7.5CVSS4.6AI score0.00406EPSS
Exploits0References1
CVE
CVE
added 2025/02/12 3:2 p.m.295 views

CVE-2025-1042

CVE-2025-1042 is an insecure direct object reference in GitLab EE that allowed viewing repositories without authorization in affected releases: 15.7 up to 17.6.5, 17.7 up to 17.7.4, and 17.8 up to 17.8.2. The vulnerability’s root cause is improper access control on repository data, with no exploi...

7.5CVSS4.8AI score0.00406EPSS
Exploits0References2Affected Software1
The Hacker News
The Hacker News
added 2023/03/24 11:6 a.m.4 views

GitHub Swiftly Replaces Exposed RSA SSH Key to Protect Git Operations

Cloud-based repository hosting service GitHub said it took the step of replacing its RSA SSH host key used to secure Git operations "out of an abundance of caution" after it was briefly exposed in a public repository. The activity, which was carried out at 05:00 UTC on March 24, 2023, is said to...

6.7AI score
Exploits0
Vulnrichment
Vulnrichment
added 2022/11/01 12:0 a.m.5 views

CVE-2022-23738 Incomplete cache verification issue in GitHub Enterprise Server leading to exposure of private repo files

An improper cache key vulnerability was identified in GitHub Enterprise Server that allowed an unauthorized actor to access private repository files through a public repository. To exploit this, an actor would need to already be authorized on the GitHub Enterprise Server instance, be able to crea...

5.5AI score0.00634EPSS
Exploits0References5
CNNVD
CNNVD
added 2022/11/01 12:0 a.m.75 views

GitHub Enterprise Server 安全漏洞

GitHub Enterprise Server is a U.S. GitHub open source application. It provides a platform for setting up your own GitHub instance as a virtual appliance, thus providing a scalable, easy-to-manage platform. A security vulnerability exists in GitHub Enterprise Server 3.6 and earlier versions, which...

5.7CVSS5.9AI score0.00634EPSS
Exploits0References6
Rows per page
Query Builder