The GitHub Actions workflow pr_autoupdate.yaml checks out untrusted code, potentially allowing attackers to execute arbitrary code in a privileged context.

Improper handling of inputs in GitHub Actions with privileged context could allow attackers to execute arbitrary code.

The homeassistant-tapo-control repository was vulnerable to code injection in the issues.yml GitHub Actions workflow.

A code injection vulnerability was identified in the GitHub Actions workflow migrator.yml of the ansys/pymapdl project on the latest main branch, enabling potential attackers to execute arbitrary code with privileged context and leak repository secrets. This could lead to unauthorized access, exposure of sensitive information, and further exploitation.

The int128/datadog-actions-metrics project is vulnerable in its latest main branch due to improper validation in a GitHub Actions workflow, where checking out untrusted code could potentially lead to secret leakage.

The performance workflow in the ag-grid/ag-grid project’s latest branch is vulnerable to unauthorized code execution due to the insecure checkout of untrusted code in GitHub Actions, potentially exposing secrets and compromising the privileged context.

A code injection vulnerability (GHSL-2025-089) was identified in the validate-pr-description GitHub Actions workflow of the ydb-platform/ydb project on the latest main branch, allowing attackers to execute arbitrary code by manipulating input processed by the workflow.

A code injection vulnerability was identified in the PX4/PX4-Autopilot project within the docs_pr_comment.yml GitHub Actions workflow on the latest main branch. An attacker could exploit this issue in a privileged context to execute arbitrary code, potentially compromising the CI/CD pipeline.

The beeware/beeware.github.io project is vulnerable in its CI pipeline (ci.yml) to untrusted actions checkout, potentially allowing supply chain attacks.

Checking out of untrusted code in validate-lut-files.yml workflow may lead to code execution in privileged runner

GPT-SoVITS is vulnerable to multiple unsafe deserializations, which lead to remote code execution.

GPT-SoVITS is vulnerable to multiple command injections.

Ant-design-web3 is vulnerable to Actions expression injection allowing an attacker to alter the repository and steal secrets.

Ant-design-blazor is vulnerable to Actions expression injection allowing an attacker to alter the repository and steal secrets.

Several vulnerabilities were found in Camaleon CMS. Three vulnerabilities (GHSL-2024-182, GHSL-2024-183, GHSL-2024-184) can be exploited by "normal" authenticated users. Camaleon CMS instances where self-registration is enabled (e.g. to leave comments on posts) are especially endangered by these vulnerabilities.

Applio 3.2.7 is vulnerable to unsafe deserialization, SSRFs and arbitrary file writes, arbitrary file read and arbitrary file removal.

Apache Superset is vulnerable to a Poisoned Pipeline Execution (PPE) attack which may lead to a full compromise of the apache/superset repository.

Appsmith is vulnerable to Actions expression injection allowing an attacker to alter the repository and steal secrets.

Cilium push-chart-ci.yaml and build-images-base.yaml workflows are vulnerable to script injection.

A snap with a crafted yaml file can cause a Denial of Service (DoS) in snapcraft.

remove_html_tags uses a regex that has a ReDoS vulnerability.

The pr-website-deploy-comment workflow of Microsoft FluentUI is vulnerable to Poisoned Pipeline Execution (PPE).

Amplification is vulnerable to Poisoned Pipeline Execution (PPE) allowing malicious actors to take over the repository.

Checking out of untrusted branch allows code execution in trusted context in the pr-comment-validate Action

Sickchill is vulnerable to an open redirect vulnerability.

Feign's comment-pr.yml workflow is vulnerable to Environment Variable injection which may lead to Repository takeover.

Secret exfiltration on GitHub's Azure/api-management-developer-portal repository.

Azure/azure-cli is vulnerable to Environment Variable Injection which may allow a malicious actor to exfiltrate the CLI_BOT secret.

Multiple reflected XSS vulnerabilities exist in the registration and login forms of habitica, giving the attacker control of the victim's account when a victim registers or logins with a specially crafted link.

angular/angular-ja repository is vulnerable to a code injection in its adev-preview-deploy.yml workflow which may an attacker to gain write permissions for the pull_request scope and leak the Firebase token.

aws/karpenter-provider-aws repository is vulnerable to Poisoned Pipeline Execution (PPE) which may lead to AWS Key exfiltration

Marimo is vulnerable to Poisoned Pipeline Execution (PPE) which may allow an attacker to get write permissions to the repository and exfiltrate secrets such as TURBO_TOKEN or NPM_TOKEN

PlexRipper's open CORS policy allows attackers to gain sensitive information from PlexRipper by getting the user to access the attacker's domain.

Adobe's react-spectrum-charts GitHub repository is vulnerable to Poisoned Pipeline Execution via Environment Variable Injection in its pr-sonar.yml workflow. A malicious actor could gain full-write permissions to the repository and access to the https://github/adobe organization secrets.

aws-cli has two regexes with ReDoS vulnerabilities.

Cloudflare workers-sdk write-prerelease-comment.yml workflow is vulnerable to environment variable injection which may allow an attacker to leak secrets and gain write access to the repository.

Cilium push-chart-ci.yaml workflow is vulnerable to a Poisoned Pipeline Execution (PPE) attack which may lead to the exfiltration of the QUAY_CHARTS_DEV_PASSWORD and QUAY_CHARTS_DEV_USERNAME secrets. Additionally, it is also vulnerable to Cache Poisoning attack which may allow an attacker to gain elevated privileges in a different workflow.

Multiple Code Injection vulnerabilities exist in the check_properties.yml workflow, allowing an external user to gain write permissions to the repository.

Several vulnerabilities were found in MarkUs, a web application for the submission and grading of student assignments. They can lead up to Remote Code Execution (RCE) via the submission of a student.

Hoverfly is a lightweight service virtualization/API simulation/API mocking tool for developers and testers. The hoverfly server is vulnerable to command injection, server-side request forgery (SSRF) and arbitrary file read.

The gruber regex in transformation.py has a ReDoS vulnerability, which could potentially lead to a denial of service in Giskard.

Multiple Eclipse repositories are vulnerable to Poisoned Pipeline Execution (PPE) via Code Injection allowing a malicious actor to exfiltrate the Eclipse's Personal Access Token with organization write permission.

docker-mailserver docs-preview-deploy.yml workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation.

Univer uses multiple actions workflows vulnerable to actions injections.

The comment-on-pr.yml workflow is vulnerable to Poisoned Pipeline Execution (PPE) which may allow a malicious actor to gain write access to the repository and exfiltrate secrets.

Trino's upload-test-results.yml workflow is vulnerable to Code Injection which may allow a malicious actor to gain write access to the repository and exfiltrate secrets.

Hibernate ORM is vulnerable to Poisoned Pipeline Execution (PPE) allowing malicious actors to exfiltrate their Develocity access keys.

Zephyr doc-publish-pr.yml workflow is vulnerable to environment variable injection which may allow an attacker to leak secrets and gain write access to the repository.

A universal XSS is present in the Edge and Firefox versions of Smartup, allowing another extension to execute arbitrary code in the context of the active tab.

Astro contains Actions workflows that are vulnerable to Code Injection and Execution of Untrusted Code which could be leverage to steal secrets and poison the cache.

RSSHub's docker-test-cont.yml workflow is vulnerable to Artifact Poisoning which may lead to a full repository takeover.

Gradio contains multiple Workflows vulnerables to Execution of untrusted code enabling an attacker to steal secret tokens and gain write access to the Gradio repository.

Kong is vulnerable to Actions expression injection allowing an attacker to takeover the repository and steal secrets.

A reflected Cross-Site Scripting (XSS) vulnerability exists in Alist that may allow unauthenticated users to steal the JWT token of users that click on a specially crafted link. In the worst case, this may allow an unauthenticated user to copy, delete and read arbitrary files on connected services or locally.

Arduino-esp32 is vulnerable to Poisoned Pipeline Execution (PPE) allowing malicious actors to take over the repository.

Milvus is vulnerable to Actions code injection allowing an attacker to alter the repository and steal secrets.

The QGIS repository is vulnerable to Poisoned Pipeline Execution (PPE) which may allow a malicious actor to take over the repository.

Several vulnerabilities were found in OpenHAB's CometVisu addon, which is part of OpenHAB's Web UI project.

Using CodeQL to scan repos to find SQL injections.

A command injection vulnerability in the IndieAuth functionality of the Haven blog web application leads to code execution when an authenticated administrator is tricked to access a crafted link.

Litestar docs-preview.yml workflow is vulnerable to Environment Variable injection which may lead to secret exfiltration and repository manipulation.

