j178/prek-action vulnerable to arbitrary code injection in composite action

Argument injection vulnerability in SonarQube Scan Action

PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps

Command Injection via sonarqube-scan-action GitHub Action

lychee link checking action affected by arbitrary code injection in composite action

m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials

tj-actions/branch-names has a Command Injection Vulnerability

RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs

buildalon/setup-steamcmd leaked authentication token in job output logs

Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`

Bullfrog's DNS over TCP bypasses domain filtering

OZI-Project/ozi-publish Code Injection vulnerability

Harden-Runner allows evasion of 'disable-sudo' policy

canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output

Multiple Reviewdog actions were compromised during a specific time period

tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs.

GitHub PAT written to debug artifacts

Artifact poisoning vulnerability in action-download-artifact v5 and earlier

Harden-Runner has a command injection weaknesses in `setup.ts` and `arc-runner.ts`

@actions/download-artifact has an Arbitrary File Write via artifact extraction