securitylab.github.com
Resources curated from this publisher and indexed across appsec.fyi topic pages. Last item added: 2026-04-22.
| Date Added | Resource | Topic | Excerpt |
|---|---|---|---|
| 2026-04-22 | Keeping Your GitHub Actions Secure Part 1: Preventing Pwn Requests | Supply Chain | Library detailing secure GitHub Actions workflows, specifically addressing the risks of the `pull_request_target` trigger when processing untrusted pull requests. It highlights how attackers can exploit this to gain repository write permissions or steal secrets by injecting malicious code into build scripts, package.json, or npm pre/postinstall scripts. The library advocates for a `pull_request` trigger for unprivileged handling of untrusted code and a subsequent `workflow_run` trigger for privileged operations, using artifacts to safely transfer data. |
| 2026-04-11 | SQL injection vulnerabilities in Owncloud Android app | Mobile | Advisories detail SQL injection vulnerabilities in the Owncloud Android app, specifically impacting the `FileContentProvider` (GHSL-2022-059) and the `ReceiveExternalFilesActivity`. The `FileContentProvider` allows malicious applications to exploit SQL injection flaws through its `delete`, `insert`, `query`, and `update` methods, potentially leading to unauthorized data access or modification within the app's databases. Additionally, improper sanitization of externally provided file paths in `ReceiveExternalFilesActivity` can allow attackers to read from or write to the application's internal storage. |
| 2026-04-10 | GitHub Security Lab: SSTI in Apache Camel — CVE-2020-11994 | SSTI | Writeup on CVE-2020-11994, detailing Server-Side Template Injection (SSTI) vulnerabilities in Apache Camel's FreeMarker, Velocity, MVEL, and Mustache components. These flaws enable Remote Code Execution (RCE) and Arbitrary File Disclosure by allowing attackers to control template headers or resource URIs, potentially impacting versions 2.x up to 2.22.0 and 3.x up to 3.2.0. |
| 2026-04-10 | Command Injection and RCE in MetaSpore (GHSL-2025-035 to 037) | RCE | Writeup detailing command injection (GHSL-2025-035) and RCE (GHSL-2025-037) vulnerabilities in MetaSpore's recommendation service. The command injection allows overwriting arbitrary files and leaking AWS tokens via the `aws s3 sync` command. The RCE is achieved by exploiting an unprotected Consul instance and a Spring Expression Language injection in `spring.application.name`, leading to arbitrary code execution. An additional vulnerability (GHSL-2025-036) involves sensitive Spring Boot Actuator endpoints being exposed without authentication. |
| 2024-07-23 | Keeping your GitHub Actions and workflows secure Part 1: Preventing pwn requests | Supply Chain | In this article, we'll discuss some common security malpractices for GitHub Actions and workflows, and how to best avoid them. Our examples are based on real-world GitHub workflow implementation vulne... |