Element+ is vulnerable to Poisoned Pipeline Execution (PPE) which may allow an attacker to gain write acces to the repository and the CROWDIN_TOKEN token.

starrocks is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Infinispan is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

OpenIM is vulnerable to Actions expression injection allowing attackers to take over the GitHub Runner and steal the BOT_GITHUB_TOKEN secret.

An AsyncAPI organization-wide workflow is vulnerable to Actions expression injection allowing an attacker to take over the repositories and steal secrets.

Cromwell is vulnerable to an Actions expression injection allowing an attacker to take over the repository and steal secrets.

EVE is vulnerable to Actions expression injection allowing an attacker to take over the GitHub Runner and potentially approve any Pull Requests.

Infinispan is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Casdoor is vulnerable to a CORS misconfiguration and a reflected Cross-Site Scripting (XSS) vulnerability, both of which may allow an attacker to take actions on behalf of the signed-in user.

Insecure usage of pull_request_target and PR title make fabric.js repository vulnerable to an unauthorized repository modification or secrets exfiltration.

HertzBeat is vulnerable to unsafe deserialization and SQL injection.

Stencil's pack-and-comment.yml and tech-debt-burndown.yml workflows are vulnerable to Poisoned Pipeline Execution (PPE).

Monkeytype is vulnerable to Poisoned Pipeline Execution through Code Injection in its ci-failure-comment.yml GitHub Workflow, enabling attackers to gain pull-requests write access.

The unit-tests.yml GitHub's workflow is vulnerable to arbitrary code execution.

Excalidraw is vulnerable to Poisoned Pipeline Execution (PPE) on its autorelease-preview.yml workflow allowing an external attacker to gain write access to the repository.

Ant-Design is vulnerable to Actions expression injection allowing an attacker to alter the repository and steal secrets.

JupyterLab is vulnerable to checkout and execution of untrusted code in the GitHub workflows allowing attacker to gain write access and read secrets from the repository.

Quarkus is vulnerable to Actions expression injection and Artifact Poisoning allowing an attacker to alter the repository and steal secrets.

Streamlit-geospatial project contains several remote code execution and blind server-side request forgery vulnerabilities.

Discord.js is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

A retest of GHSL-2023-239/CVE-2024-28212 uncovered that the endpoint /script/api/github/validate of ngrinder remained susceptible to unsafe YAML deserialization.

fishaudio/Bert-VITS2 v2.3 is vulnerable to command injections and limited file write vulnerabilties.

Insecure usage of pull_request_target makes docfx repository vulnerable to secrets exfiltration.

Several GitHub workflow may leak secret API Keys (OpenAI, Azure, Bing, etc.) when triggered by any Pull Request.

Several vulnerabilities were discovered in the ngrinder web application from Naver, including two unauthenticated remote code execution (RCE) vulnerabilities.

Flowise is vulnerable to path injection, cross site scripting and CORS misconfiguration vulnerabilities.

BioDrop is vulnerable to Actions expression injection allowing an attacker to manipulate repository issues.

A denial of service (DoS) vulnerability was found in the helpdesk software Zammad. An authenticated attacker could have prevented the web application from handling any requests.

A SQL injection vulnerability in Meshery up to v0.7.22 allows a remote attacker to obtain sensitive information, alter database registries, or create arbitrary files via the order and sort parameters of two HTTP endpoints.

DuckDB is vulnerable to Actions expression injection allowing attackers to take over the repository and steal secrets.

Hedy is vulnerable to Actions expression injection allowing attackers to take over the repository and steal secrets.

Misskey is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Simple Icons is vulnerable to an Actions expression injection, allowing an attacker to take over the repository and steal secrets.

KubeBlocks is vulnerable to Actions expression injection allowing an attacker to take over the repository and steal secrets.

Kolibri is vulnerable to Actions expression injection allowing an attacker to alter the repository and steal secrets.

Open-webui is vulnerable to authenticated blind server-side request forgery.

Kohya_ss v22.6.1 is vulnerable to multiple command injections and path injections.

Plane v0.13-dev is vulnerable to authenticated blind server-side request forgery vulnerability.

A reflected XSS vulnerability exists in the openrasp cloud interface that allows an unauthenticated attacker to gain the session of users.

DocsGPT is vulnerable to unauthenticated limited file write.

Multiple SSRF vulnerabilities exist in the memos API service that allow unauthenticated and authenticated users to enumerate and read from the internal network. In addition, one SSRF vulnerability leads to a reflected XSS vulnerability, which may allow an attacker complete control over the administrator account.

