Security: renovatebot/renovate
Security Advisories
View known security vulnerabilities and report new vulnerabilities privately to maintainers.
-
Remote code execution was possible using the bazel-module or bazelisk managers, when using `lockFileMaintenance`GHSA-5vjq-5jmg-39xq published
Apr 14, 2026 by jamietannaModerate -
Child processes spawned by Renovate incorrectly have full access to environment variablesGHSA-8wc6-vgrq-x6cf published
Feb 13, 2026 by jamietannaModerate -
Arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`GHSA-pfq2-hh62-7m96 published
Jan 13, 2026 by jamietannaModerate -
Arbitrary command injection via kustomize manager and malicious helm repositoryGHSA-xv56-3wq5-9997 published
Jan 13, 2026 by jamietannaModerate -
Arbitrary command injection via npm manager and malicious Renovate configurationGHSA-fr4j-65pv-gjjj published
Jan 13, 2026 by jamietannaModerate -
Arbitrary command injection via hermit manager and maliciously named dependenciesGHSA-36j9-mx87-2cff published
Jan 13, 2026 by jamietannaModerate -
Arbitrary command injection via helmv3 manager and malicious Chart.yaml fileGHSA-3f44-xw83-3pmg published
Jan 13, 2026 by jamietannaModerate -
Arbitrary command injection via gleam manager and malicious gleam.toml fileGHSA-xjr7-3c3g-m763 published
Jan 13, 2026 by jamietannaModerate -
Arbitrary command injection via helmv3 manager and registryAliasesGHSA-rqgv-292v-5qgr published
Apr 23, 2024 by rarkinsModerate -
Azure DevOps token leakage in logsGHSA-36rh-ggpr-j3gj published
Sep 12, 2020 by rarkinsModerate