Browse all 3 CVE security advisories affecting nektos. AI-powered Chinese analysis, POCs, and references for each vulnerability.
nektos is the GitHub organization behind act, a Go CLI that runs GitHub Actions workflows locally, so a workflow and the third-party actions it pulls in execute on the developer's machine or CI host instead of on GitHub's hosted runners. The three CVEs published for the project so far all concern trust boundaries inside that local runner rather than the parsing of workflow YAML: a missing authorization check in act's built-in actions/cache server that allowed malicious cache injection (CVE-2026-34042, CWE-862), unrestricted processing of the set-env and add-path workflow commands, so that step output could rewrite the environment of later steps (CVE-2026-34041, CWE-74), and an unrestricted file upload that could be used for privilege escalation (CVE-2023-22726, CWE-434). No public security incident tied to these flaws has been documented, but because act by design executes arbitrary step scripts and third-party actions, organizations running it against untrusted workflows or on shared hosts should track these advisories and keep the tool updated rather than rely on input validation and sandboxing alone.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-34042 | act: actions/cache server allows malicious cache injection | act | CWE-862 | 8.2 | High | 2026-03-31 |
| CVE-2026-34041 | act: Unrestricted set-env and add-path command processing enables environment injection | act | CWE-74 | 7.1 (AI-estimated) | High (AI-estimated) | 2026-03-31 |
| CVE-2023-22726 | Unrestricted file upload leading to privilege escalation in act | act | CWE-434 | 8.0 | High | 2023-01-20 |
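As an added illustration of the environment-injection class behind the CVE-2026-34041 entry in the table above (example code written for this page, not act's own implementation, and not a proof of concept against any act version): a runner that honours `::set-env` and `::add-path` workflow commands found in arbitrary step output lets anything a step prints, including text echoed from an untrusted pull request or a dependency's build script, set variables such as NODE_OPTIONS or prepend to PATH for every later step. The `RunnerEnv` type, the `parseCommand` helper and the `UntrustedStepOutput` sample are all constructed for this example; the hardened variant follows the approach GitHub's hosted runner took when it stopped honouring those two commands in favour of the GITHUB_ENV and GITHUB_PATH files.

```go
package main

import (
	"fmt"
	"strings"
)

// RunnerEnv is a toy model of the environment a runner hands to each step.
// It is constructed for this example and is not a type from act.
type RunnerEnv struct {
	Env  map[string]string
	Path []string
}

func NewRunnerEnv() *RunnerEnv {
	return &RunnerEnv{Env: map[string]string{}, Path: []string{"/usr/bin"}}
}

// UntrustedStepOutput is constructed sample stdout from a step whose output is
// attacker-influenced (for example a build script echoing pull-request text).
const UntrustedStepOutput = `Build finished
::warning::deprecated flag used
::set-env name=NODE_OPTIONS::--require /tmp/evil.js
::add-path::/tmp/attacker-bin`

// parseCommand splits a "::name k=v,k2=v2::data" line into its parts.
// Lines that are not workflow commands return ok == false.
func parseCommand(line string) (string, map[string]string, string, bool) {
	if !strings.HasPrefix(line, "::") {
		return "", nil, "", false
	}
	rest := line[2:]
	sep := strings.Index(rest, "::")
	if sep < 0 {
		return "", nil, "", false
	}
	head, data := rest[:sep], rest[sep+2:]
	fields := strings.SplitN(head, " ", 2)
	params := map[string]string{}
	if len(fields) == 2 {
		for _, kv := range strings.Split(fields[1], ",") {
			if k, v, found := strings.Cut(kv, "="); found {
				params[k] = v
			}
		}
	}
	return fields[0], params, data, true
}

// ProcessUnrestricted is the weak behaviour: every workflow command in step
// output is honoured, so a step can rewrite Env and PATH for all later steps.
func (r *RunnerEnv) ProcessUnrestricted(stdout string) {
	for _, line := range strings.Split(stdout, "\n") {
		name, params, data, ok := parseCommand(line)
		if !ok {
			continue
		}
		switch name {
		case "set-env":
			r.Env[params["name"]] = data
		case "add-path":
			r.Path = append([]string{data}, r.Path...)
		}
	}
}

// ProcessHardened refuses set-env and add-path from stdout entirely and
// returns the rejected lines so the runner can log them. Other commands
// (warning, error, ...) are left for the normal command handler.
func (r *RunnerEnv) ProcessHardened(stdout string) []string {
	var rejected []string
	for _, line := range strings.Split(stdout, "\n") {
		name, _, _, ok := parseCommand(line)
		if !ok {
			continue
		}
		if name == "set-env" || name == "add-path" {
			rejected = append(rejected, line)
		}
	}
	return rejected
}

func main() {
	weak := NewRunnerEnv()
	weak.ProcessUnrestricted(UntrustedStepOutput)
	fmt.Printf("unrestricted: NODE_OPTIONS=%q PATH=%v\n", weak.Env["NODE_OPTIONS"], weak.Path)

	hard := NewRunnerEnv()
	rejected := hard.ProcessHardened(UntrustedStepOutput)
	fmt.Printf("hardened: rejected %d command(s), env=%v PATH=%v\n", len(rejected), hard.Env, hard.Path)
}
```

The unrestricted path shows why the CWE is injection rather than a parsing bug: the runner parses the command correctly, the problem is that stdout of an untrusted step is treated as an authoritative source of runner configuration. A runner that still needs steps to export variables should read them from a file it controls (the GITHUB_ENV / GITHUB_PATH model) and log any attempt to use the stdout commands.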
This page lists every published CVE security advisory associated with nektos. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products and references. AI-generated Chinese analysis is provided for fast triage.