Stable-diffusion-webui 1.7.0 is vulnerable to a limited file write affecting Windows systems.

Owncast in version 0.1.2 allows remote attackers with administrator privileges to delete arbitrary files by making a malicious POST request to /api/admin/emoji/delete.

Mealie v1.0.0-RC1.1 is vulnerable to multiple SSRF and DoS vulnerabilities. These vulnerabilities can be leveraged to identify, map, and retrieve the contents of webservers on Mealie's local network as well as being the victim of, or launching point for, a denial of service attack against a target of the attacker's choice.

Apache Submarine is vulnerable to unsafe deserialization due to the use of SnakeYaml's default constructor when parsing user-supplied data.

A SQL injection vulnerability in Meshery up to v0.6.181 allows a remote attacker to obtain sensitive information via the order parameter of GetMeshSyncResources.

A lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password.

OpenMetadata is vulnerable to several SpEL Expression Injections and an authentication bypass leading to pre-authentication Remote Code Execution (RCE).

The service worker of the codeium-chrome extension doesn't check the sender when receiving an external message. This allows an attacker to host a website that will steal the user's Codeium api-key, and thus impersonate the user on the backend autocomplete server.

Treasure Data's digdag workload automation system was susceptible to a path traversal vulnerability if it's configured to store log files locally.

We have recently begun research on using static analysis tools to find Spectre-v1 gadgets. During this research, we discovered two gadgets, one in do_prlimit (CVE-2023-0458) and one in copy_from_user (CVE-2023-0459). In this writeup, we explain these issues and how we found them.

A SQL injection vulnerability was found in FarmBot’s web app that allowed authenticated attackers to extract arbitrary data from its database (including the user table).

A SQL injection vulnerability was found in TaxonWorks that allowed authenticated attackers to extract arbitrary data from the TaxonWorks database (including the user table).

A reflected XSS vulnerability and a CORS issue are present on the tamagui website, tamagui.dev. These vulnerabilities may allow an attacker to leak the cookies of users, and thus impersonate users on the website.

The home-assistant/actions helpers/version workflow is vulnerable to a command injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.

Whoogle-search is vulnerable to Server-Side Request Forgery (SSRFs), Cross-Site Scripting (XSS) and a limited file write vulnerability.

The tj-actions/verify-changed-files workflow allows for command injection in changed filenames, potentially allowing an attacker to leak secrets.

The tj-actions/changed-files workflow allows for command injection in changed filenames, allowing an attacker to execute arbitrary code and potentially leak secrets.

Nginx-UI is a web interface to manage Nginx configurations. It is vulnerable to arbitrary command execution by abusing the configuration settings, and is also vulnerable to SQL injection.

Audiobookshelf is vulnerable to blind server-side request forgery (SSRF) vulnerabilities.

Dtale 3.8.1 is vulnerable to server-side request forgery (SSRF) vulnerability.

MkDocs is vulnerable to an unsafe deserialization when parsing configuration files.

Medusa contains two unauthenticated blind server-side request forgery (SSRF) vulnerabilities.

Three vulnerabilities that can be exploited by unauthenticated users were found in MindsDB: a Server-side request forgery (SSRF) vulnerability, an arbitrary file write vulnerability and a limited file write vulnerability.

Finding five CVEs in usage of the Java TrustManager and HostnameVerifier classes.

Bazarr is vulnerable to unauthenticated arbitrary file reads in two endpoints and a blind server-side request forgery (SSRF).

Two reflected Cross-Site Scripting (XSS) vulnerabilities exist in scrypted that may allow an attacker to impersonate any user who clicks on specially crafted links. In the worst case, an attacker may be able to impersonate an administrator and run arbitrary commands.

Audiobookshelf is vulnerable to server-side request forgery (SSRF), arbitrary file read (AFR) and arbitrary file deletion (AFD) depending on the permissions of the user.

A user with administrator permissions is able to run arbitrary code on the jellyfin server via the /System/MediaEncoder/Path endpoint.

Unsafe deserialization, Reflected XSS, Cross-site request forgery, and Cross-site scripting vulnerabilities found in Frigate.

Two Tar Slip vulnerabilities were found in Autolab. Those vulnerabilities could have allowed attackers to create or replace files on the file system that in the worst case could have been executed by the application or system itself.

Two vulnerabilities were found in Autolab: File disclosure due to path traversal (GHSL-2022-100) and Authenticated Remote Code Execution (GHSL-2022-124).

