GitPython path traversal vulnerability
GitPython is a Python library developed by gitpython-developers, designed for interacting with Git repositories. Versions of GitPython prior to 3.1.48 contained a path traversal vulnerability. This vulnerability stemmed from insufficient validation of reference paths during reference creation,...
GHSA-5QHX-GWFJ-6JQR Gogs user can update repository content with read-only permission
Vulnerability Description The endpoint PUT /repos/:owner/:repo/contents/ does not require write permissions and allows access with read permission only via repoAssignment. After passing the permission check, PutContents invokes UpdateRepoFile, which results in: Commit creation Execution of git pu...
EUVD-2004-1435
Malware in sbrugna...
EUVD-2021-1119
Malware in sbrugna...
EUVD-2022-52993
Malicious code in bioql PyPI...
EUVD-2025-13599
Malicious code in bioql PyPI...
EUVD-2025-20825
Malicious code in bioql PyPI...
CVE-2025-4674
The go command may execute unexpected commands when operating in untrusted VCS repositories. This occurs when possibly dangerous VCS configuration is present in repositories. This can happen when a repository was fetched via one VCS e.g. Git, but contains metadata for another VCS e.g. Mercurial...
Security Bulletin: Vulnerabilities exist in IBM Netezza Analytics - NPS
Summary: Vulnerabilities existing in IBM Netezza Analytics - NPS are addressed in 11.2.29. Vulnerability Details: CVEID: CVE-2023-52425 DESCRIPTION: libexpat is vulnerable to a denial of service, caused by improper system resource allocation. By sending a specially crafted request using an overly large...
CVE-2023-0756
An issue has been discovered in GitLab affecting all versions before 15.9.6, all versions starting from 15.10 before 15.10.5, all versions starting from 15.11 before 15.11.1. The main branch of a repository with a specially crafted name allows an attacker to create repositories with malicious cod...
Ivy: Ivy Path traversal
A flaw was found in Apache Ivy. This may allow an attacker to place artifacts inside and outside of Ivy's repository and overwrite artifacts that the user will use later...
CVE-2021-32690
Helm is a tool for managing Charts packages of pre-configured Kubernetes resources. In versions of helm prior to 3.6.1, a vulnerability exists where the username and password credentials associated with a Helm repository could be passed on to another domain referenced by that Helm repository. Thi...
Origin Validation Error in Apache Maven
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom), which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository...
Gitlab -- Multiple Vulnerabilities
Gitlab reports: Path Traversal in NuGet Package Registry; Workhorse Bypass Leads to File Disclosure; OAuth Application Client Secrets Revealed; Code Owners Approval Rules Are Not Updated for Existing Merge Requests When Source Branch Changes; Code Owners Protection Not Enforced from Web UI; Repository...
CVE-2017-17458
In Mercurial before 4.4.1, it is possible that a specially malformed repository can cause Git subrepositories to run arbitrary code in the form of a .git/hooks/post-update script checked into the repository. Typical use of Mercurial prevents construction of such repositories, but they can be...
USN-3243-1: Git vulnerability
It was discovered that Git incorrectly sanitized branch names in the PS1 variable when configured to display the repository status in the shell prompt. If a user were tricked into exploring a malicious repository, a remote attacker could use this issue to execute arbitrary code...
Repository Security improvement - the default for creating a new repository should be restricted to admins until specifically configured.
I just noticed that when setting up repositories, they were created with 'default', which means if public sign up was on, they were able to see the repos. For the sake of security, a fresh install should default to restricting access to admins, perhaps through a default-created group 'admins'. Anon...
CVE-2007-4739
reprepro 1.3.0 through 2.2.3 does not properly verify signatures when updating repositories, which allows remote attackers to construct and distribute an ostensibly valid Release.gpg file by signing it with an unknown key, related to the update command...