| # | CVSS | Severity | Vector | Vendor | Product | Description | Status | CWE | CVE | Updated | Published |
|---|---|---|---|---|---|---|---|---|---|---|---|
| 691 | 3.0 | LOW | Local | - | - | ciguard is a static security auditor for CI/CD pipelines. From 0.1.0 to 0.8.1, the published ghcr.io/jo-jo98/ciguard container image inherits the default root user because the Dockerfile lacks a USER… | New | CWE-269 Improper Privilege Management | CVE-2026-44218 | 2026-05-14 02:02 | 2026-05-13 |
| 692 | 3.7 | LOW | Network | - | - | ciguard is a static security auditor for CI/CD pipelines. From 0.6.0 to 0.8.1, both SCA HTTP clients (src/ciguard/analyzer/sca/osv.py and src/ciguard/analyzer/sca/endoflife.py) call payload = json.lo… | New | CWE-770 Allocation of Resources Without Limits or Throttling | CVE-2026-44219 | 2026-05-14 02:02 | 2026-05-13 |
| 693 | 3.2 | LOW | Local | - | - | ciguard is a static security auditor for CI/CD pipelines. From 0.8.0 to 0.8.1, the discover_pipeline_files() function in src/ciguard/discovery.py walks a directory tree following symlinks, with cycl… | New | CWE-59 Link Following | CVE-2026-44220 | 2026-05-14 02:02 | 2026-05-13 |
| 694 | 4.4 | MEDIUM | Local | jqlang | jq | jq is a command-line JSON processor. In 1.8.1 and earlier, jq accepts embedded NUL bytes in import paths at the jq-language level, but later resolves those paths through C string operations during mo… | Update | CWE-20 Improper Input Validation; CWE-158 Improper Neutralization of Null Byte or NUL Character | CVE-2026-43895 | 2026-05-14 02:02 | 2026-05-12 |
| 695 | 5.3 | MEDIUM | Network | - | - | protobufjs compiles protobuf definitions into JavaScript (JS) functions. Prior to 7.5.6 and 8.0.2, protobufjs includes a minimal UTF-8 decoder that accepted overlong UTF-8 byte sequences and decoded … | New | CWE-176 Improper Handling of Unicode Encoding | CVE-2026-44288 | 2026-05-14 02:01 | 2026-05-14 |
| 696 | 8.7 | HIGH | Network | - | - | protobufjs-cli is the command line add-on for protobuf.js. Prior to 1.2.1 and 2.0.2, pbjs static code generation could emit unsafe JavaScript identifiers derived from schema-controlled names. When ge… | New | CWE-94 Code Injection | CVE-2026-44295 | 2026-05-14 02:01 | 2026-05-14 |
| 697 | 5.5 | MEDIUM | Local | jqlang | jq | jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic.… | Update | CWE-190 Integer Overflow or Wraparound | CVE-2026-43894 | 2026-05-14 02:01 | 2026-05-12 |
| 698 | 5.5 | MEDIUM | Local | jqlang | jq | jq is a command-line JSON processor. In 1.8.1 and earlier, the jq bytecode VM's data stack tracks its allocation size in a signed int. When the stack grows beyond ≈1 GiB (via deeply nested generator … | Update | CWE-190 Integer Overflow or Wraparound; CWE-787 Out-of-bounds Write | CVE-2026-41257 | 2026-05-14 02:01 | 2026-05-12 |
| 699 | 5.5 | MEDIUM | Local | jqlang | jq | jq is a command-line JSON processor. In 1.8.1 and earlier, top-level jq programs loaded from a file with -f are truncated at the first embedded NUL byte on current upstream HEAD. A crafted filter fil… | Update | CWE-158 Improper Neutralization of Null Byte or NUL Character | CVE-2026-41256 | 2026-05-14 02:00 | 2026-05-12 |
| 700 | 8.4 | HIGH | Local | - | - | JunoClaw is an agentic AI platform built on Juno Network. Prior to 0.x.y-security-1, plugin-shell's run_command wrapped every agent-supplied command in 'sh -c' / 'cmd /C' and passed the full argument… | New | CWE-77 Command Injection; CWE-78 OS Command Injection | CVE-2026-43990 | 2026-05-14 02:00 | 2026-05-13 |