Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-4rc3-7j7w-m548/GHSA-4rc3-7j7w-m548.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4rc3-7j7w-m548",
+  "modified": "2026-04-24T15:34:00Z",
+  "published": "2026-04-24T15:34:00Z",
+  "aliases": [
+    "CVE-2026-41311"
+  ],
+  "summary": "liquidjs has a Denial of Service via circular block reference in layout",
+  "details": "### Summary\n\nA circular block reference in `{% layout %}` / `{% block %}` causes an infinite recursive loop, consuming all available memory (~4GB) and crashing the Node.js process with `FATAL ERROR: JavaScript heap out of memory`. This allows any user who can submit a Liquid template to perform a Denial of Service attack.\n\n### Details\n\nIn `src/tags/block.ts`, during OUTPUT mode, each block looks up its render function from `ctx.getRegister('blocks')[this.block]`. When a block with name `a` is nested inside another block also named `a` in a child template, the inner block finds the outer block's render function and calls it. The outer block's templates contain the inner block again, creating infinite recursion with no termination condition.\n\nRelevant code (`src/tags/block.ts`, `getBlockRender` method):\n\n```typescript\nprivate getBlockRender (ctx: Context) {\n  const { liquid, templates } = this\n  const renderChild = ctx.getRegister('blocks')[this.block]\n  const renderCurrent = function * (superBlock: BlockDrop, emitter: Emitter) {\n    ctx.push({ block: superBlock })\n    yield liquid.renderer.renderTemplates(templates, ctx, emitter)\n    ctx.pop()\n  }\n  return renderChild\n    ? (superBlock: BlockDrop, emitter: Emitter) => renderChild(\n        new BlockDrop(\n          (emitter: Emitter) => renderCurrent(superBlock, emitter)\n        ),\n        emitter)\n    : renderCurrent\n}\n```\n\nWhen `renderChild` exists (same-name block found), it calls `renderChild` which re-renders templates containing the nested block, which again finds `renderChild`, and so on — infinite loop.\n\n### PoC\n\n**1. Create a layout file** (`layout.html`):\n\n```liquid\n<header>{% block a %}default-a{% endblock %}</header>\n<main>{% block b %}default-b{% endblock %}</main>\n<footer>{% block c %}default-c{% endblock %}</footer>\n```\n\n**2. Create a template that uses the layout:**\n\n```liquid\n{% layout \"layout\" %}\n{% block a %}outer-a {% block a %}inner-a{% endblock %}{% endblock %}\n{% block b %}content-b{% endblock %}\n{% block c %}content-c{% endblock %}\n```\n\n**3. Render:**\n\n```javascript\nconst { Liquid } = require('liquidjs')\nconst liquid = new Liquid({ root: './', extname: '.html' })\nliquid.renderFile('template').then(console.log)\n// Result: process hangs, memory grows to ~4GB, then crashes with OOM\n```\n\nThe anonymous block variant also triggers the same issue:\n\n```liquid\n{% layout \"parent\" %}\n{%block%}A{%block%}B{%endblock%}{%endblock%}\n```\n\n### Impact\n\n**Denial of Service (DoS).** Any application that accepts user-provided or user-influenced Liquid templates — such as CMS platforms, email template builders, multi-tenant SaaS products, or static site generators with untrusted input — can be crashed by a single malicious template. The attack requires no authentication beyond the ability to submit a template, and no special configuration. The Node.js process is killed by the OS due to memory exhaustion, causing complete service disruption.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "liquidjs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "10.25.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-4rc3-7j7w-m548"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/harttle/liquidjs/commit/e2311dfd6e82f73509308aa8a3a1fafc92e226f0"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/harttle/liquidjs"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-674"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-24T15:34:00Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-qx2v-qp2m-jg93/GHSA-qx2v-qp2m-jg93.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qx2v-qp2m-jg93",
+  "modified": "2026-04-24T15:31:42Z",
+  "published": "2026-04-24T15:31:42Z",
+  "aliases": [
+    "CVE-2026-41305"
+  ],
+  "summary": "PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
+  "details": "# PostCSS: XSS via Unescaped `</style>` in CSS Stringify Output\n\n## Summary\n\nPostCSS v8.5.5 (latest) does not escape `</style>` sequences when stringifying CSS ASTs. When user-submitted CSS is parsed and re-stringified for embedding in HTML `<style>` tags, `</style>` in CSS values breaks out of the style context, enabling XSS.\n\n## Proof of Concept\n\n```javascript\nconst postcss = require('postcss');\n\n// Parse user CSS and re-stringify for page embedding\nconst userCSS = 'body { content: \"</style><script>alert(1)</script><style>\"; }';\nconst ast = postcss.parse(userCSS);\nconst output = ast.toResult().css;\nconst html = `<style>${output}</style>`;\n\nconsole.log(html);\n// <style>body { content: \"</style><script>alert(1)</script><style>\"; }</style>\n//\n// Browser: </style> closes the style tag, <script> executes\n```\n\n**Tested output** (Node.js v22, postcss v8.5.5):\n```\nInput: body { content: \"</style><script>alert(1)</script><style>\"; }\nOutput: body { content: \"</style><script>alert(1)</script><style>\"; }\nContains </style>: true\n```\n\n## Impact\n\nImpact non-bundler use cases since bundlers for XSS on their own. Requires some PostCSS plugin to have malware code, which can inject XSS to website.\n\n## Suggested Fix\n\nEscape `</style` in all stringified output values:\n```javascript\noutput = output.replace(/<\\/(style)/gi, '<\\\\/$1');\n```\n\n## Credits\nDiscovered and reported by [Sunil Kumar](https://tharvid.in) ([@TharVid](https://github.com/TharVid))",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "postcss"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.5.10"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/postcss/postcss/security/advisories/GHSA-qx2v-qp2m-jg93"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41305"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/postcss/postcss"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/postcss/postcss/releases/tag/8.5.10"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-24T15:31:42Z",
+    "nvd_published_at": "2026-04-24T03:16:11Z"
+  }
+}

