{"data":{"id":"62becc77-14cf-4bdf-8168-5922c6480d53","title":"CVE-2026-33075: FastGPT is an AI Agent building platform. In versions 4.14.8.3 and below, the fastgpt-preview-image.yml workflow is vuln","summary":"FastGPT (a platform for building AI agents) versions 4.14.8.3 and below have a critical security flaw: the fastgpt-preview-image.yml workflow uses pull_request_target (a GitHub Actions trigger that runs the workflow with access to the base repository's secrets) but executes code from an external contributor's fork. This allows attackers to run arbitrary code (commands of their choosing) in that privileged context, steal secrets, and potentially compromise the production container registry (the central storage system for packaged software).","solution":"N/A -- no mitigation discussed in source.","labels":["security"],"sourceUrl":"https://nvd.nist.gov/vuln/detail/CVE-2026-33075","publishedAt":"2026-03-20T09:16:15.877Z","cveId":"CVE-2026-33075","cweIds":["CWE-494","CWE-829"],"cvssScore":null,"cvssSeverity":null,"severity":"critical","attackType":["supply_chain"],"issueType":"vulnerability","affectedPackages":null,"affectedVendors":["HuggingFace"],"affectedVendorsRaw":["FastGPT"],"classifierModel":"claude-haiku-4-5-20251001","classifierPromptVersion":"v3","cvssVector":null,"attackVector":null,"attackComplexity":null,"privilegesRequired":null,"userInteraction":null,"exploitMaturity":"unknown","epssScore":0,"patchAvailable":null,"disclosureDate":"2026-03-20T09:16:15.877Z","capecIds":["CAPEC-437"],"crossRefCount":0,"attackSophistication":"moderate","impactType":["confidentiality","integrity","availability"],"aiComponentTargeted":"framework","llmSpecific":false,"classifierConfidence":0.95,"researchCategory":null,"atlasIds":["AML.T0010"]}}