Browse all 5 CVE security advisories affecting step-security. AI-powered Chinese analysis, POCs, and references for each vulnerability.
Step-security provides application security testing solutions that focus on identifying vulnerabilities in software development pipelines. Historically, their products have commonly detected remote code execution, cross-site scripting, and privilege escalation vulnerabilities across a range of applications. No major public security incidents have been reported, but the company has a moderate vulnerability history of its own, with five CVEs recorded, primarily related to input validation flaws and improper access controls in its tools. Its security characteristics emphasize automated scanning and integration with CI/CD processes; the presence of CVEs in its own products illustrates the challenge of keeping security tooling itself secure.
| CVE ID | Title | Product | CWE | CVSS | Severity | Published |
|---|---|---|---|---|---|---|
| CVE-2026-32947 | Egress Policy Bypass via DNS over HTTPS (DoH) in Harden-Runner (Community Tier) | harden-runner | CWE-693 | 9.1 | - | 2026-03-20 |
| CVE-2026-32946 | Egress Policy Bypass via DNS over TCP in Harden-Runner (Community Tier) | harden-runner | CWE-693 | 8.6 | - | 2026-03-20 |
| CVE-2026-25598 | Bypassing Logging of Outbound Connections Using sendto, sendmsg, and sendmmsg in Harden-Runner (Community Tier) | harden-runner | CWE-778 | 5.3 (AI-estimated) | Medium (AI-estimated) | 2026-02-09 |
| CVE-2025-32955 | Harden-Runner Evasion of 'disable-sudo' policy | harden-runner | CWE-268 | 6.0 | Medium | 2025-04-21 |
| CVE-2024-52587 | Harden-Runner has command injection weaknesses in `setup.ts` and `arc-runner.ts` | harden-runner | CWE-78 | 9.8 | - | 2024-11-18 |
This page lists every published CVE security advisory associated with step-security. Each entry links to a detailed page with CVSS scoring, CWE classification, affected products, and references. AI-generated Chinese analysis is provided for fast triage; scores and severities marked "AI-estimated" above were produced by that analysis rather than taken from the advisory.