Browse all 6 CVE security advisories affecting actions. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Actions is a workflow automation platform designed to streamline business processes through customizable integrations and task management. Historically, Actions has been vulnerable to multiple remote code execution (RCE) flaws, cross-site scripting (XSS) vulnerabilities, and privilege escalation issues across its API and web interface. The platform's six recorded CVEs primarily stem from improper input validation and insufficient access controls. While no major public security incidents have been documented, the consistent pattern of vulnerabilities suggests potential risks for organizations relying on Actions for critical workflows, particularly those with exposed internet-facing implementations.

| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2025-5890 | actions toolkit glob internal-pattern.ts globEscape redos | toolkit | CWE-1333 | 4.3 | Medium | 2025-06-09 |
| CVE-2024-42471 | Arbitrary File Write via artifact extraction in actions/artifact | toolkit | CWE-22 | 7.3 | High | 2024-09-02 |
| CVE-2022-39321 | GitHub Actions Runner vulnerable to Docker Command Escaping | runner | CWE-78 | 8.8 | High | 2022-10-25 |
| CVE-2022-35954 | Delimiter injection vulnerability in @actions/core exportVariable | toolkit | CWE-77 | 5.0 | Medium | 2022-08-13 |
| CVE-2020-15228 | Environment Variable Injection in GitHub Actions | toolkit | CWE-20 | 3.5 | Low | 2020-10-01 |
| CVE-2020-11021 | HTTP request which redirect to another hostname do not strip authorization header in Actions Http-Client | http-client | CWE-200 | 6.3 | Medium | 2020-04-29 |

This page lists every published CVE security advisory associated with actions. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.