5 matches found
CVE-2026-39866
CVE-2026-39866 affects Lawnchair for Android. The bug is in the release_update.yml GitHub Actions workflow: an unquoted input (artifactName) is injected into a bash command, allowing command execution on the runner. A patch commit fcba413f55dd47f8a3921445252849126c6266b2 fixes the issue; affected...
CVE-2026-39866 Lawnchair vulnerable to Command Injection via unquoted workflow dispatch input in release_update.yml
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in releaseupdate.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue...
CVE-2026-39866
Lawnchair is a free, open-source home app for Android. Prior to commit fcba413f55dd47f8a3921445252849126c6266b2, command injection in releaseupdate.yml workflow dispatch input allows arbitrary code execution. Commit fcba413f55dd47f8a3921445252849126c6266b2 patches the issue...
EUVD-2026-19728
Emissary has GitHub Actions Shell Injection via Workflow Inputs...
CVE-2026-35580
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, GitHub Actions workflow files contained shell injection points where user-controlled workflowdispatch inputs were interpolated directly into shell commands via $ expression syntax. An attacker with repository write access could...