{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-04-16T22:59:52.363","vulnerabilities":[{"cve":{"id":"CVE-2026-27941","sourceIdentifier":"security-advisories@github.com","published":"2026-02-26T02:16:22.160","lastModified":"2026-03-06T20:06:09.357","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"OpenLIT is an open source platform for AI engineering. Prior to version 1.37.1, several GitHub Actions workflows in OpenLIT's GitHub repository use the `pull_request_target` event while checking out and executing untrusted code from forked pull requests. These workflows run with the security context of the base repository, including a write-privileged `GITHUB_TOKEN` and numerous sensitive secrets (API keys, database/vector store tokens, and a Google Cloud service account key). Version 1.37.1 contains a fix."},{"lang":"es","value":"OpenLIT es una plataforma de código abierto para ingeniería de IA. Antes de la versión 1.37.1, varios flujos de trabajo de GitHub Actions en el repositorio de GitHub de OpenLIT utilizan el evento 'pull_request_target' mientras extraen y ejecutan código no confiable de solicitudes de extracción bifurcadas. Estos flujos de trabajo se ejecutan con el contexto de seguridad del repositorio base, incluyendo un 'GITHUB_TOKEN' con privilegios de escritura y numerosos secretos sensibles (claves de API, tokens de base de datos/almacén vectorial y una clave de cuenta de servicio de Google Cloud). La versión 1.37.1 contiene una corrección."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H","baseScore":9.9,"baseSeverity":"CRITICAL","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"CHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"HIGH"},"exploitabilityScore":3.1,"impactScore":6.0}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-829"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:openlit:openlit_software_development_kit:*:*:*:*:*:python:*:*","versionStartIncluding":"1.36.2","versionEndExcluding":"1.37.1","matchCriteriaId":"4A765658-CA39-4F2B-94EF-64D0345C0F1F"}]}]}],"references":[{"url":"https://github.com/openlit/openlit/commit/4a62039a1659d6cbb8913172693f587b5fc2546c","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/openlit/openlit/security/advisories/GHSA-9jgv-x8cq-296q","source":"security-advisories@github.com","tags":["Exploit","Mitigation","Vendor Advisory"]}]}}]}