GitHub Advisory Database
Security vulnerability database inclusive of CVEs and GitHub originated security advisories from the world of open source software.
54 advisories
githubtoplanguages: Command Injection via Issue Title in Discord Notification Workflow
High | GHSA-c3xh-98xp-6qhf | published for gouef/githubtoplanguages (GitHub Actions)

Claude Code Action: Malicious MCP Server Configuration in PRs Enables Remote Code Execution and Secret Exfiltration
Moderate | CVE-2026-47751 | published for anthropics/claude-code-action (GitHub Actions)

Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions
Moderate | GHSA-5wxr-w449-57cm | published for shivammathur/setup-php (GitHub Actions)

Setup PHP: Command Injection in Repository-Derived PHP Version Resolution
Moderate | CVE-2026-46420 | published for shivammathur/setup-php (GitHub Actions)

Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses
Critical | GHSA-wpqr-6v78-jr5g | published for @google/gemini-cli (GitHub Actions)

actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow
Moderate | GHSA-6p2j-742g-835f | published for Tiryoh/actions-mkdocs (GitHub Actions)

wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body`
Critical | CVE-2026-34243 | published for njzjz/wenxian (GitHub Actions)

Trivy ecosystem supply chain was briefly compromised
Critical | CVE-2026-33634 | published for aquasecurity/setup-trivy (GitHub Actions)

Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow
Critical | GHSA-f67f-hcr6-94mf | published for SHAdd0WTAka/Zen-Ai-Pentest (GitHub Actions)

Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier)
Moderate | CVE-2026-32947 | published for step-security/harden-runner (GitHub Actions)

Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier)
Moderate | CVE-2026-32946 | published for step-security/harden-runner (GitHub Actions)

xygeni-action v5 tag poisoned with C2 backdoor
Critical | CVE-2026-31976 | published for xygeni/xygeni-action (GitHub Actions)

Black's vulnerable version parsing leads to RCE in GitHub Action
High | CVE-2026-31900 | published for psf/black (GitHub Actions)

Trivy Action has a script injection via sourced env file in composite action
Moderate | CVE-2026-26189 | published for aquasecurity/trivy-action (GitHub Actions)

Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action
High | CVE-2026-25761 | published for super-linter/super-linter (GitHub Actions)

Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)
Moderate | CVE-2026-25598 | published for step-security/harden-runner (GitHub Actions)

j178/prek-action vulnerable to arbitrary code injection in composite action
Critical | GHSA-pwf7-47c3-mfhx | published for j178/prek-action (GitHub Actions)

Argument injection vulnerability in SonarQube Scan Action
High | CVE-2025-59844 | published for SonarSource/sonarqube-scan-action (GitHub Actions)

PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps
Low | GHSA-vxmw-7h4f-hqxh | published for pypa/gh-action-pypi-publish (GitHub Actions)

Command Injection via sonarqube-scan-action GitHub Action
High | CVE-2025-58178 | published for SonarSource/sonarqube-scan-action (GitHub Actions)

lychee link checking action affected by arbitrary code injection in composite action
Moderate | CVE-2024-48908 | published for lycheeverse/lychee-action (GitHub Actions)

m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials
Critical | GHSA-x6gv-2rvh-qmp6 | published for BoldestDungeon/steam-workshop-deploy (GitHub Actions)

tj-actions/branch-names has a Command Injection Vulnerability
Critical | CVE-2025-54416 | published for tj-actions/branch-names (GitHub Actions)

RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs
High | GHSA-c5qx-p38x-qf5w | published for RageAgainstThePixel/setup-steamcmd (GitHub Actions)

buildalon/setup-steamcmd leaked authentication token in job output logs
High | GHSA-mj96-mh85-r574 | published for buildalon/setup-steamcmd (GitHub Actions)
Advisories are also available from the GraphQL API.
