By weakness (CWE)
CWE-427: related vulnerabilities
CVEs classified under CWE-427. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
2 published vulnerabilities
- CVE-2026-44358HIGH 8.2
Espressif's Shared GitHub DangerJS Action, a reusable CI workflow component, contains a privilege escalation vulnerability in versions prior to 1.0.1. When processing pull requests from forks, the action's entrypoint script executes DangerJS from an untrusted search path after copying fork code into the working directory. This allows fork-supplied code to run inside the action container with the permissions of the workflow, rather than the action's own trusted code. An attacker can exploit this by submitting a malicious pull request from a fork, causing arbitrary code execution in the CI/CD environment.
- CVE-2026-36574HIGH 7.8
CactusViewer v2.3.0 contains a DLL hijacking vulnerability that allows an attacker to execute arbitrary code and escalate privileges on a system where the application is installed. The flaw occurs because the application loads dynamic libraries in an unsafe manner, enabling an attacker to place a malicious DLL in a location the application searches before legitimate system libraries. When CactusViewer runs, it loads the attacker's malicious code instead of the legitimate library, granting the attacker the same privilege level as the user running the application.