Go modules package
github.com/nektos/act
pkg:golang/github.com/nektos/act
Vulnerabilities (3)
| CVE | Sev | CVSS | KEV | Affected versions | Fixed in | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-34042 | Hig | 8.2 | < 0.2.86 | 0.2.86 | Mar 31, 2026 | act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitr | |
| CVE-2026-34041 | Cri | 9.8 | < 0.2.86 | 0.2.86 | Mar 31, 2026 | act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted da | |
| CVE-2023-22726 | — | < 0.2.40 | 0.2.40 | Jan 20, 2023 | act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may l |
- affected < 0.2.86fixed 0.2.86
act is a project which allows for local running of github actions. Prior to version 0.2.86, act's built in actions/cache server listens to connections on all interfaces and allows anyone who can connect to it including someone anywhere on the internet to create caches with arbitr
- affected < 0.2.86fixed 0.2.86
act is a project which allows for local running of github actions. Prior to version 0.2.86, act unconditionally processes the deprecated ::set-env:: and ::add-path:: workflow commands, which was disabled due to environment injection risks. When a workflow step echoes untrusted da
- CVE-2023-22726Jan 20, 2023affected < 0.2.40fixed 0.2.40
act is a project which allows for local running of github actions. The artifact server that stores artifacts from Github Action runs does not sanitize path inputs. This allows an attacker to download and overwrite arbitrary files on the host from a Github Action. This issue may l