A server-side request forgery (SSRF), which can only be exploited by authenticated users, was found in Posthog.

Nocodb contains SQL injection vulnerability, that allows an authenticated attacker with creator access to query the underlying database.

Stash repository is vulnerable to an Actions command injection in e2e.yml.

Attackers may be able to connect to the server and provide malicious serialized objects that, once deserialized, force it to execute arbitrary code.

An arbitrary file read exists in the /api/Image/WithPath endpoint that would allow unauthenticated attackers to read arbitrary files on Windows systems.

Redisson is a Java Redis client that uses the Netty framework. Some of the messages received from the Redis server contain Java objects that the client deserializes without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running in.

Common Voice is vulnerable to Cross-Site Scripting (XSS).

Bitbucket Push and Pull Request Plugin provides a webhook endpoint at /bitbucket-hook/ that can be used to trigger builds of jobs configured to use a specified repository.In Bitbucket Plugin 2.8.3 and earlier, when a build is triggered in this way, attackers can force a connection to an arbitrary URL using the configured Bitbucket credentials.

The pytorch/pytorch filter-test-configs workflow is vulnerable to an expression injection in Actions, allowing an attacker to potentially leak secrets and alter the repository using the workflow.

Pay, a payments engine for Ruby on Rails, comes with a payment info page which is susceptible to Cross-site scripting.

Decidim, a platform for digital citizen participation, is vulnerable to non-public data exfiltration.

Decidim, a platform for digital citizen participation is vulnerable to Cross-site scripting. An attacker could impersonate other users and endorse or support proposals on their behalf.

Several Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/maven-artifact-choicelistprovider-plugin allow the leak of sensitive credentials to an attacker-controlled server.

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/servicenow-devops-plugin allows the leak of sensitive credentials to an attacker-controlled server.

A CSRF/SSRF vulnerability in jenkinsci/blueocean-plugin allows the leak of sensitive credentials (including GitHub credentials) to an attacker-controlled server.

If an authenticated user using CasaOS is able to successfully connect to a controlled SMB server, they are able to execute arbitrary commands.

Potential injection from the github.event.comment.body context, which may be controlled by an external user.

Attackers can use an improper SAML signature validation to impersonate any OpenAM user, including the administrator.

TDesign Vue Next repository is vulnerable to an Actions command injection in auto-release.yml.

Jenkins MathWorks Polyspace Plugin 1.0.5 and earlier does not restrict a file path in a job parameter, allowing attackers with the Job/Configure permission to exfiltrate arbitrary files from the Jenkins controller by sending them in an email notification.

A Server-Side Request Forgery (SSRF) vulnerability was found in the miniorange-saml-sp-plugin. The vulnerability resides in the org.miniorange.saml.MoSAMLAddIdp#doValidateMetadataUrl method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.

A Server-Side Request Forgery (SSRF) vulnerability was found in the benchmark-evaluator-plugin. The vulnerability resides in the io.jenkins.plugins.benchmark.BenchmarkBuilder#doCheckFilepath method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.

A Server-Side Request Forgery (SSRF) vulnerability was found in the sumologic-publisher-plugin. The vulnerability resides in the com.sumologic.jenkins.jenkinssumologicplugin.PluginDescriptorImpl#doTestURL method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/elasticbox-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the endpointUrl parameter in multiple web methods such as SlaveConfiguration$DescriptorImpl#doGetInstances. These methods read arbitrary credentials from the credentials storage using hardcoded ACL.System permission and send them to attacker-controlled servers.

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/datadog-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the targetApiURL parameter in the DatadogGlobalConfiguration#doTestConnection. These methods read arbitrary credentials from the credentials storage using hardcoded ACL.System permission and send them to attacker-controlled servers.

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/macstadium-orka-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the orkaEndpoint parameter in the OrkaAgent#doFillNodeItems. This method hardcodes an ACL.System access to the credentials storage and leak the secrets to attacker-controlled servers.

Several Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/mabl-integration-plugin allow the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the apiBaseUrl parameter in the MablStepBuilder#doFillEnvironmentIdItems, MablStepBuilder#doFillApplicationIdItem and MablStepBuilder#doValidateForm. These methods use the ACL.System permission to access the credentials storage and can be abused to leak arbitrary secrets to attacker-controlled servers.

