Browse and filter security vulnerabilities across ecosystems
Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses
actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow
CVE-2026-34243
wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`
CVE-2026-33634
Trivy ecosystem supply chain was briefly compromised
Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow
CVE-2026-32947
Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)
CVE-2026-32946
Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)
CVE-2026-31976
xygeni-action v5 tag poisoned with C2 backdoor
CVE-2026-31900
Black's vulnerable version parsing leads to RCE in GitHub Action
CVE-2026-26189
Trivy Action has a script injection via sourced env file in composite action
CVE-2026-25761
Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action
CVE-2026-25598
Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
j178/prek-action vulnerable to arbitrary code injection in composite action
CVE-2025-59844
Argument injection vulnerability in SonarQube Scan Action
PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
CVE-2025-58178
Command Injection via sonarqube-scan-action GitHub Action
CVE-2024-48908
lychee link checking action affected by arbitrary code injection in composite action
m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials
CVE-2025-54416
tj-actions/branch-names has a Command Injection Vulnerability
RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs