Developer Tools & CI/CD
Developer tooling — IDEs, CI/CD pipelines, source control and artifact registries — has deep access to source code and build infrastructure, making it a high-value supply-chain target. This hub tracks CVEs across it.
| Metric | Value |
|---|---|
| Cumulative CVEs | 7,619 (across 248 monthly snapshots) |
| Latest month | 236 (+5.8% MoM, +268.8% YoY) |
| Peak month | 236 (Jun 26) |
| KEV this month | 0 |
| Vendors affected | 50 |
CVEs per month (chart): newest period on the right; each point corresponds to one monthly report.
Deployment mix
How this sector's software is typically delivered, i.e. whether you patch it yourself or a vendor does. AI-assisted vendor classification.
- On-prem: 78%
- Mixed: 22%
Latest CVEs in this sector
The 15 most recently published vulnerabilities tagged to Developer Tools & CI/CD.
- CVE-2026-54672: electron-updater: Uncontrolled search path elements within `AppImage` built by `app-builder-lib` (score 7.8)
- CVE-2026-12085: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insertion of Sensitive Information Into Sent Data vulnerability (score 6.5)
- CVE-2026-12086: IBM DevOps Deploy / IBM UrbanCode Deploy (UCD) is susceptible to an Insertion of Sensitive Information into Log File vulnerability (score 6.2)
- CVE-2026-58370: Woodpecker < 3.15.0 - GitLab Approval Gate Bypass via Spoofable Commit Author Name (score 8.1)
- CVE-2026-58369: Woodpecker < 3.15.0 - Unauthenticated NULL Pointer Dereference in /api/orgs/lookup Enables Log-Flooding Denial of Service (score 5.3)
- CVE-2026-41053: Over-inclusive team membership expansion in GitHub App authentication provider for Rancher (score 8.8)
- CVE-2026-13574: llvm llvm-project Bitcode File IntrinsicInst.cpp getBasePtr heap-based overflow (score 3.3)
- CVE-2026-13573: llvm llvm-project ValueSymbolTable ValueSymbolTable.cpp insert stack-based overflow (score 3.3)
- CVE-2026-58053: Gitea act_runner - Container Hardening Bypass via Workflow Container Options (score 9.9)
- CVE-2026-49869: Kestra: Unauthenticated Remote Code Execution via Authentication Bypass in `AuthenticationFilter` (score 10.0)
- CVE-2026-45807: Kestra: Path traversal via URL-encoded "%2E%2E" in execution and namespace file endpoints allows arbitrary file read (score 7.7)
- CVE-2026-49984: Kestra: Path traversal in `LocalStorage` allows any authenticated user to read arbitrary server files via the execution file-download API (`\..\` bypasses the `..` guard) (score 7.7)
- CVE-2026-53576: Kestra: Unauthenticated RCE via /configs path-suffix auth-filter bypass (score 10.0)
- CVE-2026-53577: Kestra: Cross-Execution File Read via Preview Endpoint (IDOR) (score 6.5)
- CVE-2026-55069: Kestra BasicAuth Password Stored as SHA-512 Enables Offline Brute-Force Attack (score 8.7)
Weakness fingerprint
Top CWE classes in this sector, latest monthly snapshot (chart).
Subsectors
Breakdown for the latest monthly snapshot.
| Subsector | CVEs | Crit | KEV | Vendors | MoM | Top products |
|---|---|---|---|---|---|---|
| ci-cd | 120 | 11 | · | 17 | — | gitlab (25) · gogs (24) · jenkins (16) |
| — | 53 | 8 | · | 10 | — | nezha (13) · grpc-device (7) · ni grpc device server (7) |
| ide-editor | 28 | 5 | · | 7 | — | instrumentstudio (7) · visual studio code (7) · youtrack (6) |
| build-test-tools | 27 | 6 | · | 12 | — | altium enterprise server (7) · mise (4) · altium 365 (3) |
| artifact-registry | 5 | · | · | 2 | — | nexus repository manager (2) · red hat quay 3 (2) · nexus repository (1) |
| source-control | 3 | · | · | 2 | — | weblate (2) · jenkins-server-mcp (1) |
Sector classification is AI-assisted with human review.