A Cross-Site Request Forgery (CSRF) and a Server-Side Request Forgery (SSRF) vulnerabilities in jenkinsci/pipeline-restful-api-plugin may allow an attacker to retrieve a token to impersonate its victim.

A Server-Side Request Forgery (SSRF) vulnerability was found in the test-results-aggregator-plugin. The vulnerability resides in the com.jenkins.testresultsaggregator.TestResultsAggregator#doTestApiConnection method and can be exploited without authentication. An attacker can leverage this vulnerability to send requests to arbitrary hosts.

Jenkins External Monitor Job Plugin 203.v683c09d993b_9 and earlier does not configure its XML parser to prevent XML external entity (XXE) attacks. This allows authenticated attackers with Job Build permissions to send specific HTTP requests that force Jenkins to download and parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller or server-side request forgery.

Gradle 8.1.1 does not ensure that paths constructed from TAR archive entries are validated. This allows attackers who are able to manipulate a TAR file which is unpacked by a Gradle script to overwrite arbitrary files. It also allows attackers who are able to manipulate a TAR file which is read by a Gradle script to read arbitrary files.

The Aerospike Java client is a Java application that implements a network protocol to communicate with an Aerospike server. Some of the messages received from the server contain Java objects that the client deserializes when it encounters them without further validation. Attackers that manage to trick clients into communicating with a malicious server can include especially crafted objects in its responses that, once deserialized by the client, force it to execute arbitrary code. This can be abused to take control of the machine the client is running on.

The jellyfin/jellyfin repository is vulnerable to a command injection in Actions, allowing an attacker to take over the GitHub Actions runner and leak secrets.

Apache Doris repository is vulnerable to a Command Injection in the CI workflow auto_trigger_teamcity.yml.

A stored Cross-Site Scripting (XSS) vulnerability was found in the template-workflows-plugin project.

The winglang/wing repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.

The textualize/rich repository is vulnerable to a command injection in Actions.

The hashicorp/terraform-cdk repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.

The zcash/zcash repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.

The iluwatar/java-design-patterns repository is vulnerable to a command injection in Actions, allowing an attacker to take over the contents of the repository and leak secrets.

A stored Cross-Site Scripting (XSS) vulnerability was found in the maven-repository-plugin project.

Multiple reflected Cross-Site Scripting (XSS) were found in the Jenkins Sonargraph integration plugin

A Server-Side Request Forgery (SSRF) vulnerability in jenkinsci/dimensionsscm-plugin allows the leak of sensitive credentials to an attacker-controlled server. The issue arises from a lack of proper input validation/sanitization of the dimensionsscm.serverPlugin parameter in the DimensionsScm#doCheckServerConfig method and the ACL.System access to the credentials storage.

AWS CodeCommit Trigger Jenkins Plugin 3.0.12 and earlier does not restrict a file name path parameter in an HTTP endpoint, allowing authenticated attackers to read arbitrary files on the Jenkins controller file system.

Blind SQL injections are present in rudderlabs/rudder-server that allows unauthenticated users to achieve Remote Code Execution.

SRS's 'api-server' server is vulnerable to a drive-by command injection.

The Omni-Notes Android app has an insufficient path validation vulnerability when displaying the details of a note received through an externally-provided intent. The paths of the note's attachments are not properly validated, allowing malicious or compromised applications on the same device to force Omni-notes to copy files from its internal storage to its external storage directory, where they become accessible to any component with permission to read the external storage.

Ombi, an application that allows users to request specific media from popular self-hosted streaming servers, contains a vulnerability that allows administrators to read arbitrary files on the Ombi host.

Brook's tproxy server is vulnerable to a drive-by command injection.

Apache Cloudstack is vulnerable to a Command Injection in sonar-check.yml.

Jenkins File Parameters Plugin 285.v757c5b_67a_c25 and earlier does not restrict a file path in a job parameter, allowing attackers with the Job/Configure permission to upload arbitrary files to the Jenkins controller.

Sidebar Link Plug-in for Jenkins 2.2.1 and earlier does not restrict a file path parameter in an HTTP endpoint, allowing authenticated attackers to enumerate arbitrary files on the Jenkins controller file system.

A Server-Side Request Forgery (SSRF) vulnerability was found in the AppSpider Jenkins plugin. An unauthenticated attacker can leverage this vulnerability to send requests to arbitrary hosts.

Several Server-Side Request Forgery (SSRF) vulnerabilities were found in the Codedx Jenkins plugin. An unauthenticated attacker can leverage this vulnerabilities to send requests to arbitrary hosts.

