
CI workflow RCE disclosed in OWASP BLT GitHub Actions
CVE-2026-40316 reports a High-severity GitHub Actions workflow RCE in OWASP BLT, enabling untrusted PR code execution in privileged CI when a maintainer applies a label.

CVE-2026-39382 discloses a critical command-injection bug in dbt’s `open-issue-in-repo.yml` reusable GitHub Actions workflow, letting attackers run arbitrary shell commands in CI contexts.

CVE-2026-35580 is a Critical GitHub Actions shell injection in `emissary` workflows (<8.39.0) where workflow_dispatch inputs are interpolated directly into `run:` blocks, enabling repo poisoning and downstream compromise.

CVE-2026-33475 discloses a critical shell-injection flaw in Langflow’s GitHub Actions workflows that lets attackers run commands via branch/PR names and steal CI secrets.

Aqua says attackers used a compromised credential to publish malicious `trivy-action` and `setup-trivy` releases; any affected GitHub Actions pipeline should upgrade and rotate secrets.

An OpenSSF Siren advisory reports an automated campaign ("hackerbot-claw") actively exploiting insecure GitHub Actions workflows to run code and exfiltrate CI credentials.

OpenLIT disclosed and fixed a critical GitHub Actions workflow flaw where `pull_request_target` could execute untrusted fork code with privileged tokens and secrets exposed.