By vendor
Github vulnerabilities
Known CVEs affecting Github products, prioritized by severity, with SEC.co remediation and detection guidance.
1 published vulnerability
- CVE-2026-48501HIGH 7.4
GitHub CLI (gh) prior to version 2.93.0 has a flaw where it unintentionally sends your authentication token to external services during specific operations. When you run commands like `gh attestation`, `gh release verify`, or `gh release verify-asset`, the tool needs to fetch data from various external servers—including TUF (The Update Framework) repositories and cloud storage. The problem is that the authentication layer doesn't correctly identify which servers should receive your token. Due to flawed host detection logic, requests to services like tuf-repo.github.com are incorrectly treated as requests to GitHub itself, causing your personal GitHub token to be transmitted to an untrusted third party. Similarly, requests to unrelated external hosts (like Sigstore's CDN or Azure Blob Storage) also receive your token. An attacker controlling or monitoring traffic to these external services could intercept your token and impersonate your GitHub account.