Jenkins Pipeline Utility Steps Plugin 2.15.1 and earlier allows attackers able to manipulate a TAR or ZIP file extracted by the plugin to create or replace any file on the file system.

Authenticated attackers can send specific HTTP requests that force Jenkins to download and parse a crafted file that uses external entities for extraction of secrets from the Jenkins controller, as well as server-side request forgery.

SQLparse has a ReDoS (regular expression denial of service) in the parser for SQL expressions.

The Archery project contains multiple SQL injection vulnerabilities, that may allow an attacker to query the connected databases.

React Native OneSignal SDK repository is vulnerable to a Command Injection in Zapier.yml.

Cocos Engine is vulnerable to a Command Injection in web-interface-check.yml.

GeoNode is vulnerable to an XML External Entity (XXE) injection in the style upload functionality of GeoServer leading to Arbitrary File Read.

The encode_file method may lead to remote code execution if invoked with untrusted user-controlled data.

validators contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

textacy contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

OWSLib does not disable entity resolution for XML parsing, leading to XML External Entities (XXE) injection.

Metersphere is vulnerable to Server-Side Request Forgery and Path Injection.

On 32 bit systems, an arithmetic overflow present in allocate_structures can be triggered when displaying activity data files and may lead to a variety of exploit primitives due to an incorrectly sized buffer.

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The Arches project contains multiple blind SQL injection vulnerabilities, that allow an attacker to query the underlying database.

codex-team/editor.js is vulnerable to XSS attacks when copy/pasting specially crafted input into the editor.

A denial of service vulnerability existed in Fat Free CRM where an authenticated attacker could have prevented the web application from handling any requests.

A remote code execution (RCE) vulnerability in CircuitVerse allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.

A remote code execution (RCE) vulnerability in the Arvados Workbench allowed authenticated attackers to execute arbitrary code via specially crafted JSON payloads.

A malicious or compromised application in the same device could force Tasks.org to copy files from its internal storage to the external storage directory, where they become accessible to any component with permission to read the external storage.

Nepxion/Discovery is vulnerable to SpEL Injection in discovery-commons and a potential SSRF in discovery-plugin-admin-center.

Jodit Editor 3 is vulnerable to XSS attacks when pasting specially constructed input.

Apache OFBiz up to version 18.12.05 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles URLs provided by external, unauthenticated users. Specially crafted URLs may cause catastrophic backtracking, taking exponential time to complete.

The nhn/tui.grid component is vulnerable to XSS attacks when pasting specially crafted content into editable cells.

The Azure SDK for Java up to version 1.5.0-beta2 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it validates tenant IDs. Specially crafted IDs may cause catastrophic backtracking, taking exponential time to complete.

Apache Ignite up to version 2.12.0 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles table names when requesting primary keys through its JDBC driver. Specially crafted table names may cause catastrophic backtracking, taking exponential time to complete.

Apache Tapestry up to version 5.8.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles Content Types. Specially crafted Content Types may cause catastrophic backtracking, taking exponential time to complete.

Apache Tika up to version 1.28.1 is vulnerable to Regular Expression Denial of Service (ReDoS) in the way it handles standard references in text files. Specially crafted files may cause catastrophic backtracking, taking exponential time to complete.

Deserialization of untrusted data allows for Server Side Request Forgery (SSRF) or arbitrary file truncation.

An exponential ReDoS (Regular Expression Denial of Service) can be triggered in the jquery-validation npm package, when an attacker is able to supply arbitrary input to the url2 method

The WordPress for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in WordPress for Android.

Dependency Parser contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

Copy-paste XSS in Microweber text editor

medium.js is prone to XSS when handling untrusted placeholder values.

Bad HTML sanitization in htmleditor.js may lead to cross-site scripting (XSS) issues.

The esdoc-publish-html-plugin HTML sanitizer can be bypassed which may lead to cross-site scripting (XSS) issues.

Copy-paste XSS in vditor text editor

Copy-paste XSS in textAngular text editor

There exists a command injection in the react-dev-utils npm package, which is a part of Facebook's facebook/create-react-app repository.

The Nextcloud Android app uses content providers to manage its data. The providers FileContentProvider and DiskLruImageCacheFileProvider have security issues (an SQL injection, and an insufficient permission control, respectively) that allow malicious apps in the same device to access Nextcloud's data bypassing the permission control system.

