Renovate Support & Health

GHSA-36j9-mx87-2cff CVSS_V3

Renovate vulnerable to arbitrary command injection via hermit manager and maliciously named dependencies

Published: 2026-01-13 Fixed in: 40.33.0

GHSA-36rh-ggpr-j3gj Unknown

Renovate vulnerable to Azure DevOps token leakage in logs

Published: 2020-09-14 Fixed in: 23.25.1

GHSA-3f44-xw83-3pmg CVSS_V3

Renovate vulnerable to arbitrary command injection via helmv3 manager and malicious Chart.yaml file

Published: 2026-01-13 Fixed in: 40.33.0

GHSA-5vjq-5jmg-39xq CVSS_V3

Renovate affected by remote code execution was possible using the bazel-module or bazelisk managers, when using lockFileMaintenance

Published: 2026-04-16 Fixed in: 43.102.11

GHSA-8wc6-vgrq-x6cf CVSS_V3

Child processes spawned by Renovate incorrectly have full access to environment variables

Published: 2026-02-13 Fixed in: 42.96.3

GHSA-fr4j-65pv-gjjj CVSS_V3

Renovate vulnerable to arbitrary command injection via npm manager and malicious Renovate configuration

Published: 2026-01-13 Fixed in: 40.33.0

GHSA-pfq2-hh62-7m96 CVSS_V3

Renovate vulnerable to arbitrary command injection via Gradle Wrapper and malicious `distributionUrl`

Published: 2026-01-13 Fixed in: 42.68.5

GHSA-rqgv-292v-5qgr CVSS_V3

Renovate vulnerable to arbitrary command injection via helmv3 manager and registryAliases

Published: 2024-04-23 Fixed in: 37.199.0

GHSA-v7x3-7hw7-pcjg CVSS_V3

Renovate vulnerable to leakage of temporary repository tokens into Pull Request comments

Published: 2019-10-21 Fixed in: 19.38.7

GHSA-xjr7-3c3g-m763 CVSS_V3

Renovate vulnerable to arbitrary command injection via gleam manager and malicious gleam.toml file

Published: 2026-01-13 Fixed in: 40.33.0

Renovate