{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-26T21:46:35.089","vulnerabilities":[{"cve":{"id":"CVE-2025-53546","sourceIdentifier":"security-advisories@github.com","published":"2025-07-09T15:15:24.787","lastModified":"2026-06-17T09:38:25.440","vulnStatus":"Deferred","cveTags":[],"descriptions":[{"lang":"en","value":"Folo organizes feeds content into one timeline. Using pull_request_target on .github/workflows/auto-fix-lint-format-commit.yml can be exploited by attackers, since untrusted code can be executed having full access to secrets (from the base repo). By exploiting the vulnerability is possible to exfiltrate GITHUB_TOKEN which has high privileges. GITHUB_TOKEN can be used to completely overtake the repo since the token has content write privileges. This vulnerability is fixed in commit 585c6a591440cd39f92374230ac5d65d7dd23d6a."},{"lang":"es","value":"Folo organiza el contenido de los feeds en una sola línea de tiempo. El uso de pull_request_target en .github/workflows/auto-fix-lint-format-commit.yml puede ser explotado por atacantes, ya que se puede ejecutar código no confiable con acceso completo a los secretos (del repositorio base). Al explotar esta vulnerabilidad, es posible exfiltrar GITHUB_TOKEN, que tiene altos privilegios. GITHUB_TOKEN puede usarse para controlar completamente el repositorio, ya que el token tiene privilegios de escritura de contenido. \nEsta vulnerabilidad está corregida en el commit 585c6a591440cd39f92374230ac5d65d7dd23d6a."}],"affected":[{"source":"security-advisories@github.com","affectedData":[{"vendor":"RSSNext","product":"Folo","versions":[{"version":"< 585c6a591440cd39f92374230ac5d65d7dd23d6a","status":"affected"}]}]}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N","baseScore":9.1,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"NONE"},"exploitabilityScore":3.9,"impactScore":5.2}],"ssvcV203":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","ssvcData":{"timestamp":"2025-07-09T16:00:26.658492Z","id":"CVE-2025-53546","options":[{"exploitation":"poc"},{"automatable":"yes"},{"technicalImpact":"total"}],"role":"CISA Coordinator","version":"2.0.3"}}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Secondary","description":[{"lang":"en","value":"CWE-829"}]}],"references":[{"url":"https://github.com/RSSNext/Folo/commit/585c6a591440cd39f92374230ac5d65d7dd23d6a","source":"security-advisories@github.com"},{"url":"https://github.com/RSSNext/Folo/security/advisories/GHSA-h87r-5w74-qfm4","source":"security-advisories@github.com"},{"url":"https://github.com/RSSNext/Folo/security/advisories/GHSA-h87r-5w74-qfm4","source":"134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}]}