Skip to main content

Goshs

1 CVEs product

Monthly

CVE-2026-40903 CRITICAL PATCH Act Now

Remote unauthenticated attackers can leak GitHub workflow tokens from goshs repositories via ArtiPACKED attack. The vulnerability exploits artifact packaging mechanisms to extract GITHUB_TOKEN credentials despite the token never appearing in source code. With CVSS 9.1 (Critical) and network attack vector requiring no authentication, this poses immediate risk to CI/CD pipelines using goshs. No public exploit identified at time of analysis, though the attack technique (ArtiPACKED) is documented. EPSS data unavailable; not listed in CISA KEV.

Information Disclosure Goshs
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
EPSS 0% CVSS 9.1
CRITICAL PATCH Act Now

Remote unauthenticated attackers can leak GitHub workflow tokens from goshs repositories via ArtiPACKED attack. The vulnerability exploits artifact packaging mechanisms to extract GITHUB_TOKEN credentials despite the token never appearing in source code. With CVSS 9.1 (Critical) and network attack vector requiring no authentication, this poses immediate risk to CI/CD pipelines using goshs. No public exploit identified at time of analysis, though the attack technique (ArtiPACKED) is documented. EPSS data unavailable; not listed in CISA KEV.

Information Disclosure Goshs
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy