Dark C0d3rs
HackerOne Disclosed Reports - 2026-06-11 - Printable Version

+- Dark C0d3rs (https://darkcoders.wiki)
+-- Forum: Exploit Log (https://darkcoders.wiki/Forum-Exploit-Log)
+--- Forum: Research Papers/Vulnerability reports (https://darkcoders.wiki/Forum-Research-Papers-Vulnerability-reports)
+--- Thread: HackerOne Disclosed Reports - 2026-06-11 (/Thread-HackerOne-Disclosed-Reports-2026-06-11)



HackerOne disclosed reports - 2026-06-11 - hashXploiter - 06-12-2026

High
resolved

Command Injection via Unsanitized Bundling Options in `aws-cdk-lib/aws-lambda-nodejs`


Bug reported by was disclosed at June 11, 2026, 4:54 pm   |   OS Command Injection


Critical
resolved

RCE + PAT Exfiltration via pull_request_target in privacy-configuration/auto-respond-pr.yml — Direct Supply Chain to All DDG Browsers


Bug reported by Griffin was disclosed at June 11, 2026, 2:30 pm

A vulnerability was discovered in the "auto-respond-pr.yml" GitHub Actions workflow of the "privacy-configuration" repository. The workflow used the "pull_request_target" trigger, which checked out the fork's repository as both the "base" and "PR" branches. This allowed an attacker to control the code executed by the workflow, leading to arbitrary code execution and the exposure of the "PRIVACY_CONFIG_PAT" secret. The exposed token was likely used for PR auto-approval, enabling the attacker to approve their own PRs and access private repository contents. The vulnerability also resulted in the unconditional exposure of additional secrets, such as "ASANA_ACCESS_TOKEN" and "GH_RO_PAT", when a fork PR was closed.


Critical
resolved

RCE + Supply Chain Attack via pull_request_target in content-scope-scripts/semver-label.yml — Affects All DuckDuckGo Browsers


Bug reported by Griffin was disclosed at June 11, 2026, 2:28 pm

A vulnerability was discovered in the DuckDuckGo content-scope-scripts repository's GitHub Actions workflow. The workflow used the pull_request_target trigger without access controls, allowing untrusted code from fork pull requests to be checked out and executed. This could have led to remote code execution and the potential exfiltration of sensitive information, such as API keys, on the runner. The vulnerability also could have been exploited to manipulate the automated release pipeline, potentially compromising all DuckDuckGo browsers and extensions across multiple platforms.


Medium
resolved

SSRF via Improper Redirect Validation in Rocket.Chat oEmbed Function


Bug reported by KT was disclosed at June 11, 2026, 11:52 am   |   Server-Side Request Forgery (SSRF)

A vulnerability was discovered in Rocket.Chat version 7.10.1 where the oEmbed feature did not properly validate redirected URLs. This allowed an attacker to bypass SSRF protections and access internal network resources that would otherwise be unreachable.


High
resolved

SSRF via improper validation after DNS name resolution in the link-preview feature


Bug reported by KT was disclosed at June 11, 2026, 11:52 am   |   Server-Side Request Forgery (SSRF)

The link-preview feature in Rocket.Chat version 7.11.0 did not properly validate the IP address after DNS resolution. This allowed an attacker to obtain a domain that pointed to an internal IP address, triggering SSRF and enabling access to internal hosts that would otherwise be unreachable.