OSV - Open Source Vulnerabilities

GHSA-v53h-f6m7-xcgm

GitHub Actions/psf/black

Black's vulnerable version parsing leads to RCE in GitHub Action

3 days ago

Fix available
Severity - 8.7 (High)

GHSA-9p44-j4g5-cfx5

GitHub Actions/aquasecurity/trivy-action

Trivy Action has a script injection via sourced env file in composite action

18 Feb

Fix available
Severity - 5.9 (Medium)

GHSA-r79c-pqj3-577x

GitHub Actions/super-linter/super-linter
GitHub Actions/super-linter/super-linter/slim

Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action

09 Feb

Fix available
Severity - 8.8 (High)

GHSA-cpmj-h4f6-r6pq

GitHub Actions/step-security/harden-runner

Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier)

09 Feb

Fix available
Severity - 6.0 (Medium)

GHSA-pwf7-47c3-mfhx

GitHub Actions/j178/prek-action

j178/prek-action vulnerable to arbitrary code injection in composite action

29 Sep 2025

Fix available
Severity - 9.9 (Critical)

GHSA-5xq9-5g24-4g6f

GitHub Actions/SonarSource/sonarqube-scan-action

Argument injection vulnerability in SonarQube Scan Action

26 Sep 2025

Fix available
Severity - 7.7 (High)

GHSA-vxmw-7h4f-hqxh

GitHub Actions/pypa/gh-action-pypi-publish

PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps

04 Sep 2025

Fix available

GHSA-f79p-9c5r-xg88

GitHub Actions/SonarSource/sonarqube-scan-action

Command Injection via sonarqube-scan-action GitHub Action

02 Sep 2025

Fix available
Severity - 7.8 (High)

GHSA-65rg-554r-9j5x

GitHub Actions/lycheeverse/lychee-action

lychee link checking action affected by arbitrary code injection in composite action

28 Aug 2025

Fix available
Severity - 6.9 (Medium)

GHSA-x6gv-2rvh-qmp6

GitHub Actions/BoldestDungeon/steam-workshop-deploy
GitHub Actions/m00nl1ght-dev/steam-workshop-deploy

m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials

13 Aug 2025

Fix available
Severity - 10.0 (Critical)

GHSA-gq52-6phf-x2r6

GitHub Actions/tj-actions/branch-names

tj-actions/branch-names has a Command Injection Vulnerability

25 Jul 2025

Fix available
Severity - 9.1 (Critical)

GHSA-c5qx-p38x-qf5w

GitHub Actions/RageAgainstThePixel/setup-steamcmd

RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs

21 Jul 2025

Fix available
Severity - 8.7 (High)

GHSA-mj96-mh85-r574

GitHub Actions/buildalon/setup-steamcmd

buildalon/setup-steamcmd leaked authentication token in job output logs

21 Jul 2025

Fix available
Severity - 8.7 (High)

GHSA-phf6-hm3h-x8qp

GitHub Actions/broadinstitute/cromwell

Cromwell GitHub Actions Secrets exfiltration via `Issue_comment`

28 May 2025

Fix available
Severity - 9.1 (Critical)

GHSA-m32f-fjw2-37v3

GitHub Actions/bullfrogsec/bullfrog

Bullfrog's DNS over TCP bypasses domain filtering

15 May 2025

Fix available
Severity - 6.2 (Medium)

GHSA-2487-9f55-2vg9

GitHub Actions/OZI-Project/publish

OZI-Project/ozi-publish Code Injection vulnerability

12 May 2025

Fix available
Severity - 6.3 (Medium)

Load more...(2 pages left)