High severity 8.6 · NVD Advisory · Published May 31, 2018 · Updated Jun 17, 2026
CVE-2016-10526
Description
A common setup for deploying to gh-pages on every commit via a CI system is to expose a GitHub token to ENV and to use it directly in the auth part of the URL. In module versions < 0.9.1 the auth portion of the URL is output by the grunt task's logging function. If this output is publicly available, the credentials should be considered compromised.
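An added example (not code from grunt-gh-pages or its patch) showing the leak described above and one way to keep the auth part of a remote URL out of task logs. The token, repository and log line wording are constructed, and `scrubText` and `redactRepoUrl` are hypothetical helper names.

```javascript
'use strict';

// Constructed sample values: placeholder token and hypothetical repository.
const SAMPLE_TOKEN = 'EXAMPLE_TOKEN_NOT_REAL';
const SAMPLE_REPO =
  `https://${SAMPLE_TOKEN}@github.com/example-user/example-repo.git`;

// Userinfo ("user@" or "user:secret@") of any scheme:// URL found in free
// text, such as a git error message that echoes the remote.
const USERINFO_IN_TEXT = /\b([a-z][a-z0-9+.-]*:\/\/)[^\s\/@]+@/gi;

// Scrub credentials from every URL embedded in a log message.
function scrubText(text) {
  return String(text).replace(USERINFO_IN_TEXT, '$1REDACTED@');
}

// Return a form of a remote URL that is safe to write to a build log.
function redactRepoUrl(repo) {
  let url;
  try {
    url = new URL(repo);
  } catch (err) {
    // Not parsable as a URL (for example scp-style git@host:path).
    return scrubText(repo);
  }
  if (url.username || url.password) {
    url.username = 'REDACTED';
    url.password = '';
  }
  return url.toString();
}

// Before: the remote is interpolated into the log line as-is.
function unsafeLogLine(repo) {
  return `Cloning ${repo}`;
}

// After: the remote is redacted before it reaches any logger.
function safeLogLine(repo) {
  return `Cloning ${redactRepoUrl(repo)}`;
}

console.log(unsafeLogLine(SAMPLE_REPO)); // token visible in CI output
console.log(safeLogLine(SAMPLE_REPO));   // token replaced
```

Output from child processes such as git can echo the remote URL as well, so it should pass through `scrubText` before it is logged.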
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| grunt-gh-pages (npm) | < 0.10.0 | 0.10.0 |
Affected products
- HackerOne/grunt-gh-pages node module (v5), Range: <=0.9.1
References
- github.com/advisories/GHSA-rrj3-qmh8-72pf (ghsa, ADVISORY)
- github.com/tschaub/grunt-gh-pages/pull/41 (nvd, Third Party Advisory, WEB)
- nodesecurity.io/advisories/85 (nvd, Third Party Advisory)
- nvd.nist.gov/vuln/detail/CVE-2016-10526 (ghsa, ADVISORY)
- github.com/tschaub/grunt-gh-pages/commit/2d277e3e969ccd4c2d493f3795400fa77e6b6342 (ghsa, WEB)
- github.com/tschaub/grunt-gh-pages/pull/41/commits/590f69767203d8c379fe18cded93bd5ad6cb53cb (ghsa, WEB)
- www.npmjs.com/advisories/85 (ghsa, WEB)