github actions

Top products

The 15 most recently published vulnerabilities affecting github actions.

• CVE-2026-31976xygeni-action v5 tag poisoned with C2 backdoor9.8Mar 11, 2026
• CVE-2026-31900Black's vulnerable version parsing leads to RCE in GitHub Action9.8Mar 11, 2026
• CVE-2026-26189Trivy Action has a script injection via sourced env file in composite action5.9Feb 19, 2026
• CVE-2026-25761Command injection via crafted filenames in Super-linter Action8.8Feb 9, 2026
• CVE-2026-25598Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)5.3Feb 9, 2026
• CVE-2025-58178Command Injection via sonarqube-scan-action GitHub Action7.8Sep 2, 2025
• CVE-2025-54416tj-actions/branch-names Contains Command Injection Vulnerability9.1Jul 26, 2025
• CVE-2025-47775Bullfrog's DNS over TCP bypasses domain filtering6.2May 14, 2025
• CVE-2025-32955Harden-Runner Evasion of 'disable-sudo' policy6.0Apr 21, 2025
• CVE-2025-31479canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output8.2Apr 2, 2025
• CVE-2025-30154Multiple Reviewdog actions were compromised during a specific time periodKEV8.6Mar 19, 2025
• CVE-2025-30066tj-actions changed-files before 46 allows remote attackers to discover secrets by reading actions logs. (The tags v1 through v45.0.7 were affected on 2025-03-14 and 2025-03-15 because they were mod...KEV8.6Mar 15, 2025
• CVE-2024-52587Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts`8.8Nov 18, 2024
• CVE-2024-42482fish-shop/syntax-check Improper Neutralization of Delimiters4.8Aug 12, 2024
• CVE-2023-52137GitHub Action tj-actions/verify-changed-files is vulnerable to command injection in output filenames7.7Dec 29, 2023