48 matches found
CVE-2026-42284
GitPython (Python Git library) is affected by CVE-2026-42284 due to unsafe handling of multi_options in _clone() before 3.1.47. The code validates multi_options as the original list, then performs shlex.split(" ".join(multi_options)), which can allow a crafted string like "--branch main --config ...
GitPython parameter injection vulnerability
GitPython is a Python library developed by gitpython-developers, designed for interacting with Git repositories. Versions of GitPython prior to 3.1.47 contained a parameter injection vulnerability. This vulnerability stemmed from the use of _clone() to validate multi_options, followed by the executio...
GHSA-X2QX-6953-8485 GitPython: Unsafe option check validates multi_options before shlex.split transformation
Summary: _clone() validates multi_options as the original list, then executes shlex.split(" ".join(multi_options)). A string like "--branch main --config core.hooksPath=/x" passes validation (starts with --branch), but after split becomes "--branch", "main", "--config", "core.hooksPath=/x". Git applies the...
CVE-2026-34935
PraisonAI is a multi-agent teams system. From version 4.5.15 to before version 4.5.69, the --mcp CLI argument is passed directly to shlex.split and forwarded through the call chain to anyio.open_process with no validation, allowlist check, or sanitization at any hop, allowing arbitrary OS command...
CVE-2026-26514
An Argument Injection vulnerability exists in bird-lg-go before commit 6187a4e. The traceroute module uses shlex.Split to parse user input without validation, allowing remote attackers to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can be exploited to cause a Denial of Service D...
CVE-2026-26514
CVE-2026-26514 affects bird-lg-go prior to commit 6187a4e3afce6d8c29568f8c72ca497d1f5a2b56. The traceroute module parses user input with shlex.Split without validation, enabling an attacker to inject arbitrary flags (e.g., -w, -q) via the q parameter. This can lead to Denial of Service (DoS) by e...
Security update for rust-keylime
This update for rust-keylime fixes the following issues: CVE-2025-55159: slab: incorrect bounds check in get_disjoint_mut function can lead to undefined behavior or potential crash due to out-of-bounds access (bsc#1248006). CVE-2025-3416: openssl: Use-After-Free in Md::fetch and Cipher::fetch in...
SLED15 / SLES15 Security Update : gstreamer-plugins-rs (SUSE-SU-2025:03459-1)
The remote openSUSE host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:03459-1 advisory. - Update crate shlex to 1.3.0: RUSTSEC-2024-0006: Fixed multiple issues involving quote API (bsc#1230028). Tenable has extracted the preceding description block...
SUSE-SU-2025:03459-1 Security update for gstreamer-plugins-rs
This update for gstreamer-plugins-rs fixes the following issues: - Update crate shlex to 1.3.0: RUSTSEC-2024-0006: Fixed multiple issues involving quote API (bsc#1230028)...
Security update for gstreamer-plugins-rs
This update for gstreamer-plugins-rs fixes the following issues: Update crate shlex to 1.3.0: RUSTSEC-2024-0006: Fixed multiple issues involving quote API (bsc#1230028). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper...
EUVD-2024-54826
Malicious code in bioql PyPI...
EUVD-2025-29427
Malicious code in bioql PyPI...
SUSE-SU-2025:20717-1 Security update for rust-keylime
This update for rust-keylime fixes the following issues: - Update vendored crate slab to version 0.4.11: CVE-2025-55159: Fixed incorrect bounds check in get_disjoint_mut function leading to undefined behavior or potential crash due to out-of-bounds access (bsc#1248006). - Update to version 0.2.8+12:...
Security update for rust-keylime
This update for rust-keylime fixes the following issues: Update vendored crate slab to version 0.4.11: CVE-2025-55159: Fixed incorrect bounds check in get_disjoint_mut function leading to undefined behavior or potential crash due to out-of-bounds access (bsc#1248006). Update to version 0.2.8+12:...
Security update for rav1e
This update for rav1e fixes the following issues: Update crate shlex to 1.3.0: CVE-2024-58266: Fixed command injection (bsc#1247207). RUSTSEC-2024-0006: Fixed multiple issues involving quote API (bsc#1230028). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods...
SUSE-SU-2025:03092-1 Security update for rav1e
This update for rav1e fixes the following issues: - Update crate shlex to 1.3.0: CVE-2024-58266: Fixed command injection (bsc#1247207). RUSTSEC-2024-0006: Fixed multiple issues involving quote API (bsc#1230028)...
SUSE SLED15 / SLES15 / openSUSE 15 Security Update : rav1e (SUSE-SU-2025:03077-1)
The remote SUSE Linux SLED15 / SLED_SAP15 / SLES15 / SLES_SAP15 / openSUSE 15 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2025:03077-1 advisory. - CVE-2024-58266: shlex: Fixed certain bytes allowed to appear unquoted and unescaped in command argumen...
Security update for rav1e
This update for rav1e fixes the following issues: CVE-2024-58266: shlex: Fixed certain bytes allowed to appear unquoted and unescaped in command arguments (bsc#1247207). Patch Instructions: To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper...