Lucene search
+L

191 matches found

RedhatCVE
RedhatCVE
added 2026/05/30 2:12 a.m.13 views

CVE-2026-44358

Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary...

8.2CVSS6AI score0.00181EPSS
Exploits0References1
SUSE CVE
SUSE CVE
added 2026/05/29 1:20 a.m.29 views

SUSE CVE-2026-45321

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...

9.6CVSS6AI score0.02342EPSS
Exploits3References3
Cvelist
Cvelist
added 2026/05/28 2:28 p.m.37 views

CVE-2026-44358 Espressif Shared GitHub DangerJS: Untrusted Search Path in DangerJS Action Entrypoint

Espressif Shared GitHub DangerJS is a reusable GitHub Action CI DangerJS workflow for Espressif GitHub projects. Prior to 1.0.1, the action's entrypoint.sh invoked DangerJS from the caller's workspace after copying the fork's checkout into it, creating an untrusted search path for both binary...

8.2CVSS0.00181EPSS
Exploits0References2
NVD
NVD
added 2026/05/27 8:16 p.m.21 views

CVE-2026-44590

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validatemodifiedtargets.yml is vulnerable to command injection via the pullrequesttarget trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltra...

9.3CVSS0.01141EPSS
Exploits1References1
OSV
OSV
added 2026/05/27 8:16 p.m.19 views

UBUNTU-CVE-2026-44590

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validatemodifiedtargets.yml is vulnerable to command injection via the pullrequesttarget trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltra...

9.3CVSS6.1AI score0.01141EPSS
Exploits1References4
RedhatCVE
RedhatCVE
added 2026/05/27 8:13 p.m.44 views

CVE-2026-45321

On 2026-05-11, between approximately 19:20 and 19:26 UTC, 84 malicious versions across 42 @tanstack/ packages were published to the npm registry. The publishes were authenticated via the legitimate GitHub Actions OIDC trusted-publisher binding for TanStack/router, but the publish workflow itself...

9.6CVSS7.5AI score0.02342EPSS
Exploits3References1
Vulnrichment
Vulnrichment
added 2026/05/27 7:23 p.m.12 views

CVE-2026-44590 Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validatemodifiedtargets.yml is vulnerable to command injection via the pullrequesttarget trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltra...

9.3CVSS6.1AI score0.01141EPSS
Exploits1References1
ATTACKERKB
ATTACKERKB
added 2026/05/27 7:23 p.m.12 views

CVE-2026-44590

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validatemodifiedtargets.yml is vulnerable to command injection via the pullrequesttarget trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltra...

9.3CVSS6.1AI score0.01141EPSS
Exploits1References2Affected Software1
CVE
CVE
added 2026/05/27 7:23 p.m.31 views

CVE-2026-44590

The CVE-2026-44590 entry concerns the Sherlock project’s GitHub Actions workflow validate_modified_targets.yml. Before version 0.16.1, a command-injection vulnerability in the pull_request_target flow allowed any GitHub user to execute arbitrary commands on the CI runner and exfiltrate the workfl...

9.3CVSS6.1AI score0.01141EPSS
Exploits1References1
EUVD
EUVD
added 2026/05/27 7:23 p.m.15 views

EUVD-2026-32638

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validatemodifiedtargets.yml is vulnerable to command injection via the pullrequesttarget trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltra...

9.3CVSS6.1AI score0.01141EPSS
Exploits1References1
Cvelist
Cvelist
added 2026/05/27 7:23 p.m.44 views

CVE-2026-44590 Sherlock: Command Injection via pull_request_target in validate_modified_targets.yml

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validatemodifiedtargets.yml is vulnerable to command injection via the pullrequesttarget trigger. Any GitHub user can execute arbitrary commands on the CI runner and exfiltra...

