11 matches found
SUSE CVE-2026-34041
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
SUSE CVE-2026-34042
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and...
CVE-2026-34042
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and...
CVE-2026-34042
act: The CVE-2026-34042 flaw in the act project’s actions/cache server lets connections from any interface create caches with arbitrary keys and read existing caches, potentially enabling arbitrary remote code execution inside the local Docker container. The issue stems from listening on all inte...
CVE-2026-34042 act: actions/cache server allows malicious cache injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and...
CVE-2026-34042 act: actions/cache server allows malicious cache injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and...
CVE-2026-34042 act: actions/cache server allows malicious cache injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitrary keys and...
CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
CVE-2026-34041
act: Unrestricted set-env and add-path command processing enables environment injection in github.com/nektos/act. Prior to version 0.2.86, act unconditionally processes deprecated ::set-env:: and ::add-path:: commands, allowing an attacker to inject environment variables or modify PATH for subseq...
CVE-2026-34041 act: Unrestricted set-env and add-path command processing enables environment injection
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted data to stdout, an...
Missing Authorization
Overview Affected versions of this package are vulnerable to Missing Authorization via the actions/cache server process. An attacker can inject malicious cache entries and retrieve all existing caches by connecting to the server and predicting cache keys, potentially leading to execution of...