PT-2026-7152
Name of the Vulnerable Software and Affected Versions: Super-linter versions 6.0.0 through 8.3.0. Description: Super-linter is susceptible to command injection through specially crafted filenames. When used in GitHub Actions workflows, an attacker submitting a pull request with a file containing she...
Malicious code in @sev-ui-verse/workflow-context (npm)
The package @sev-ui-verse/workflow-context was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b34fd25464abdc87cdcff95770eff1bf8f142ad5407a6487236fcc5c76f72f14 Any computer that has this package installed or running should be...
MAL-2025-47548 Malicious code in @sev-ui-verse/workflow-context (npm)
The package @sev-ui-verse/workflow-context was found to contain malicious code. --- -= Per source details. Do not edit below this line.=- Source: ghsa-malware b34fd25464abdc87cdcff95770eff1bf8f142ad5407a6487236fcc5c76f72f14 Any computer that has this package installed or running should be...
Malicious Package
Overview: @sev-ui-verse/workflow-context is a malicious package. This package contains malicious code, and its content was removed from the official package manager. While this package might be attempting to impersonate a valid organization, there is no connection between that organization and thi...
GHSA-VXMW-7H4F-HQXH PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
Summary: gh-action-pypi-publish makes use of GitHub Actions expression expansions (i.e. ${{ ... }}) in contexts that are potentially attacker controllable. Depending on the trigger used to invoke gh-action-pypi-publish, this may allow an attacker to execute arbitrary code within the context of a workflow...
CVE-2025-49013 WilderForge vulnerable to code Injection via GitHub Actions Workflows
WilderForge is a Wildermyth coremodding API. A critical vulnerability has been identified in multiple projects across the WilderForge organization. The issue arises from unsafe usage of ${{ github.event.review.body }} and other user controlled variables directly inside shell script contexts in GitHub...
Improper Neutralization of Special Elements Used in a Template Engine
Overview Affected versions of this package are vulnerable to Improper Neutralization of Special Elements Used in a Template Engine via the formatblockparametertemplatefromworkflowruncontext function in the block.py file. An attacker can access sensitive information by exploiting the Jinja runtime...
github-workflows code injection vulnerability
github-workflows is a shared reusable workflow for GitHub Actions for Kartverket individual developers. A security vulnerability exists in github-workflows versions prior to 2.7.5, which stems from being affected by code injection, where a malicious actor may send a PR with a malicious payload, whic...