Advisory Improvement: Enhancements and Cleanup for GHSA Workflow (6866)

advisories/github-reviewed/2025/03/GHSA-3jxr-23ph-c89g/GHSA-3jxr-23ph-c89g.json

@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3jxr-23ph-c89g",
-  "modified": "2025-06-03T17:32:56Z",
+  "modified": "2026-02-13T20:52:09Z",
   "published": "2025-03-04T18:33:43Z",
-  "aliases": [
-    "CVE-2025-23368"
-  ],
-  "summary": "Wildfly Elytron integration susceptible to brute force attacks via CLI",
-  "details": "A flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.",
+  "withdrawn": "2026-02-13T20:52:09Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: Wildfly Elytron integration susceptible to brute force attacks via CLI",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-qhp6-6p8p-2rqh. This link is maintained to preserve external references.\n\n### Original Description\nA flaw was found in Wildfly Elytron integration. The component does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame, making it more susceptible to brute force attacks via CLI.",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/01/GHSA-jp3q-wwp3-pwv9/GHSA-jp3q-wwp3-pwv9.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jp3q-wwp3-pwv9",
-  "modified": "2026-02-10T13:47:10Z",
+  "modified": "2026-02-13T14:57:31Z",
   "published": "2026-01-22T21:41:14Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-26188"
+  ],
   "summary": "Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue",
   "details": "**Summary**\nAn authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with `dangerouslySetInnerHTML` without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.\n\n**Affected Product**\n- Ecosystem: Packagist (Craft CMS plugin)\n- Package: solspace/craft-freeform\n- Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.\n\n**Details**\n- Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using `dangerouslySetInnerHTML` without sanitization.\n- Evidence: `dangerouslySetInnerHTML` on user-controlled properties in bundled CP JS at [packages/plugin/src/Resources/js/client/client.js](packages/plugin/src/Resources/js/client/client.js#L1).\n\n**PoCs**\n- Label-based XSS:\n  1. In Craft CP, create/edit a Freeform field and set its label to `<img src=x onerror=\"alert('xss-label')\">`.\n  2. Open the form builder view containing the field.\n  3. Alert executes (stored XSS).\n- Integration icon SVG:\n  1. Set an integration \"icon SVG\" to `<svg><script>alert('xss-icon')</script></svg>`.\n  2. Open the integrations CP view.\n  3. Script executes.\n\n**Impact**\nArbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.\n\n**Remediation**\n- Sanitize/HTML-encode all user-controlled strings before passing to `dangerouslySetInnerHTML`, or avoid it for labels/titles/icons.\n- Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.\n- Add regression tests with `<img onerror>` payloads to ensure no execution in builder/integration views.\n\n**Workarounds**\n- Restrict form-edit permissions to trusted admins only until patched.\n- Consider CSP that disallows inline scripts (defense-in-depth only).\n\n**Credits**\n- Discovered by https://www.linkedin.com/in/praveenkavinda/ | Prav33N-Sec.",
   "severity": [
@@ -41,9 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/solspace/craft-freeform/security/advisories/GHSA-jp3q-wwp3-pwv9"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26188"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/solspace/craft-freeform/commit/b9adad6cdf1eba5400aae8b1ae39bd7d4d33af5e"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/solspace/craft-freeform"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/solspace/craft-freeform/releases/tag/v5.14.7"
     }
   ],
   "database_specific": {
@@ -53,6 +67,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-22T21:41:14Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-02-12T23:16:09Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-wv3h-x6c4-r867/GHSA-wv3h-x6c4-r867.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wv3h-x6c4-r867",
-  "modified": "2026-02-10T13:47:26Z",
+  "modified": "2026-02-13T20:24:37Z",
   "published": "2026-01-21T09:31:30Z",
   "aliases": [
     "CVE-2025-14559"
@@ -25,14 +25,33 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "26.5.0"
             },
             {
               "fixed": "26.5.2"
             }
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.4.9"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [
@@ -44,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/keycloak/keycloak/issues/45651"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/commit/2d0aa31c4830ebaad094c3762e78b884c141e659"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/keycloak/keycloak/commit/d67349f3aa9fed5c61750619d0f9de6356aeaeff"

