Blacklanternsecurity
Products
- bbot (pypi): 8 CVEs
Recent CVEs
| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2025-10284 | blacklanternsecurity / bbot | Critical | 0.55 | 9.6 | 0.01 | Oct 9, 2025 | BBOT's unarchive module could be abused by supplying malicious archive files which, when extracted, perform an arbitrary file write, resulting in remote code execution. |
| CVE-2025-10283 | blacklanternsecurity / bbot | Critical | 0.55 | 9.6 | 0.00 | Oct 9, 2025 | BBOT's gitdumper module could be abused to execute commands through a malicious git repository. |
| CVE-2025-10282 | blacklanternsecurity / bbot | Medium | 0.31 | 4.7 | 0.00 | Oct 9, 2025 | BBOT's gitlab module could be abused to disclose a GitLab API key to an attacker-controlled server via a maliciously formatted git URL. |
| CVE-2025-10281 | blacklanternsecurity / bbot | Medium | 0.24 | 4.7 | 0.00 | Oct 9, 2025 | BBOT's git_clone module could be abused to disclose a GitHub API key to an attacker-controlled server via a maliciously formatted git URL. |
| CVE-2026-12568 | blacklanternsecurity / bbot | — | 0.00 | — | 0.00 | Jun 17, 2026 | The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory,… |
| CVE-2026-12567 | blacklanternsecurity / bbot | — | 0.00 | — | 0.00 | Jun 17, 2026 | The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an… |
| CVE-2026-12566 | blacklanternsecurity / bbot | — | 0.00 | — | 0.00 | Jun 17, 2026 | The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the… |
| CVE-2026-12565 | blacklanternsecurity / bbot | — | 0.00 | — | 0.00 | Jun 17, 2026 | The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the… |
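Four of the rows above (CVE-2025-10284, CVE-2026-12568, CVE-2026-12567 and CVE-2026-12565) share one root cause: a local path is built from a name the scanner did not choose (a workspace name, a repository name, the member names inside a downloaded archive) and the write lands wherever that name points. The following is an added example of the containment checks a practitioner would want in that situation; it is not BBOT's code and does not describe how the project fixed these issues. The module layout, the function names and the archive contents are constructed for the example.

```python
"""Path-containment checks for a scanner's output directory.

Added example, not BBOT's code. It assumes a hypothetical module that
writes remote data under an output directory using names it did not
choose (a workspace name, a repository name, the member names inside a
downloaded archive).
"""
import io
import pathlib
import tarfile
import tempfile


class UnsafePath(ValueError):
    """Raised when an untrusted name would land outside the output directory."""


def safe_subdir(base: pathlib.Path, untrusted_name: str) -> pathlib.Path:
    """Return base/<untrusted_name>, refusing anything that leaves base.

    The weak pattern is `(base / name).resolve()`: resolve() follows '..'
    and symlinks, so a remote-controlled name can point anywhere.
    """
    if not untrusted_name or untrusted_name in (".", ".."):
        raise UnsafePath(f"rejected name {untrusted_name!r}")
    if any(c in untrusted_name for c in "/\\\x00"):
        # Exactly one path component: no separators, no NUL.
        raise UnsafePath(f"rejected name {untrusted_name!r}")
    base_real = base.resolve()
    candidate = base_real / untrusted_name
    # A symlink planted at the predictable output path would redirect the
    # write; refuse it instead of following it. (lstat-based check, so the
    # later open still needs O_NOFOLLOW-style handling to close the race.)
    if candidate.is_symlink():
        raise UnsafePath(f"{candidate} is a symlink")
    return candidate


def safe_members(tar: tarfile.TarFile, dest: pathlib.Path):
    """Yield only archive members that extract inside dest.

    Validated in code rather than trusting the extraction tool, since the
    behaviour of external tar implementations varies by platform.
    """
    dest_real = dest.resolve()

    def inside(p: pathlib.Path) -> bool:
        return p == dest_real or dest_real in p.parents

    for m in tar.getmembers():
        target = (dest_real / m.name).resolve()  # absolute or '..' names escape here
        if not inside(target):
            raise UnsafePath(f"member {m.name!r} escapes {dest}")
        if m.issym():
            # A symlink target is relative to the link's own directory.
            if not inside((target.parent / m.linkname).resolve()):
                raise UnsafePath(f"symlink {m.name!r} -> {m.linkname!r} escapes {dest}")
        elif m.islnk():
            # A hard link target is relative to the archive root.
            if not inside((dest_real / m.linkname).resolve()):
                raise UnsafePath(f"hard link {m.name!r} -> {m.linkname!r} escapes {dest}")
        elif m.isdev():
            raise UnsafePath(f"device node {m.name!r} not allowed")
        yield m


def extract_safely(archive: bytes, dest: pathlib.Path) -> list:
    """Validate every member first, then extract; nothing is written on failure."""
    with tarfile.open(fileobj=io.BytesIO(archive), mode="r:*") as tar:
        members = list(safe_members(tar, dest))
        # Python 3.12+ (and the security backports) ship tarfile's 'data'
        # filter, which enforces the same containment rules; use it as well.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(dest, members=members, **kwargs)
    return [m.name for m in members]


def build_tar(entries) -> bytes:
    """Constructed archive for the example: (name, data) or (name, None, symlink_target)."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w") as tar:
        for entry in entries:
            info = tarfile.TarInfo(entry[0])
            if len(entry) == 3:
                info.type = tarfile.SYMTYPE
                info.linkname = entry[2]
                tar.addfile(info)
            else:
                info.size = len(entry[1])
                tar.addfile(info, io.BytesIO(entry[1]))
    return buf.getvalue()


def run_checks() -> dict:
    """Run the checks over constructed inputs and report what happened."""
    results = {}
    with tempfile.TemporaryDirectory() as d:
        out = pathlib.Path(d)
        for name in ("workspace-1", "../../.ssh", "group/project", ".."):
            try:
                safe_subdir(out, name)
                results[name] = "ok"
            except UnsafePath:
                results[name] = "rejected"
        (out / "planted").symlink_to(out.parent)  # attacker's symlink at a predictable path
        try:
            safe_subdir(out, "planted")
            results["planted"] = "ok"
        except UnsafePath:
            results["planted"] = "rejected"
        good = build_tar([("repo/README.md", b"hello\n")])
        results["tar:good"] = extract_safely(good, out / "good")
        for label, archive in (
            ("tar:dotdot", build_tar([("../../escaped.txt", b"x\n")])),
            ("tar:absolute", build_tar([("/etc/cron.d/evil", b"x\n")])),
            ("tar:symlink", build_tar([("link", None, "/etc/passwd")])),
        ):
            try:
                extract_safely(archive, out / "bad")
                results[label] = "ok"
            except UnsafePath:
                results[label] = "rejected"
    return results


if __name__ == "__main__":
    for k, v in run_checks().items():
        print(f"{k:16} {v}")
```

The checks are deliberately conservative: a single path component with no separators is accepted for directory names, and an archive is rejected as a whole before anything is written, so a half-extracted tree is never left behind.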
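CVE-2026-12566, CVE-2025-10282 and CVE-2025-10281 are the other recurring shape in the table: a credential is sent to an endpoint the remote side chose (the realm in a WWW-Authenticate header, the host in a git URL). The one-line descriptions do not say exactly how the git URLs were formatted, so the following is an added, generic hardening example rather than a description of the fixed code; it is not BBOT's code. The function names, the registry hosts and the token values are constructed for the example.

```python
"""Credential scoping for endpoints chosen by the other side.

Added example, not BBOT's code. It assumes two hypothetical situations:
a registry client deciding whether to send credentials to the realm
named in a WWW-Authenticate challenge, and a clone helper deciding
whether a GitHub or GitLab token belongs on a given git URL. The rule in
both cases: a token goes only to the host it was issued for.
"""
import re
from typing import Optional
from urllib.parse import urlsplit


class CredentialScopeError(ValueError):
    """Raised when a credential would be sent to a host it was not issued for."""


_PARAM_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_www_authenticate(header: str) -> dict:
    """Split 'Bearer realm="...",service="...",scope="..."' into its parts."""
    scheme, _, params = header.strip().partition(" ")
    return {"scheme": scheme, **dict(_PARAM_RE.findall(params))}


def auth_endpoint_for(registry_host: str, header: str,
                      extra_allowed: frozenset = frozenset()) -> str:
    """Return the realm URL only if it is acceptable to send credentials there.

    The weak pattern is to use params['realm'] as-is: whoever can rewrite
    the header (a man in the middle, a hostile registry) then chooses where
    the credentials are posted.
    """
    params = parse_www_authenticate(header)
    if params.get("scheme", "").lower() != "bearer":
        raise CredentialScopeError(f"unsupported challenge {params.get('scheme')!r}")
    realm = params.get("realm")
    if not realm:
        raise CredentialScopeError("challenge has no realm")
    u = urlsplit(realm)
    if u.scheme != "https":
        raise CredentialScopeError(f"realm must be https, got {realm!r}")
    host = (u.hostname or "").lower()
    # Docker Hub legitimately answers for registry-1.docker.io with a realm
    # on auth.docker.io, so a per-registry allowlist is needed; the default
    # is "same host as the registry".
    if host != registry_host.lower() and host not in extra_allowed:
        raise CredentialScopeError(f"realm host {host!r} is not {registry_host!r}")
    return realm


def token_for_git_url(url: str, tokens: dict) -> Optional[str]:
    """Pick the API token for a clone URL, or None if none applies.

    Only https URLs are considered, userinfo in the URL is refused
    (https://gitlab.com@evil.example/ has hostname evil.example, not
    gitlab.com), and the token is chosen by the parsed hostname rather
    than by a substring match on the URL text.
    """
    u = urlsplit(url)
    if u.scheme != "https":
        return None
    if u.username is not None or u.password is not None:
        raise CredentialScopeError(f"refusing URL with embedded userinfo: {url!r}")
    return tokens.get((u.hostname or "").lower())


if __name__ == "__main__":
    # Constructed challenge and URLs for demonstration.
    print(auth_endpoint_for(
        "registry.example.com",
        'Bearer realm="https://registry.example.com/v2/token",service="registry.example.com"'))
    print(token_for_git_url("https://gitlab.com/group/proj.git",
                            {"gitlab.com": "glpat-example"}))
```

Selecting the token by parsed hostname, and refusing URLs with userinfo outright, removes the class of tricks where a URL *looks* like it points at gitlab.com or github.com but the request goes elsewhere.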