PatchSiren

cli CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

HIGH cli CVE published 2026-05-29

CVE-2026-48501

GitHub CLI (gh) versions prior to 2.93.0 incorrectly transmit authorization tokens to external hosts during attestation and release verification operations. The vulnerability stems from flawed host normalization logic in the CLI's shared HTTP client authentication layer, which collapses any *.github.com subdomain to github.com. This causes requests to tuf-repo.github.com—a GitHub Pages site hosting TUF me [truncated]

LOW cli CVE published 2026-05-15

CVE-2026-45803

CVE-2026-45803 is a low-severity GitHub CLI issue in which workflow log content can be rendered to a terminal without sanitizing control sequences. If an attacker can influence Actions log output, viewing a run with gh run view --log or gh run view --log-failed can cause terminal escape sequence injection in the user’s session. The issue is fixed in GitHub CLI 2.92.0.