<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><title>Devsecops on HackingPassion.com : root@HackingPassion.com-[~]</title><link>https://hackingpassion.com/tags/devsecops/</link><description>Recent content in Devsecops on HackingPassion.com : root@HackingPassion.com-[~]</description><generator>Hugo</generator><language>en</language><lastBuildDate>Sun, 28 Jun 2026 15:28:45 +0200</lastBuildDate><atom:link href="https://hackingpassion.com/tags/devsecops/index.xml" rel="self" type="application/rss+xml"/><item><title>Your Gitea Docker Runner Gives Up Root Even With Privileged Mode Off</title><link>https://hackingpassion.com/gitea-act-runner-container-escape/</link><pubDate>Sun, 28 Jun 2026 15:28:45 +0200</pubDate><guid>https://hackingpassion.com/gitea-act-runner-container-escape/</guid><description>&lt;p>A Docker container on a Gitea build runner can break out to root on the host, the setting built to stop that does nothing, and there is no patch yet. &lt;strong>CVSS 9.9.&lt;/strong> A working proof of concept went public the same day the flaw was disclosed. The attacker only needs permission to run a workflow on a Docker-backed runner. The setting that fails here is &lt;code>privileged: false&lt;/code>. It switches off one flag and leaves the rest of the dangerous options live. This is &lt;strong>CVE-2026-58053&lt;/strong>.&lt;/p></description></item><item><title>PHP Composer Command Injection CVE-2026-40261</title><link>https://hackingpassion.com/php-composer-command-injection-cve-2026-40261/</link><pubDate>Wed, 15 Apr 2026 10:38:02 +0200</pubDate><guid>https://hackingpassion.com/php-composer-command-injection-cve-2026-40261/</guid><description>&lt;p>PHP Composer Has Two Flaws That Run Arbitrary Commands on Developer Machines
PHP Composer, the package manager that almost every PHP developer uses to build websites and applications, has two serious vulnerabilities that allow an attacker to run arbitrary commands on any machine running a vulnerable version. Neither one requires Perforce to be installed, configured, or even known about. Patches came out on April 14, 2026, and many environments will still be running vulnerable versions. 😏&lt;/p></description></item></channel></rss>