The Nextcloud News for Android app has a security issue by which a malicious application installed on the same device can send it an arbitrary Intent that gets reflected back, unintentionally giving read and write access to non-exported Content Providers in Nextcloud News for Android.

A user of the system can provide a specifically crafted search query string that will trigger a ReDoS vulnerability.

SentinelLabs discovered a heap overflow vulnerability in the TIPC module of the Linux Kernel.

parser_apache2 plugin in Fluentd v0.14.14 to v1.14.1 suffers from a regular expression denial of service (ReDoS) vulnerability. A broken apache log with a certain pattern of string can spend too much time in a regular expression, resulting in the potential for a DoS attack.

Zulip contains a regular expression that is vulnerable to ReDoS (Regular Expression Denial of Service).

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

Writing a query to find clipboard-based XSS bugs.

Emby Server allows unauthenticated file read.

Finding 4 CVEs with CodeQL

A user of the system can post a message on a forum containing a specifically crafted string that will trigger a ReDoS vulnerability.

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

Multiple vulnerabilities have been found in Apache Dubbo enabling attackers to compromise and run arbitrary system commands on both Dubbo consumers and providers.

A Path Injection issue was found in django that allows a malicious admin user to disclose the presence of files on the file-system if the module django.contrib.admindocs is enabled.

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

Dangerous usage of the template rendering API may lead to Cross Site Scripting (XSS), file disclosure, and Remote Code Execution (RCE).

node-notifier recently addressed a command injection vulnerability with an insufficient fix, resulting in command injection through malicious input still being possible.

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

A Command Injection vulnerability has been found in Open Modeling Framework (OMF)

A reflected Cross-Site scripting (XSS) vulnerability has been found in analytics-quarry-web

Jellyfin allows unauthenticated arbitrary file read.

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The project contains one or more regular expressions that are vulnerable to ReDoS (Regular Expression Denial of Service)

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.

The unsafe handling of symbolic links in an unpacking routine may enable attackers to read and/or write to arbitrary locations outside the designated target folder.

Variant analysis of the Sequoia bug discovered by the Qualys Research team, identified by CVE-2021-33909.

A Template Injection was identified in Cron-Utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability

A Server-Side Template Injection was identified in Corona Warn App Server enabling attackers to inject arbitrary Java EL expressions, leading to un-auth Remote Code Execution (RCE) vulnerability

Although code execution is part of the intended purpose of Opener, a crafted url can run an arbitrary shell command rather than just launching a browser.

There exists an `Open URL redirect` vulnerability in the 1.x.x branch of Orange Forum. An attacker can send an Orange Forum user a crafted link targeting the login page of Orange Forum, redirecting to a malicious site.

The `upload` method has a command injection vulnerability. Clients of the `codecov-node` library are unlikely to be aware of this, so they might unwittingly write code that contains a vulnerability.

Apache Camel FreeMarker, Velocity, MVEL and Moustache components are vulnerable to Server-Side Template Injection (SSTI) leading to Remote Code Execution (RCE) or Arbitrary File Disclosure.

Apache OfBiz is vulnerable to pre-auth Remote Code Execution (RCE) via unsafe deserialization.

Apache OfBiz is vulnerable to Reflected Cross-Site Scripting through POST request

The GitHub Security Lab team has identified several potential security vulnerabilities in Apache Syncope, including RCE and XSS.

The GitHub Security Labs team has identified a Server-Side template injection vulnerability in Apache Syncope, which leads to RCE.

By exploiting an open redirect vulnerability, an attacker could potentially redirect a victim to any arbitrary URL and access their OAUTH token.

Server-Side Template Injection in Dropwizard leading to Remote Code Execution (RCE).

High privileged users can bypass the existing mitigations and inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.

It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.

It is possible for a user with the right permissions to execute arbitrary groovy or javascript scripts resulting in remote code execution.

High privileged users can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.

An attacker with elevated privileges can create content selectors with a specially crafted name using the REST API, which when viewed by another user can execute arbitrary JavaScript in the context of the NXRM application.

Attackers can inject arbitrary Java EL expressions in Nexus Repository Manager, leading to a Remote Code Execution (RCE) vulnerability.

A Server-Side Template Injection was identified in Netflix Titus enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.

A Server-Side Template Injection was identified in Netflix Conductor enabling attackers to inject arbitrary Java EL expressions, leading to a pre-auth Remote Code Execution (RCE) vulnerability.