PT-2026-39677 · Datadog+1 · Guarddog

Bg0D-Glitch

·

Published 2026-05-11 · Updated 2026-05-27 · CVE-2026-44971

CVSS v3.1 8.2 High
Vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: GuardDog versions 1.0.0 through 2.9.0
Description: The programmatic remote project scanning path in ProjectScanner.scan_remote() rewrites a caller-supplied repository URL by blind string replacement, substituting "raw.githubusercontent" for every occurrence of the substring "github", and then sends the request with the caller's GitHub credentials (the GH_TOKEN the tool uses) as HTTP Basic Auth. Because the hostname is never parsed or validated, a crafted URL whose host is not GitHub survives the rewrite and still points at an attacker-controlled server: the substring may sit in a subdomain, in the path, or nowhere at all, and the destination host is unchanged in every case. The result is Server-Side Request Forgery (SSRF) in which the tool delivers the GH_TOKEN to an arbitrary host, where the attacker can capture it.
Recommendations: Update GuardDog to a version later than 2.9.0. As a temporary workaround, pass only trusted repository URLs to ProjectScanner.scan_remote(); the token can only be captured from a scan that runs with a GitHub token available to the tool.
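The following is an added illustration of the rewrite flaw described above and of the parse-then-validate form that closes it. It is not GuardDog's code: the function names, the assumption that the rewrite is a plain host swap from github.com to raw.githubusercontent.com, the placeholder token and the sample URLs are all constructed for this example. Nothing is sent over the network; the functions only compute where a request would go and whether the credential would travel with it.

```python
# Added example, not GuardDog's code. Function names, URL shapes and inputs are
# assumptions; the point is the difference between blind string replacement and
# host validation on a parsed URL.
from typing import Optional, Tuple
from urllib.parse import urlsplit, urlunsplit

GITHUB_HOST = "github.com"
RAW_HOST = "raw.githubusercontent.com"


def vulnerable_rewrite(url: str) -> str:
    """Blind substring replacement as the advisory describes: the URL is never
    parsed, so every "github" in the string is rewritten and the request still
    goes to whatever host the caller supplied."""
    return url.replace("github", "raw.githubusercontent")


def vulnerable_target(url: str, token: str) -> Tuple[str, str]:
    """Mimics the vulnerable flow: rewritten URL plus the credential that would be
    attached as HTTP Basic Auth, with no check on the destination host."""
    return vulnerable_rewrite(url), token


def leaks_token(url: str, token: str) -> bool:
    """True when the vulnerable path would send the token anywhere other than
    the real raw.githubusercontent.com host."""
    target, cred = vulnerable_target(url, token)
    host = (urlsplit(target).hostname or "").lower()
    return cred is not None and host != RAW_HOST


def hardened_rewrite(url: str) -> str:
    """Parse first, then rewrite only the host component, and only when the
    parsed host is exactly github.com (hypothetical fix, not the upstream one)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        raise ValueError("only https URLs are accepted")
    if parts.username is not None or parts.password is not None:
        # "https://github.com@attacker.example/" parses with host attacker.example;
        # reject userinfo outright rather than reasoning about it.
        raise ValueError("userinfo in URL is not allowed")
    if host != GITHUB_HOST:
        raise ValueError(f"refusing to rewrite non-GitHub host {host!r}")
    # Rebuild with the raw host; path and query are kept, any explicit port and
    # fragment are dropped.
    return urlunsplit(("https", RAW_HOST, parts.path, parts.query, ""))


def credential_for(url: str, token: str) -> Optional[str]:
    """Attach the token only when the parsed host is exactly the raw GitHub host."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme == "https" and host == RAW_HOST and parts.username is None:
        return token
    return None


def hardened_target(url: str, token: str) -> Tuple[str, Optional[str]]:
    """Rewrite and decide on credentials from the parsed, validated URL."""
    target = hardened_rewrite(url)
    return target, credential_for(target, token)


if __name__ == "__main__":
    # Constructed sample inputs; the token is a placeholder, not a real secret.
    token = "TOKEN-PLACEHOLDER"
    samples = [
        "https://github.com/org/repo/blob/main/setup.py",      # legitimate
        "https://github.attacker.example/org/repo/x",          # substring in subdomain
        "https://attacker.example/github/org/repo/x",          # substring in path
        "https://github.com@attacker.example/org/repo/x",      # userinfo trick
        "https://attacker.example/org/repo/x",                 # no substring at all
    ]
    for url in samples:
        print(f"{url}\n  vulnerable -> {vulnerable_rewrite(url)}  leaks={leaks_token(url, token)}")
        try:
            print(f"  hardened   -> {hardened_target(url, token)}")
        except ValueError as exc:
            print(f"  hardened   -> rejected: {exc}")
```

The check that matters is the exact comparison of `urlsplit(url).hostname` against an allow-list; `endswith("github.com")` would still accept `evilgithub.com`, and matching on the raw string accepts everything shown above. Applying the credential only to the already-validated, rewritten URL means a future change to the rewrite logic cannot reintroduce the leak on its own.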

Exploit

Fix

SSRF


Related Identifiers

CVE-2026-44971
GHSA-587R-MC96-6F2P

Affected Products

Guarddog