CVE-2026-50141

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agentid value into outgoing gRPC metadata. The server correctl...

CVE-2026-50141

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agentid value into outgoing gRPC metadata. The server correctl...

CVE-2026-50141 Woodpecker gRPC agent_id metadata can be spoofed- cross-tenant agent impersonation

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agentid value into outgoing gRPC metadata. The server correctl...

EUVD-2026-37897

Woodpecker is a CI/CD engine. Starting in version 3.0.0 and prior to version 3.14.1, a vulnerability in Woodpecker CI's gRPC layer allowed any authenticated agent to impersonate any other agent on the same server by injecting a forged agentid value into outgoing gRPC metadata. The server correctl...

CVE-2026-50141

CVE-2026-50141 affects Woodpecker CI prior to 3.14.1, where the gRPC layer allowed an authenticated agent to impersonate another by forging agent_id in outgoing metadata. The server verified the JWT but then ignored it in favor of the client-supplied agent_id, enabling cross-tenant impersonation....

Malicious code in pantheon-toolsets (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3f2d24843d0caf23a36f07f7bd7b3adb7163463404856654f1745c7e75017be The wheel installs pantheontoolsets-setup.pth, which Python automatically executes at every interpreter startup before any user import. The.pth...

Malicious code in dynamo-release (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 a4e35bea632f7363e7a1cc6ccbfb9227eca2c4720b0a689edc1bc3ce64c9d85c Versions 1.5.4 were compromised. Compromised packages start an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed using B...

Malicious code in synago (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector a3e1bae7957cb735edd8424c1d2efe54b597c3a484ba77c9239e9ff8ec06327f The package installs synago-setup.pth, which Python auto-executes on every interpreter startup not only on import synago. The.pth contains an...

Malicious code in coolbox (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector c55bfdad112134e980af7568a9138be1e4b940f7bfbeebad2b0f85d9337a0f44 The wheel installs coolbox-setup.pth, a Python path-configuration file that Python auto-loads at every interpreter startup any python invocation...

Malicious code in executor-engine (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 7fee580000475783e657a2e66ca6a4a4bd4369aa0bc9f87152b003dca6f34848 executor-engine 0.3.4 ships a malicious site-packages.pth file executorengine-setup.pth that Python's site initialization auto-executes on every...

MAL-2026-5300 Malicious code in funcdesc (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 4a5756a79331cdda67721e39889609f5c0b5e342b678dbce2de97c94ec2dbe29 The package installs funcdesc-setup.pth, which Python auto-executes at interpreter startup for any environment where this package is installed. The.p...

MAL-2026-5296 Malicious code in magique (PyPI)

--- -= Per source details. Do not edit below this line.=- Source: kam193 f5d3bf9e3bbd5c258d251ade5a15f3383a47a53ddd399d7cd3db2aee5cec45c4 Versions 0.6.8, 0.6.9 were compromised. Compromised packages start an obfuscated infostealer. The infostealer is a heavily obfuscated JavaScript code executed...

CVE-2025-13967

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formname' parameter of the woodpecker-connector shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for...

WordPress Woodpecker for WordPress plugin <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute vulnerability

Authenticated Contributor+ Stored Cross-Site Scripting via 'formname' Shortcode Attribute vulnerability discovered by Gilang - DJ in WordPress Plugin Woodpecker for WordPress versions = 3.0.4...

CVE-2025-13967

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formname' parameter of the woodpecker-connector shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-13967

CVE-2025-13967 (Woodpecker for WordPress) details (from connected doc): The Woodpecker for WordPress plugin is affected by a stored XSS in the woodpecker-connector shortcode’s form_name parameter. This vulnerability exists in all versions up to and including 3.0.4. Exploitation requires authentic...

CVE-2025-13967 Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formname' parameter of the woodpecker-connector shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2025-13967 Woodpecker for WordPress <= 3.0.4 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_name' Shortcode Attribute

The Woodpecker for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'formname' parameter of the woodpecker-connector shortcode in all versions up to, and including, 3.0.4 due to insufficient input sanitization and output escaping. This makes it possible for...

CVE-2023-40034

Woodpecker is a community fork of the Drone CI system. In affected versions an attacker can post malformed webhook data witch lead to an update of the repository data that can e.g. allow the takeover of an repo. This is only critical if the CI is configured for public usage and connected to a for...

CVE-2024-41121

Woodpecker is a simple yet powerful CI/CD engine with great extensibility. The server allow to create any user who can trigger a pipeline run malicious workflows: 1. Those workflows can either lead to a host takeover that runs the agent executing the workflow. 2. Or allow to extract the secrets w...