Cli

GitHub CLI versions 2.92.0 and earlier incorrectly include authorization headers in API requests to TUF repository mirrors and external hosts when using the `gh attestation`, `gh release verify`, and `gh release verify-asset` commands, potentially exposing sensitive tokens.

Uniget is vulnerable to command injection because the `check` field is loaded directly from untrusted JSON metadata without validation, allowing an attacker to execute arbitrary shell commands on the victim's system when performing common uniget operations.