9.3CVSS0.01141EPSS
Exploits1References1
Positive Technologies
Positive Technologies
added 2026/05/27 12:0 a.m.16 views

PT-2026-44083

Sherlock hunts down social media accounts by username across social networks. Prior to 0.16.1, the GitHub Actions workflow validate modified targets.yml is vulnerable to command injection via the pull request target trigger. Any GitHub user can execute arbitrary commands on the CI runner and...

9.3CVSS6.1AI score0.01141EPSS
Exploits1References2
CNNVD
CNNVD
added 2026/05/27 12:0 a.m.15 views

sherlock 操作系统命令注入漏洞

Sherlock is an open-source username search tool developed by Sherlock. Versions of Sherlock prior to 0.16.1 contained a vulnerability related to operating system command injection. This vulnerability originated from the pullrequesttarget trigger in the GitHub Actions workflow...

9.3CVSS6.1AI score0.01141EPSS
Exploits1References1
OSV
OSV
added 2026/05/20 3:31 p.m.22 views

GHSA-PQWM-Q9PV-PH8R Setup PHP: Command Injection in Repository-Derived PHP Version Resolution

Summary A command injection vulnerability was identified in shivammathur/setup-php when the action resolves the PHP version from repository-controlled files and uses that value while generating the platform setup script. In affected versions, setup-php may read the PHP version from: - .php-versio...

5.6CVSS6.2AI score0.01576EPSS
Exploits1References3
GithubExploit
GithubExploit
added 2026/05/18 9:16 a.m.207 views

Exploit for Embedded Malicious Code in Tanstack Tanstack\/Arktype-Adapter

TanStack Supply Chain Compromise - IOC Checker bash curl -...

9.6CVSS7.6AI score0.02342EPSS
Exploits3
Positive Technologies
Positive Technologies
added 2026/05/18 12:0 a.m.17 views

PT-2026-41685

Name of the Vulnerable Software and Affected Versions Faraday versions 2.0.0 through 2.14.1 Description Faraday is an HTTP client library abstraction layer. A flaw exists where protocol-relative host override is possible when the request target is passed as a URI object instead of a String to the...

5.8AI score0.00272EPSS
Exploits1References6
OSV
OSV
added 2026/05/14 1:18 p.m.8 views

GHSA-Q58J-G3F4-H26H CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration

Summary The GitHub Actions workflow .github/workflows/static.yml uses the pullrequesttarget trigger but dangerously checks out the unverified code from the pull request head ref: $ github.event.pullrequest.head.ref . Subsequently, it executes a script bin/console from this untrusted checkout. Thi...

8.2CVSS6.1AI score0.00433EPSS
Exploits0References5
Github Security Blog
Github Security Blog
added 2026/05/14 1:18 p.m.11 views

CoreShop Vulnerable to Remote Code Execution (RCE) via Insecure `pull_request_target` Configuration

Summary The GitHub Actions workflow .github/workflows/static.yml uses the pullrequesttarget trigger but dangerously checks out the unverified code from the pull request head ref: $ github.event.pullrequest.head.ref . Subsequently, it executes a script bin/console from this untrusted checkout. Thi...

8.2CVSS6.1AI score0.00433EPSS
Exploits0References5Affected Software1
Positive Technologies
Positive Technologies
added 2026/05/14 12:0 a.m.15 views

PT-2026-40973

Name of the Vulnerable Software and Affected Versions CoreShop versions 5.0.1 through 5.1.0-beta.1 Description The GitHub Actions workflow located at .github/workflows/static.yml uses the pull request target trigger and checks out unverified code from the pull request head using the variable ref:...

8.2CVSS5.8AI score0.00433EPSS
Exploits0References8
CNNVD
CNNVD
added 2026/05/12 12:0 a.m.13 views

TanStack Query 安全漏洞

TanStack Query is an open-source library developed by TanStack, featuring a complete set of functions and supporting TypeScript. There is a security vulnerability in TanStack Query. This vulnerability stems from attackers exploiting configuration errors in the pullrequesttarget, GitHub Actions...

9.6CVSS7.5AI score0.02342EPSS
Exploits3References2
Rows per page
Query Builder