The Lab · 2026-03-25 09:27:10 · GitHub Issues
A critical security contact channel for the Woodpecker CI project is broken. A security researcher attempting to follow the project's official responsible disclosure policy found that emails to `[email protected]` are being rejected by the mail server with a "Refused by local policy. No SPAM please!" error. Th...
The Lab · 2026-03-25 12:27:23 · GitHub Issues
A potential script injection vulnerability (INJ-001) was found in the GitHub Actions workflows of the open-source container security tool Kubescape. An automated penetration-testing agent originally rated it "High", but subsequent validation downgraded it to "Low", and the process exposes a key blind spot in open-source security assessment. The finding concerns the handling of untrusted inputs such as `github.refname`, which could in theory let an attacker inject commands and compromise the CI/CD pipeline. Validation showed, however, that every reported injection point either sits in an unused composite action (for example `tag-action`, which has no callers in the repository) or depends on an environment variable that is never defined (for example `DOCKERCMD`, which is never set), so no actually exploitable attack path exists.
The core of this finding lies in `sla...
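The triage above separates two questions: does a `run:` script interpolate an attacker-influenced context, and is that step reachable at all. As an added example (not Kubescape's code or the pentest agent's), the scanner below answers the first question over workflow YAML text and prints the sinks; the constructed sample workflow shows the vulnerable interpolation beside the hardened `env:` indirection. The list of untrusted contexts is an assumption drawn from GitHub's own script-injection guidance (the entry writes `github.refname`; the actual context property is `github.ref_name`).

```javascript
// Added example: find `${{ ... }}` expressions that put attacker-influenced
// context values directly inside `run:` scripts of a GitHub Actions workflow.
// Not Kubescape's code. The untrusted-context list is an assumption based on
// GitHub's "script injection" guidance; expressions that wrap a context in a
// function (format(), toJSON()) are not unwrapped and will be missed.
const UNTRUSTED_CONTEXTS = [
  /^github\.event\.(issue|pull_request|comment|review|discussion)\.(title|body)$/,
  /^github\.event\.pull_request\.head\.(ref|label)$/,
  /^github\.event\.(head_commit|commits\.\*)\.(message|author\.(name|email))$/,
  /^github\.head_ref$/,
  /^github\.ref_name$/,        // branch or tag name chosen by whoever pushed it
  /^inputs\.[\w-]+$/,          // workflow_dispatch / composite-action inputs
];

function isUntrusted(expr) {
  return UNTRUSTED_CONTEXTS.some((re) => re.test(expr.trim()));
}

// Return every `run:` script as { line, body }. Handles the inline form
// (`run: cmd`) and block scalars (`run: |`, `run: >-`) by indentation.
function extractRunBlocks(yaml) {
  const lines = yaml.split('\n');
  const blocks = [];
  for (let i = 0; i < lines.length; i++) {
    const m = /^(\s*)(-\s+)?run:\s*(.*)$/.exec(lines[i]);
    if (!m) continue;
    const runLine = i + 1;
    const keyIndent = m[1].length + (m[2] ? m[2].length : 0);
    let body = m[3];
    if (/^[|>]/.test(body)) {
      body = '';
      let j = i + 1;
      for (; j < lines.length; j++) {
        const l = lines[j];
        if (l.trim() === '') { body += '\n'; continue; }
        if (l.match(/^\s*/)[0].length <= keyIndent) break; // block ended
        body += l + '\n';
      }
      i = j - 1;
    }
    blocks.push({ line: runLine, body });
  }
  return blocks;
}

// Report each untrusted expression found inside a run: script.
function findInjectionSinks(yaml) {
  const hits = [];
  for (const { line, body } of extractRunBlocks(yaml)) {
    const expr = /\$\{\{\s*([^}]+?)\s*\}\}/g;
    let m;
    while ((m = expr.exec(body)) !== null) {
      if (isUntrusted(m[1])) hits.push({ line, expr: m[1].trim() });
    }
  }
  return hits;
}

// Constructed sample workflow (not from Kubescape's repository).
const SAMPLE_WORKFLOW = [
  'name: ci',                                                    // 1
  'on: [push, pull_request]',                                    // 2
  'jobs:',                                                       // 3
  '  build:',                                                    // 4
  '    runs-on: ubuntu-latest',                                  // 5
  '    steps:',                                                  // 6
  '      - uses: actions/checkout@v4',                           // 7
  '      - name: Announce ref',                                  // 8
  '        run: |',                                              // 9  <- vulnerable
  '          echo "Building ${{ github.ref_name }}"',            // 10
  '          echo "PR: ${{ github.event.pull_request.title }}"', // 11
  '      - name: Announce ref (hardened)',                       // 12
  '        env:',                                                // 13
  '          REF_NAME: ${{ github.ref_name }}',                  // 14 value, not code
  '        run: echo "Building $REF_NAME"',                      // 15 shell quotes it
].join('\n');

console.log(findInjectionSinks(SAMPLE_WORKFLOW));
// line 9: github.ref_name and github.event.pull_request.title; the hardened
// step reads $REF_NAME from the environment and is not reported.
```

A hit is a sink, not a verdict: the second question from the entry, whether the composite action is ever invoked and whether the variable the step depends on is ever set, still has to be checked by hand or by a call-graph over `uses:` references.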
The Lab · 2026-03-27 00:27:14 · GitHub Issues
A critical security exposure has been identified within the DimaMend/V-Achilles GitHub repository. The project's dependency on the `latest-version-5.1.0.tgz` package introduces two known vulnerabilities, with the highest severity rated at 5.3 on the CVSS scale. Crucially, these vulnerabilities are flagged as 'reachable...
The Lab · 2026-03-27 18:27:38 · GitHub Issues
A newly identified vulnerability, CVE-2026-0994, is actively disrupting software development workflows by causing automated security scanners to block and fail critical build pipelines. This immediate operational impact signals a significant, unplanned disruption for teams relying on continuous integration and deployme...
The Lab · 2026-03-28 02:26:59 · GitHub Issues
A reachable cryptographic vulnerability has been confirmed in the main branch of the OpenBao plugins repository, exposing a critical flaw in a core security library. The govulncheck tool identified vulnerability GO-2026-4550 as "reachable," meaning the vulnerable code path is actively used within the project. This is n...
The Lab · 2026-03-28 02:27:07 · GitHub Issues
A high-severity command injection vulnerability has been identified in the Handlebars CLI precompiler, tracked as CVE-2026-33941. The flaw resides in the `bin/handlebars` and `lib/precompiler.js` components of the popular templating library. The core issue is that the precompiler concatenates user-controlled strings—sp...
The Lab · 2026-03-28 07:27:00 · GitHub Issues
A critical security infrastructure gap has been identified in GitHub repositories, particularly those serving the financial sector. While many projects maintain a formal `SECURITY.md` file, they often lack the native GitHub Security Advisory (GHSA) template and supporting features, creating a disconnect between policy ...
The Lab · 2026-03-28 14:26:58 · GitHub Issues
A critical oversight in Lernza's official security documentation is blocking private vulnerability reporting. The project's SECURITY.md file instructs researchers to "email the maintainers directly" but fails to provide any contact email address. This creates a direct path to public exposure of security flaws, as exter...
The Lab · 2026-03-29 01:26:48 · GitHub Issues
The SoroTask platform currently operates without a formal vulnerability disclosure policy, creating a critical gap in its security posture. An open issue on the project's GitHub repository explicitly calls for the establishment of a structured process for security researchers and users to report security flaws. The abs...
The Lab · 2026-03-29 20:26:56 · GitHub Issues
A severe code injection vulnerability in the popular `happy-dom` Node.js library has been disclosed, enabling attackers to achieve Remote Code Execution (RCE). The flaw, tracked as CVE-2026-33943, resides within the library's `ECMAScriptModuleCompiler` component. It allows an attacker to inject and execute arbitrary Ja...
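Both this entry and the Handlebars precompiler entry above describe the same flaw class: a code generator splices a user-controlled string into JavaScript source text and the result is later executed. The block below is an added, illustrative example of that pattern and its fix; it is not the Handlebars precompiler, not happy-dom's `ECMAScriptModuleCompiler`, and the hostile name, the `audit` callback and the registration format are constructed for the demonstration.

```javascript
// Added example of concatenation into generated JavaScript. Illustrative only;
// not code from Handlebars or happy-dom.
const COMPILED_BODY = 'function () { return "hello"; }'; // stand-in for a compiled template

// Vulnerable: the name is pasted between single quotes with no escaping.
function naiveRegistration(name, body) {
  return "templates['" + name + "'] = " + body + ';';
}

// Hardened: JSON.stringify yields a valid JS string literal for any input,
// including quotes, backslashes and newlines. (Since ES2019 / Node 12,
// U+2028 and U+2029 are legal inside string literals, so they cannot break
// out either.)
function safeRegistration(name, body) {
  return 'templates[' + JSON.stringify(name) + '] = ' + body + ';';
}

// Execute generated source in a scope exposing only `templates` and an
// `audit` callback, so an injected statement leaves visible evidence.
function evaluate(source) {
  const templates = {};
  const calls = [];
  new Function('templates', 'audit', source)(templates, (tag) => calls.push(tag));
  return { templates, calls };
}

// Constructed hostile template name: closes the string literal and the
// assignment, runs attacker code, then reopens a string so the rest parses.
const HOSTILE_NAME = "x']=0;audit('injected');templates['y";

function demo() {
  const naive = evaluate(naiveRegistration(HOSTILE_NAME, COMPILED_BODY));
  const safe = evaluate(safeRegistration(HOSTILE_NAME, COMPILED_BODY));
  return {
    naiveCalls: naive.calls,                 // ['injected']: attacker code ran
    safeCalls: safe.calls,                   // []: nothing escaped the literal
    safeKeys: Object.keys(safe.templates),   // [HOSTILE_NAME]: stored verbatim
  };
}

console.log(demo());
```

The hardened form is the only one that can be reasoned about: whatever the name contains, it reaches the generated program as data. The same rule applies to any other user-controlled fragment the generator emits (paths, identifiers, comments), each of which needs its own context-correct encoding rather than string concatenation.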
The Lab · 2026-03-30 05:26:50 · GitHub Issues
A critical security vulnerability has been patched in the widely-used Drizzle ORM library. The patch, released in version 0.45.2, addresses a SQL Injection flaw (CWE-89) within the `sql.identifier()` and `sql.as()` functions. The vulnerability stemmed from improper escaping of values passed to these functions, creating...
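Identifiers cannot go through bind parameters, so an ORM has to quote them itself, and an unescaped quote inside the value ends the identifier early. The block below is an added, illustrative example of that failure and the standard fix; it is not Drizzle's implementation of `sql.identifier()` or `sql.as()`, and it assumes PostgreSQL-style double-quoted identifiers. The hostile table name and the statement counter are constructed for the demonstration.

```javascript
// Added example of identifier-quoting injection (CWE-89). Illustrative only;
// not Drizzle's code. Assumes PostgreSQL-style "double-quoted" identifiers.

// Vulnerable: wraps the value in quotes but never escapes an embedded quote.
function naiveIdentifier(name) {
  return '"' + name + '"';
}

// Hardened: doubling every " keeps the whole value inside one identifier;
// NUL is rejected because the wire protocol cannot carry it.
function quoteIdentifier(name) {
  if (typeof name !== 'string' || name.length === 0) {
    throw new TypeError('identifier must be a non-empty string');
  }
  if (name.includes('\0')) throw new TypeError('identifier contains NUL');
  return '"' + name.replace(/"/g, '""') + '"';
}

// Builders in the style of sql.identifier() / sql.as(), parameterised on the
// quoting function so both variants can be compared.
function selectAll(quote, table) {
  return 'SELECT * FROM ' + quote(table);
}
function selectAs(quote, column, alias) {
  return 'SELECT ' + quote(column) + ' AS ' + quote(alias);
}

// Counts statements separated by `;` outside double quotes ("" inside quotes
// is the escaped form). A smoke test for breakout, not a SQL parser.
function statementCount(sql) {
  let count = 1;
  let inQuote = false;
  for (let i = 0; i < sql.length; i++) {
    const c = sql[i];
    if (c === '"') {
      if (inQuote && sql[i + 1] === '"') { i++; continue; } // escaped quote
      inQuote = !inQuote;
    } else if (c === ';' && !inQuote) {
      count++;
    }
  }
  return count;
}

// Constructed hostile value for a table or alias name.
const HOSTILE_TABLE = 'users"; DROP TABLE users--';

console.log(selectAll(naiveIdentifier, HOSTILE_TABLE));  // two statements
console.log(selectAll(quoteIdentifier, HOSTILE_TABLE));  // one statement, odd table name
console.log(selectAs(quoteIdentifier, 'id', HOSTILE_TABLE));
```

Quoting is the last line of defence, not the first: table, column and alias names should normally come from the schema definition, and a value that has to be accepted from a request is better validated against an allow-list of known identifiers before it is quoted at all.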
The Lab · 2026-03-30 05:27:05 · GitHub Issues
A newly disclosed vulnerability, CVE-2025-4690, has been flagged within the ManageIQ/manageiq-ui-classic repository, exposing a potential security flaw in a core dependency. The medium-severity issue is tied directly to the `angular-sanitize-1.8.3.tgz` library, an AngularJS module responsible for sanitizing HTML to pre...
The Lab · 2026-03-30 08:27:05 · GitHub Issues
A proposed code change for the OpenStreetMap iD Editor seeks to remove a specific folder to prevent automated security scanners from flagging a known vulnerability. The pull request explicitly targets the 'node_modules/leaflet-draw/docs/examples-0.7.x' directory, which contains an HTML file linking to an outdated and v...
The Lab · 2026-03-31 15:27:29 · GitHub Issues
A critical vulnerability in GitHub's handling of temporary directories, tracked as CVE-2025-71176, has been patched after a previous security fix was found to be insufficient. The flaw stemmed from the system following symbolic links, which could allow an attacker to manipulate the temporary directory path and potentia...
The Lab · 2026-04-01 13:27:18 · GitHub Issues
Daytona has formally integrated a vulnerability disclosure program (VDP) into its core security documentation, establishing a structured channel for external researchers to report security flaws. The program, detailed in a newly updated public `SECURITY.md` file, offers monetary rewards ranging from $100 to $1,000 for ...
The Lab · 2026-04-02 15:27:27 · GitHub Issues
A security researcher has publicly flagged a critical gap in a project's security infrastructure on GitHub, revealing that the absence of a designated Security Advisory page is blocking the responsible disclosure of identified vulnerabilities. This public callout on the project's issue tracker is not a routine bug repo...
The Lab · 2026-04-02 15:27:32 · GitHub Issues
A critical security vulnerability, designated CVE-2025-55182, has been flagged by GitHub's CodeQL analysis in the `agentapi-plusplus` repository. The automated security scanning tool Trivy triggered the alert, which remains in an open state, indicating the identified flaw has not yet been remediated. This is not a rout...
The Lab · 2026-04-04 06:26:53 · GitHub Issues
A critical security vulnerability in Keycloak, the widely-used open-source identity and access management solution, has been disclosed. The flaw, tracked as CVE-2026-4282, resides in the SingleUseObjectProvider—a global key-value store that lacks proper type and namespace isolation. This architectural weakness creates ...
The Lab · 2026-04-05 04:26:55 · GitHub Issues
The open-source dependency management tool Vis has integrated Socket.dev's security intelligence platform, adding a new layer of automated supply chain risk assessment. This integration moves beyond basic vulnerability scanning to provide real-time security scoring, threat detection, and detailed risk analysis for soft...
The Lab · 2026-04-05 16:27:09 · GitHub Issues
The open-source map rendering library Mapnik has been reported to contain a locally exploitable division-by-zero vulnerability affecting versions 4.2.0 and earlier. The flaw is located in the `mapnik::detail::mod<...>::operator` function in `src/value.cpp`; an attacker with low local privileges can trigger it, affecting the program's availability. Although the details have been publicly disclosed and the project was informed early through an issue report, Mapnik has so far issued no formal response and released no fix.
The vulnerability has been assigned CVE-2025-15564, with the CVSS 3.1 vector AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P/RL:X/RC:R. The vector indicates a local attack vector, low attack complexity, and that the required...