CVE-2026-47174 Duck Site: Untrusted pull request code can trigger privileged production deployment

In Duck Site before version 1.0.1, the repository has a deploy workflow that runs after the build workflow completes. The build workflow runs on pull requests, while the deploy workflow runs with package-write permissions and deployment secrets. If an attacker can make a pull request build satisf...

CVE-2026-47174

Technical details such as affected components, versions, exploit paths, and fixes are not provided in the supplied documents; monitor for updates.

CVE-2026-47172 Quest Bot: Untrusted pull request code can be built and deployed by privileged `workflow_run` deployment.

Quest Bot is an opensource modern Discord Bot built for moderation, utilities and support. Prior to version 1.0.3, the repository has a privileged deploy workflow that runs after the unprivileged build workflow completes. The build workflow runs on pull requests, and the deploy workflow checks ou...

CVE-2026-1699

In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pullrequesttarget trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository's CI environment with access to...

QGIS security vulnerabilities

QGIS is an open-source geographic information system developed by QGIS. QGIS has a security vulnerability that stems from the GitHub Actions workflow using a pullrequesttarget trigger and executing untrusted pull requests in privileged environments. This can lead to remote code execution and...

CVE-2025-54594

react-native-bottom-tabs is a library of Native Bottom Tabs for React Native. In versions 0.9.2 and below, the github/workflows/release-canary.yml GitHub Actions repository workflow improperly used the pullrequesttarget event trigger, which allowed for untrusted code from a forked pull request to...

Unsafe Dependency Resolution

Overview @nx/azure-cache is an A Nx plugin which provides a Nx cache which can be self hosted on Azure Blob Storage. Affected versions of this package are vulnerable to Unsafe Dependency Resolution via the build cache process. An attacker can inject compromised artifacts into trusted production...

GHSA-RRR2-JCR8-7Q3X @nx/azure-cache Vulnerable to Build Cache Poisoning via Untrusted Pull Requests

A critical security vulnerability exists in remote cache extensions for common build systems utilizing bucket-based remote cache such as those using Amazon S3, Google Cloud Storage, or similar object storage that allows any contributor with pull request privileges to inject compromised artifacts...

PT-2024-28639

Name of the Vulnerable Software and Affected Versions JupyterLab extension template versions prior to 4.3.0 Description The JupyterLab extension template has a remote code execution RCE vulnerability in the update-integration-tests.yml workflow. This issue affects repositories created using the...