VYPR
Vendor: Blacklanternsecurity

Products: 1
CVEs: 8
Across products: 8
Status: Private

Recent CVEs (8)
  • CVE-2025-10284 | Critical | Oct 9, 2025
    risk 0.55 | cvss 9.6 | epss 0.01

    BBOT's unarchive module could be abused by supplying malicious archive files which, when extracted, can perform an arbitrary file write, resulting in remote code execution.

  • CVE-2025-10283 | Critical | Oct 9, 2025
    risk 0.55 | cvss 9.6 | epss 0.00

    BBOT's gitdumper module could be abused to execute commands through a malicious git repository.

  • CVE-2025-10282 | Medium | Oct 9, 2025
    risk 0.31 | cvss 4.7 | epss 0.00

    BBOT's gitlab module could be abused to disclose a GitLab API key to an attacker-controlled server via a maliciously formatted git URL.

  • CVE-2025-10281 | Medium | Oct 9, 2025
    risk 0.24 | cvss 4.7 | epss 0.00

    BBOT's git_clone module could be abused to disclose a GitHub API key to an attacker-controlled server via a maliciously formatted git URL.

  • CVE-2026-12568 | Jun 17, 2026
    risk 0.00 | cvss n/a | epss 0.00

    The postman_download module uses the workspace name field from the Postman API to construct the local directory path without sanitization. If a malicious workspace has a name containing path traversal characters, pathlib resolves the path outside the intended output directory,…

  • CVE-2026-12567 | Jun 17, 2026
    risk 0.00 | cvss n/a | epss 0.00

    The github_workflows module constructs local directory paths from user-controlled repository names without validating for symlinks. A local attacker sharing the scan directory can plant a symlink at the predictable output path, causing workflow data to be written to an…

  • CVE-2026-12566 | Jun 17, 2026
    risk 0.00 | cvss n/a | epss 0.00

    The docker_pull module uses the realm parameter from a Docker registry's WWW-Authenticate response header as the authentication endpoint without validation. An attacker in a man-in-the-middle position between bbot and a Docker registry could modify this header to redirect the…

  • CVE-2026-12565 | Jun 17, 2026
    risk 0.00 | cvss n/a | epss 0.00

    The unarchive internal module's archive extraction commands perform no code-level validation on extracted file paths, relying entirely on the behavior of external tools (e.g. GNU tar) which varies by platform. While CVE-2025-10284 addressed git-specific RCE vectors, the…