
Commit caae1cc

1 parent ef3ccde commit caae1cc

6 files changed

Lines changed: 367 additions & 33 deletions


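--- /dev/null
+++ b/GHSA-49pc-8936-wvfp.json
@@ -0,0 +1,65 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-49pc-8936-wvfp",
+"modified": "2026-02-20T21:14:50Z",
+"published": "2026-02-20T21:14:49Z",
+"aliases": [
+"CVE-2026-27492"
+],
+"summary": "Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused",
+"details": "### Impact\nEmail properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected.\n\n### Patches\nYes, the issue has been patched. Users should upgrade to v1.5.1 or later.\n\n### Workarounds\nIf upgrading immediately is not possible, instantiate a new client for each send:\n```js\nconst client = new Lettermint({ apiKey: process.env.LETTERMINT_API_KEY });\nawait client.email.to('...').subject('...').html('...').send();\n```\n\nThis ensures no state is carried over between sends.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "lettermint"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.5.1"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp"
+},
+{
+"type": "WEB",
+"url": "https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/lettermint/lettermint-node"
+},
+{
+"type": "WEB",
+"url": "https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-488"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-20T21:14:49Z",
+"nvd_published_at": null
+}
+}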
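Review bot: The advisory tells affected users to upgrade or create a fresh client per send, but says nothing about mail already sent while a reused client carried stale `to`, `html` or attachment state, which is what someone handling this as an incident needs to know. Since the details state that a previous send's properties can be delivered to a later send's recipients, upgrading does not undo prior cross-recipient leakage, so the Patches section should add a line such as `Applications that reused a client instance on affected versions should review their sent-mail logs for messages whose recipients, body or attachments were inherited from an earlier send.` The Patches body also still reads `Yes, the issue has been patched.`, an answer to the template's question rather than a sentence; `This issue is fixed in v1.5.1; upgrade to v1.5.1 or later.` reads cleanly. The AV:L/AC:H vector is a judgement call for a library whose failure mode is delivering content to the wrong remote recipient with no attacker involved; worth a second look, though not wrong on its face.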
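--- /dev/null
+++ b/GHSA-9jmq-xgjm-p8c2.json
@@ -0,0 +1,69 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-9jmq-xgjm-p8c2",
+"modified": "2026-02-20T21:15:36Z",
+"published": "2026-02-20T18:31:33Z",
+"aliases": [
+"CVE-2025-67438"
+],
+"summary": "Sync-in Server has a stored cross-site scripting (XSS) vulnerability",
+"details": "A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "npm",
+"name": "@sync-in/server"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.9.3"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67438"
+},
+{
+"type": "WEB",
+"url": "https://github.com/Sync-in/server/commit/a6276d067725637310e4e83a3eee337aae81f439"
+},
+{
+"type": "WEB",
+"url": "https://gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/Sync-in/server"
+},
+{
+"type": "WEB",
+"url": "https://github.com/Sync-in/server/releases/tag/v1.9.3"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-79"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-20T21:15:36Z",
+"nvd_published_at": "2026-02-20T16:22:02Z"
+}
+}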
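Review bot: The details describe cookie exfiltration from an uploaded SVG rendered inline, but the record carries no workaround, and the usual mitigation for SVG-upload XSS is configuration rather than code: serving user uploads with `Content-Disposition: attachment` (or from a separate origin under a restrictive CSP) stops the browser from executing embedded script regardless of any upload-time check. If the maintainers confirm that applies to Sync-in's file routes, a Workarounds sentence to that effect would help operators who cannot move to 1.9.3 immediately. The mention of session-cookie theft also implies the session cookie is readable from script; if so, marking it `HttpOnly` is hardening independent of this fix and worth stating. Both points are inferred from the description, not from the linked commit, and should be checked against it before being added.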
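--- /dev/null
+++ b/GHSA-gv8r-9rw9-9697.json
@@ -0,0 +1,99 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-gv8r-9rw9-9697",
+"modified": "2026-02-20T21:14:27Z",
+"published": "2026-02-20T21:14:27Z",
+"aliases": [],
+"summary": "Traefik affected by TLS ClientAuth Bypass on HTTP/3",
+"details": "### Summary\n\nThere is a potential vulnerability in Traefik managing HTTP/3 connections.\n\nMore details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.37\n- https://github.com/traefik/traefik/releases/tag/v3.6.8\n\n## Workarounds\n\nNo workaround\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/traefik/traefik"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"last_affected": "1.7.34"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/traefik/traefik/v2"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.11.37"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 2.11.36"
+}
+},
+{
+"package": {
+"ecosystem": "Go",
+"name": "github.com/traefik/traefik/v3"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "3.6.8"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 3.6.7"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/traefik/traefik/security/advisories/GHSA-gv8r-9rw9-9697"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/traefik/traefik"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-1395"
+],
+"severity": "CRITICAL",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-20T21:14:27Z",
+"nvd_published_at": null
+}
+}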
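Review bot: `"aliases": []` is empty even though the details body names CVE-2025-68121 as the canonical reference for this issue, so tooling that matches advisories by CVE (OSV consumers, scanners keyed on the NVD id) will not link this GHSA to it; unless the CVE is being withheld deliberately it should read `"aliases": ["CVE-2025-68121"]`, and the NVD URL should also appear under `references` with `"type": "ADVISORY"` as the other records in this commit do. The v1 entry uses `last_affected: 1.7.34` with no `fixed` event, which is the correct way to say 1.x is unfixed, but nothing in the text tells a 1.x user that no patch is coming; one sentence under Patches noting that only 2.11.37 and 3.6.8 are fixed would make that explicit. "No workaround" is also surprising for a bypass scoped to HTTP/3: if it only exists on that transport, disabling HTTP/3 on entry points that enforce client certificates would appear to mitigate it — that is an inference from the summary, not from a patch, and should be confirmed with the vendor before being written into the record.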
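--- /dev/null
+++ b/GHSA-q5fh-2hc8-f6rq.json
@@ -0,0 +1,69 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-q5fh-2hc8-f6rq",
+"modified": "2026-02-20T21:15:26Z",
+"published": "2026-02-20T21:15:25Z",
+"aliases": [
+"CVE-2026-27482"
+],
+"summary": "Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)",
+"details": "### Summary\n\n Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can\n issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.\n\n ### Details\n\n - Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.\n - Endpoints lacking browser protection/auth by default:\n - python/ray/dashboard/modules/serve/serve_head.py: @routes.delete(\"/api/serve/applications/\") calls serve.shutdown().\n - python/ray/dashboard/modules/job/job_head.py: @routes.delete(\"/api/jobs/{job_or_submission_id}\").\n - python/ray/dashboard/modules/job/job_agent.py: @routes.delete(\"/api/job_agent/jobs/{job_or_submission_id}\") (not wrapped with deny_browser_requests either).\n - Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.\n\n ### PoC\n\n Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.\n\n 1. Start Serve (or have jobs present).\n 2. From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:\n\n``` \nfetch(\"http://<dashboard-host>:8265/api/serve/applications/\", {\n method: \"DELETE\",\n headers: { \"User-Agent\": \"Mozilla/5.0\" } // browsers set this automatically\n });\n```\n\n Result: Serve shuts down.\n 3) Similarly, delete jobs:\n\n ` fetch(\"http://<dashboard-host>:8265/api/jobs/<job_or_submission_id>\", { method: \"DELETE\" });`\n ` fetch(\"http://<dashboard-agent>:52365/api/job_agent/jobs/<job_or_submission_id>\", { method: \"DELETE\" });`\n\n Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.\n\n ### Impact\n\n - Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).\n - No code execution from this vector, but breaks isolation/trust assumptions for “developer-only” endpoints.\n \n### Fix\nThe fix for this vulnerability is to update to Ray 2.54.0 or higher. \n\nFix PR: https://github.com/ray-project/ray/pull/60526",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "ray"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "2.54.0"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq"
+},
+{
+"type": "WEB",
+"url": "https://github.com/ray-project/ray/pull/60526"
+},
+{
+"type": "WEB",
+"url": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/ray-project/ray"
+},
+{
+"type": "WEB",
+"url": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-306"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-20T21:15:25Z",
+"nvd_published_at": null
+}
+}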
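Review bot: The details name the two preconditions (dashboard reachable on `--dashboard-host=0.0.0.0`, token auth off) but the record has no Workarounds section, even though those preconditions translate directly into mitigations for users who cannot move to 2.54.0: bind the dashboard and agent to localhost or a private interface, keep ports 8265 and 52365 off any network a browser can reach, and enable the dashboard token auth the description says is optional and off by default. A Workarounds section with those three lines would serve operators better than the PoC does. It is also worth a caveat that the fix, as described, extends the browser-origin heuristics (UA/Origin/Sec-Fetch) to DELETE; that is drive-by/CSRF hardening, not authentication, so any non-browser client that can reach the ports can still shut down Serve or delete jobs on 2.54.0 unless token auth is on — the fix PR is not in view, so confirm that against it before wording the advisory.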
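--- /dev/null
+++ b/GHSA-rcqw-6466-3mv7.json
@@ -0,0 +1,65 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-rcqw-6466-3mv7",
+"modified": "2026-02-20T21:15:06Z",
+"published": "2026-02-20T21:15:06Z",
+"aliases": [
+"CVE-2026-27568"
+],
+"summary": "AVideo has Stored Cross-Site Scripting via Markdown Comment Injection",
+"details": "## Vulnerability Type\nStored Cross-Site Scripting (XSS) — CWE-79.\n\n## Affected Product/Versions\nAVideo 18.0.\n\n## Root Cause Summary\nAVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links.\n\n## Impact Summary\nAn authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.\n\n## Resolution/Fix\nThe issue was confirmed and fixed in the master branch. An official release will be published soon.\n\n## Workarounds\nUntil the release is available, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.\n\n## Credits/Acknowledgement\nReported by Arkadiusz Marta (https://github.com/arkmarta/).",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "wwbn/avideo"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "21.0"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rcqw-6466-3mv7"
+},
+{
+"type": "WEB",
+"url": "https://github.com/WWBN/AVideo/commit/ade348ed6d28b3797162c3d9e98054fb09ec51d7"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/WWBN/AVideo"
+},
+{
+"type": "WEB",
+"url": "https://github.com/WWBN/AVideo/releases/tag/21.0"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-79"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-20T21:15:06Z",
+"nvd_published_at": null
+}
+}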
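Review bot: The human-readable text and the structured data disagree about the fix: `## Affected Product/Versions` says `AVideo 18.0.` and `## Resolution/Fix` says `An official release will be published soon.`, while `affected` declares every version before `21.0` vulnerable and the references point at the `21.0` release tag. One of the two is stale; if 21.0 is the fixed release the details should say `Fixed in AVideo 21.0; versions prior to 21.0 are affected.` and drop the "will be published soon" sentence, otherwise the `fixed` event is wrong and the range needs `last_affected` instead. The workaround is sound as far as I recall Parsedown 1.7's Safe Mode — it checks link schemes against an allowlist, which rejects `javascript:` — but Safe Mode also escapes raw HTML, so sites that rely on inline HTML in comments will see a behaviour change; that is a caveat worth one sentence, not an objection.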
