resolved
Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`
Bug reported by was disclosed at June 11, 2026, 4:54 pm | OS Command Injection
resolved
RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml — Direct Supply Chain to All DDG Browsers
Bug reported by Griffin was disclosed at June 11, 2026, 2:30 pm
A vulnerability was discovered in the "auto-respond-pr.yml" GitHub Actions workflow of the "privacy-configuration" repository. The workflow used the "pull_request_target" trigger, which checked out the fork's repository as both the "base" and "PR" branches. This allowed an attacker to control the code executed by the workflow, leading to arbitrary code execution and the exposure of the "PRIVACY_CONFIG_PAT" secret. The exposed token was likely used for PR auto-approval, enabling the attacker to approve their own PRs and access private repository contents. The vulnerability also resulted in the unconditional exposure of additional secrets, such as "ASANA_ACCESS_TOKEN" and "GH_RO_PAT", when a fork PR was closed.
resolved
RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml — Affects All DuckDuckGo Browsers
Bug reported by Griffin was disclosed at June 11, 2026, 2:28 pm
A vulnerability was discovered in the DuckDuckGo content-scope-scripts repository's GitHub Actions workflow. The workflow used the pull_request_target trigger without access controls, allowing untrusted code from fork pull requests to be checked out and executed. This could have led to remote code execution and the potential exfiltration of sensitive information, such as API keys, on the runner. The vulnerability also could have been exploited to manipulate the automated release pipeline, potentially compromising all DuckDuckGo browsers and extensions across multiple platforms.
resolved
SSRF via Improper Redirect Validation in Rocket.Chat oEmbed Function
Bug reported by KT was disclosed at June 11, 2026, 11:52 am | Server-Side Request Forgery (SSRF)
A vulnerability was discovered in Rocket.Chat version 7.10.1 where the oEmbed feature did not properly validate redirected URLs. This allowed an attacker to bypass SSRF protections and access internal network resources that would otherwise be unreachable.
resolved
SSRF via improper validation after DNS name resolution in the link-preview feature
Bug reported by KT was disclosed at June 11, 2026, 11:52 am | Server-Side Request Forgery (SSRF)
The link-preview feature in Rocket.Chat version 7.11.0 did not properly validate the IP address after DNS resolution. This allowed an attacker to obtain a domain that pointed to an internal IP address, triggering SSRF and enabling access to internal hosts that would otherwise be unreachable.