Security Advisories in actions
| Severity | Published | Advisory | Ecosystem | Package(s) |
| --- | --- | --- | --- | --- |
| Moderate | 11 days ago | Setup PHP: GitHub tokens configured by setup-php may be exposed through pinned affected Composer versions | actions | shivammathur/setup-php |
| Moderate | 11 days ago | Setup PHP: Command Injection in Repository-Derived PHP Version Resolution | actions | shivammathur/setup-php |
| Critical | about 1 month ago | Gemini CLI: Remote Code Execution via workspace trust and tool allowlisting bypasses | actions, npm | google-github-actions/run-gemini-cli, @google/gemini-cli |
| Moderate | about 2 months ago | actions-mkdocs: Command Injection via issue title in internal GitHub Actions workflow | actions | Tiryoh/actions-mkdocs |
| Critical | 2 months ago | wenxian: Command Injection in GitHub Actions Workflow via `issue_comment.body` | actions | njzjz/wenxian |
| Critical | 2 months ago | Trivy ecosystem supply chain was briefly compromised | actions, go | aquasecurity/setup-trivy, aquasecurity/trivy-action, github.com/aquasecurity/trivy |
| Critical | 2 months ago | Zen-AI-Pentest has Shell Injection via untrusted issue title in ZenClaw Discord Integration workflow | actions | SHAdd0WTAka/Zen-Ai-Pentest |
| Moderate | 2 months ago | Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier) | actions | step-security/harden-runner |
| Moderate | 2 months ago | Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier) | actions | step-security/harden-runner |
| High | 3 months ago | Black's vulnerable version parsing leads to RCE in GitHub Action | actions | psf/black |
| Moderate | 3 months ago | Trivy Action has a script injection via sourced env file in composite action | actions | aquasecurity/trivy-action |
| High | 4 months ago | Super-linter is vulnerable to command injection via crafted filenames in Super-linter Action | actions | super-linter/super-linter/slim, super-linter/super-linter |
| Moderate | 4 months ago | Harden-Runner: Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier) | actions | step-security/harden-runner |
| Critical | 8 months ago | j178/prek-action vulnerable to arbitrary code injection in composite action | actions | j178/prek-action |
| High | 8 months ago | Argument injection vulnerability in SonarQube Scan Action | actions | SonarSource/sonarqube-scan-action |
| Low | 9 months ago | PyPI publish GitHub Action vulnerable to injectable expression expansions in action steps | actions | pypa/gh-action-pypi-publish |
| High | 9 months ago | Command Injection via sonarqube-scan-action GitHub Action | actions | SonarSource/sonarqube-scan-action |
| Moderate | 9 months ago | lychee link checking action affected by arbitrary code injection in composite action | actions | lycheeverse/lychee-action |
| Critical | 10 months ago | m00nl1ght-dev/steam-workshop-deploy: Exposure of Version-Control Repository to an Unauthorized Control Sphere and Insufficiently Protected Credentials | actions | BoldestDungeon/steam-workshop-deploy, m00nl1ght-dev/steam-workshop-deploy |
| Critical | 10 months ago | tj-actions/branch-names has a Command Injection Vulnerability | actions | tj-actions/branch-names |
| High | 10 months ago | RageAgainstThePixel/setup-steamcmd leaked authentication token in job output logs | actions | RageAgainstThePixel/setup-steamcmd |
| High | 10 months ago | buildalon/setup-steamcmd leaked authentication token in job output logs | actions | buildalon/setup-steamcmd |
| Critical | about 1 year ago | Cromwell GitHub Actions Secrets exfiltration via `Issue_comment` | actions | broadinstitute/cromwell |
| Moderate | about 1 year ago | Bullfrog's DNS over TCP bypasses domain filtering | actions | bullfrogsec/bullfrog |
| Moderate | about 1 year ago | OZI-Project/ozi-publish Code Injection vulnerability | actions | OZI-Project/publish |
| Moderate | about 1 year ago | Harden-Runner allows evasion of 'disable-sudo' policy | actions | step-security/harden-runner |
| High | about 1 year ago | canonical/get-workflow-version-action can leak a partial GITHUB_TOKEN in exception output | actions | canonical/get-workflow-version-action |
| High | about 1 year ago | Multiple Reviewdog actions were compromised during a specific time period | actions | reviewdog/action-setup |
| High | about 1 year ago | tj-actions changed-files through 45.0.7 allows remote attackers to discover secrets by reading actions logs | actions | tj-actions/changed-files |
| High | over 1 year ago | Artifact poisoning vulnerability in action-download-artifact v5 and earlier | actions | dawidd6/action-download-artifact |
| Low | over 1 year ago | Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts` | actions | step-security/harden-runner |
| High | over 1 year ago | @actions/download-artifact has an Arbitrary File Write via artifact extraction | actions | actions/download-artifact |
| High | almost 2 years ago | GitHub Actions Script Injection in `ultralytics/actions` | actions | ultralytics/actions |
| Moderate | almost 2 years ago | fish-shop/syntax-check Improper Neutralization of Delimiters | actions | fish-shop/syntax-check |
| Moderate | over 2 years ago | github-slug-action use of `set-env` Runner commands which are processed via stdout | actions | rlespinasse/github-slug-action |
| High | over 2 years ago | Potential Actions command injection in output filenames (GHSL-2023-275) | actions | tj-actions/verify-changed-files |
| High | over 2 years ago | tj-actions/changed-files has Potential Actions command injection in output filenames (GHSL-2023-271) | actions | tj-actions/changed-files |
| Critical | over 2 years ago | memory overflow vulnerability in OpenEXR-viewer | actions | afichet/openexr-viewer |
| Critical | over 2 years ago | tj-actions/branch-names's Improper Sanitization of Branch Name Leads to Arbitrary Code Injection | actions | tj-actions/branch-names |
| Moderate | over 2 years ago | Actions expression injection in `filter-test-configs` (`GHSL-2023-181`) | actions | https://github.com/pytorch/pytorch/.github/actions/filter-test-configs |
| High | about 3 years ago | Data written to GitHub Actions Cache may expose secrets | actions | gradle/gradle-build-action |
| High | about 3 years ago | github-slug-action vulnerable to arbitrary code execution | actions | rlespinasse/github-slug-action |
| Low | about 3 years ago | Azure/setup-kubectl: Escalation of privilege vulnerability for v3 and lower | actions | Azure/setup-kubectl |
| High | over 3 years ago | run-terraform allows for RCE via terraform plan | actions | kartverket/github-workflows |
| Critical | over 3 years ago | gajira-create GitHub action vulnerable to arbitrary code execution | actions | atlassian/gajira-create |
| Moderate | over 3 years ago | ghas-to-csv vulnerable to Improper Neutralization of Formula Elements in a CSV File | actions | some-natalie/ghas-to-csv |
| Critical | almost 4 years ago | check-spelling workflow vulnerable to token leakage via symlink attack | actions | check-spelling/check-spelling |
| High | about 4 years ago | Vault GitHub Action did not correctly mask multi-line secrets in output | actions | hashicorp/vault-action |
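A large share of the advisories above (actions-mkdocs, wenxian, Zen-AI-Pentest, Cromwell, ultralytics/actions, tj-actions/branch-names, the pytorch filter-test-configs entry, and the "expression expansions" entries) are the same defect: a `${{ ... }}` expression carrying text that an outside contributor controls (issue title or body, comment body, branch name, commit message) is expanded by the runner straight into a `run:` script before the shell sees it, so the event author's text becomes shell. The scanner below is an added example written for this page; it is not code from the advisory database or from any project listed above. It is a line-oriented heuristic that reports such expansions inside `run:` scripts, and the two workflow snippets it checks are constructed for the example. The list of untrusted contexts is an assumption drawn from GitHub's Actions hardening guidance and is not exhaustive; real scanners such as zizmor or actionlint do a fuller job.

```python
import re

# Expression contexts that the author of the triggering event controls (issue,
# PR and comment text, branch names, commit messages). Assumption drawn from
# GitHub's Actions hardening guidance; not from the advisory page, not exhaustive.
UNTRUSTED_CONTEXTS = [
    r"github\.event\.issue\.(title|body)",
    r"github\.event\.comment\.body",
    r"github\.event\.review\.body",
    r"github\.event\.review_comment\.body",
    r"github\.event\.discussion\.(title|body)",
    r"github\.event\.pull_request\.(title|body)",
    r"github\.event\.pull_request\.head\.(ref|label)",
    r"github\.event\.pull_request\.head\.repo\.default_branch",
    r"github\.event\.pages[^}]*\.page_name",
    r"github\.event\.commits[^}]*\.(message|author\.(email|name))",
    r"github\.event\.head_commit\.(message|author\.(email|name))",
    r"github\.head_ref",
]
UNTRUSTED_RE = re.compile("|".join(UNTRUSTED_CONTEXTS))
EXPR_RE = re.compile(r"\$\{\{(.*?)\}\}")
# A `run:` key, optionally as the first key of a list item (`- run:`).
RUN_KEY_RE = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")
# `|` or `>` block scalar indicator, with optional chomping/indent hints.
BLOCK_SCALAR_RE = re.compile(r"^[|>][-+0-9]*\s*(?:#.*)?$")


def _indent(line):
    return len(line) - len(line.lstrip(" "))


def _scan(lineno, text):
    """Return (lineno, expression) for each untrusted expansion in text."""
    hits = []
    for m in EXPR_RE.finditer(text):
        expr = m.group(1).strip()
        if UNTRUSTED_RE.search(expr):
            hits.append((lineno, expr))
    return hits


def find_run_injections(workflow_text):
    """Report untrusted ${{ }} expansions that land inside a `run:` script.

    Values set under `env:` are deliberately not reported: the runner hands
    them to the shell as environment data, not as script text, which is the
    fix GitHub recommends for this bug class.
    """
    findings = []
    block_indent = None  # column of the `run` key while inside `run: |` / `run: >`
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        if block_indent is not None:
            if not line.strip() or _indent(line) > block_indent:
                findings.extend(_scan(lineno, line))
                continue
            block_indent = None  # dedent ends the block scalar
        m = RUN_KEY_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        if BLOCK_SCALAR_RE.match(value):
            block_indent = len(line) - len(line.lstrip(" -"))
        else:
            findings.extend(_scan(lineno, value))
    return findings


# Constructed sample: an issue-triage workflow that pastes issue text into shell.
VULNERABLE_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Announce
        run: echo "New issue: ${{ github.event.issue.title }}"
      - name: Label
        run: |
          gh issue edit ${{ github.event.issue.number }} --add-label triage
          echo "Body was: ${{ github.event.issue.body }}"
"""

# Constructed sample: the same workflow with the untrusted values moved into
# `env:` and referenced as quoted shell variables inside the script.
HARDENED_WORKFLOW = """\
name: triage
on:
  issues:
    types: [opened]
jobs:
  triage:
    runs-on: ubuntu-latest
    steps:
      - name: Announce
        env:
          TITLE: ${{ github.event.issue.title }}
        run: echo "New issue: $TITLE"
      - name: Label
        env:
          BODY: ${{ github.event.issue.body }}
        run: |
          gh issue edit "${{ github.event.issue.number }}" --add-label triage
          echo "Body was: $BODY"
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        hits = find_run_injections(text)
        print(f"{label}: {len(hits)} finding(s)")
        for lineno, expr in hits:
            print(f"  line {lineno}: ${{{{ {expr} }}}} expanded inside run:")
```

Two caveats a practitioner would want. First, `env:` indirection only stops the runner from splicing text into the script; the value still reaches the command as data, so it must be quoted (`"$TITLE"`, not `$TITLE`) or it is subject to word splitting and globbing. Second, `run:` is not the only sink: several entries above (prek-action, lychee-action, trivy-action, the PyPI publish action) are expansions inside composite-action steps or `with:` inputs, and `actions/github-script` expands expressions into JavaScript; this heuristic does not look at any of those.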