advisories/github-reviewed/2026/02/GHSA-27jp-wm6q-gp25/GHSA-27jp-wm6q-gp25.json

@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-27jp-wm6q-gp25",
+  "modified": "2026-02-13T16:16:11Z",
+  "published": "2026-02-13T16:16:11Z",
+  "aliases": [],
+  "summary": "sqlparse: formatting list of tuples leads to denial of service",
+  "details": "### Summary\nThe below gist hangs while attempting to format a long list of tuples.\n\nThis was found while [drafting a regression test for Dja\nngo 5.2's composite primary key feature](https://code.djangoproject.com/ticket/36416#comment:3), which allows querying composite fields with tuples.\n\n###",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "sqlparse"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.5.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.5.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/andialbrecht/sqlparse/security/advisories/GHSA-27jp-wm6q-gp25"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/andialbrecht/sqlparse/commit/40ed3aa958657fa4a82055927fa9de70ab903360"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/andialbrecht/sqlparse"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/andialbrecht/sqlparse/releases/tag/0.5.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T16:16:11Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/02/GHSA-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2xf7-hmf6-p64j",
+  "modified": "2026-02-13T20:55:54Z",
+  "published": "2026-02-13T12:31:21Z",
+  "aliases": [
+    "CVE-2026-20796"
+  ],
+  "summary": "Mattermost doesn't properly validate channel membership at the time of data retrieval",
+  "details": "Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MMSA-2025-00549",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.11.10"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 10.11.9"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20796"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mattermost/mattermost"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-367"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:55:54Z",
+    "nvd_published_at": "2026-02-13T11:16:10Z"
+  }
+}

advisories/github-reviewed/2026/02/GHSA-33mh-2634-fwr2/GHSA-33mh-2634-fwr2.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-33mh-2634-fwr2",
-  "modified": "2026-02-12T14:22:46Z",
+  "modified": "2026-02-13T17:16:36Z",
   "published": "2026-02-09T20:37:05Z",
   "aliases": [
     "CVE-2026-25765"

advisories/github-reviewed/2026/02/GHSA-37gf-gmxv-74wv/GHSA-37gf-gmxv-74wv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-37gf-gmxv-74wv",
-  "modified": "2026-02-10T18:35:15Z",
+  "modified": "2026-02-13T21:49:42Z",
   "published": "2026-02-09T21:31:03Z",
   "aliases": [
     "CVE-2026-1486"
@@ -25,14 +25,33 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "26.5.0"
             },
             {
               "fixed": "26.5.3"
             }
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-services"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.4.9"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [
@@ -52,6 +71,10 @@
       "type": "WEB",
       "url": "https://github.com/keycloak/keycloak/commit/176dc8902ce552056d3648c4601d519afc6fb043"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/commit/8316e8538f0037d9f998181e73122cff93a94035"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:2365"

advisories/unreviewed/2026/02/GHSA-38c4-r59v-3vqw/GHSA-38c4-r59v-3vqw.json → advisories/github-reviewed/2026/02/GHSA-38c4-r59v-3vqw/GHSA-38c4-r59v-3vqw.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-38c4-r59v-3vqw",
-  "modified": "2026-02-12T06:30:13Z",
+  "modified": "2026-02-13T20:04:39Z",
   "published": "2026-02-12T06:30:13Z",
   "aliases": [
     "CVE-2026-2327"
   ],
+  "summary": "markdown-it is has a Regular Expression Denial of Service (ReDoS)",
   "details": "Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "markdown-it"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "13.0.0"
+            },
+            {
+              "fixed": "14.1.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -31,9 +52,13 @@
       "type": "WEB",
       "url": "https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2ab988c917"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/markdown-it/markdown-it"
+    },
     {
       "type": "WEB",
-      "url": "https://github.com/markdown-it/markdown-it/blob/14.1.0/lib/rules_inline/linkify.mjs%23L33"
+      "url": "https://github.com/markdown-it/markdown-it/blob/14.1.0/lib/rules_inline/linkify.mjs#L33"
     },
     {
       "type": "WEB",
@@ -45,8 +70,8 @@
       "CWE-1333"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:04:39Z",
     "nvd_published_at": "2026-02-12T06:16:02Z"
   }
 }