advisories/unreviewed/2022/01/GHSA-7xr9-9g9p-xmfp/GHSA-7xr9-9g9p-xmfp.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7xr9-9g9p-xmfp",
-  "modified": "2022-01-29T00:00:55Z",
+  "modified": "2026-04-24T15:32:17Z",
   "published": "2022-01-26T00:01:46Z",
   "aliases": [
     "CVE-2021-45340"
   ],
   "details": "In Libsixel prior to and including v1.10.3, a NULL pointer dereference in the stb_image.h component of libsixel allows attackers to cause a denial of service (DOS) via a crafted PICT file.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {

advisories/unreviewed/2022/02/GHSA-5mpg-37cw-j7g5/GHSA-5mpg-37cw-j7g5.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5mpg-37cw-j7g5",
-  "modified": "2022-03-02T00:00:34Z",
+  "modified": "2026-04-24T15:32:17Z",
   "published": "2022-02-20T00:00:30Z",
   "aliases": [
     "CVE-2021-46700"
   ],
   "details": "In libsixel 1.8.6, sixel_encoder_output_without_macro (called from sixel_encoder_encode_frame in encoder.c) has a double free.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {

advisories/unreviewed/2022/05/GHSA-273r-q5cp-p9c2/GHSA-273r-q5cp-p9c2.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-273r-q5cp-p9c2",
-  "modified": "2022-05-24T17:05:11Z",
+  "modified": "2026-04-24T15:32:16Z",
   "published": "2022-05-24T17:05:11Z",
   "aliases": [
     "CVE-2019-20023"
   ],
   "details": "A memory leak was discovered in image_buffer_resize in fromsixel.c in libsixel 1.8.4.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -21,6 +26,7 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-401",
       "CWE-772"
     ],
     "severity": "MODERATE",

advisories/unreviewed/2022/05/GHSA-29q2-x88c-692h/GHSA-29q2-x88c-692h.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-29q2-x88c-692h",
-  "modified": "2022-05-24T19:14:54Z",
+  "modified": "2026-04-24T15:32:17Z",
   "published": "2022-05-24T19:14:54Z",
   "aliases": [
     "CVE-2020-21547"
   ],
   "details": "Libsixel 1.8.2 contains a heap-based buffer overflow in the dither_func_fs function in tosixel.c.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {

advisories/unreviewed/2022/05/GHSA-3hx6-cm77-2752/GHSA-3hx6-cm77-2752.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3hx6-cm77-2752",
-  "modified": "2022-05-24T17:05:29Z",
+  "modified": "2026-04-24T15:32:16Z",
   "published": "2022-05-24T17:05:29Z",
   "aliases": [
     "CVE-2019-20205"
   ],
   "details": "libsixel 1.8.4 has an integer overflow in sixel_frame_resize in frame.c.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -20,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-190"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2022/05/GHSA-65xw-v37r-whx2/GHSA-65xw-v37r-whx2.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-65xw-v37r-whx2",
-  "modified": "2022-05-24T17:34:38Z",
+  "modified": "2026-04-24T15:32:16Z",
   "published": "2022-05-24T17:34:38Z",
   "aliases": [
     "CVE-2020-19668"
   ],
   "details": "Unverified indexs into the array lead to out of bound access in the gif_out_code function in fromgif.c in libsixel 1.8.6.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -21,7 +26,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-119"
+      "CWE-119",
+      "CWE-125"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2022/05/GHSA-6rrw-8mq7-2wvv/GHSA-6rrw-8mq7-2wvv.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6rrw-8mq7-2wvv",
-  "modified": "2022-05-24T17:03:37Z",
+  "modified": "2026-04-24T15:32:16Z",
   "published": "2022-05-24T17:03:37Z",
   "aliases": [
     "CVE-2019-19777"
   ],
   "details": "stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read in stbi__load_main.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -20,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-125"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2022/05/GHSA-72pv-4f7x-ghhf/GHSA-72pv-4f7x-ghhf.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-72pv-4f7x-ghhf",
-  "modified": "2022-05-24T17:03:37Z",
+  "modified": "2026-04-24T15:32:16Z",
   "published": "2022-05-24T17:03:37Z",
   "aliases": [
     "CVE-2019-19778"
   ],
   "details": "An issue was discovered in libsixel 1.8.2. There is a heap-based buffer over-read in the function load_sixel at loader.c.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -20,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-125"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,