Pdm · Pdm · CVE-2023-45805
**Name of the Vulnerable Software and Affected Versions**
pdm versions prior to 2.9.4
**Description**
A crafted `pdm.lock` file can make a project appear to depend on a trusted PyPI package while actually installing a different one; such a lock file could be introduced by an insider or shipped by a malicious open source project. The attacker registers a project on pypi.org whose name shares a prefix with the target's (for example, a hypothetical `foo-2` used against `foo`) and uploads a release to it. Before 2.9.4, pdm only required that the version string be parseable as a version and that the filename and the project name agree on a prefix; it did not verify that the distribution name and version encoded in the filename match the locked entry. As a result, what `pdm install` actually installs can differ from what is declared in `pyproject.toml`, up to arbitrary code execution at install time. The same gap allows downgrade attacks: changing only the version in the lock file is enough to pin an older release.
**Recommendations**
Upgrade to pdm 2.9.4 or later. Until the upgrade is in place: before running `pdm install`, verify that every file listed in `pdm.lock` names exactly the locked project and version (the hashes in the lock file do not help here, because whoever controls the lock file also controls the hashes); treat changes to `pdm.lock` as code under review and restrict who can modify it; and do not install from a `pdm.lock` supplied by an untrusted source.