github
diff --git a/‎…-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json‎ ‎…-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json‎advisories/unreviewed/2026/02/GHSA-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json renamed to advisories/github-reviewed/2026/02/GHSA-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json
Lines changed: 32 additions & 4 deletions b/‎…-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json‎ ‎…-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json‎advisories/unreviewed/2026/02/GHSA-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json renamed to advisories/github-reviewed/2026/02/GHSA-2xf7-hmf6-p64j/GHSA-2xf7-hmf6-p64j.json
Lines changed: 32 additions & 4 deletions
diff --git a/‎advisories/github-reviewed/2026/02/GHSA-7587-4wv6-m68m/GHSA-7587-4wv6-m68m.json‎
Lines changed: 63 additions & 0 deletions b/‎advisories/github-reviewed/2026/02/GHSA-7587-4wv6-m68m/GHSA-7587-4wv6-m68m.json‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/02/GHSA-8h58-w33p-wq3g/GHSA-8h58-w33p-wq3g.json‎
Lines changed: 63 additions & 0 deletions b/‎advisories/github-reviewed/2026/02/GHSA-8h58-w33p-wq3g/GHSA-8h58-w33p-wq3g.json‎
Lines changed: 63 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/02/GHSA-8wc6-vgrq-x6cf/GHSA-8wc6-vgrq-x6cf.json‎
Lines changed: 82 additions & 0 deletions b/‎advisories/github-reviewed/2026/02/GHSA-8wc6-vgrq-x6cf/GHSA-8wc6-vgrq-x6cf.json‎
Lines changed: 82 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/02/GHSA-9pj7-jh2r-87g8/GHSA-9pj7-jh2r-87g8.json‎
Lines changed: 108 additions & 0 deletions b/‎advisories/github-reviewed/2026/02/GHSA-9pj7-jh2r-87g8/GHSA-9pj7-jh2r-87g8.json‎
Lines changed: 108 additions & 0 deletions
@@ -1,24 +1,52 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2xf7-hmf6-p64j",
-  "modified": "2026-02-13T12:31:21Z",
+  "modified": "2026-02-13T20:55:54Z",
   "published": "2026-02-13T12:31:21Z",
   "aliases": [
     "CVE-2026-20796"
   ],
+  "summary": "Mattermost doesn't properly validate channel membership at the time of data retrieval",
   "details": "Mattermost versions 10.11.x <= 10.11.9 fail to properly validate channel membership at the time of data retrieval which allows a deactivated user to learn team names they should not have access to via a race condition in the /common_teams API endpoint.. Mattermost Advisory ID: MMSA-2025-00549",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.11.10"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 10.11.9"
+      }
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20796"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mattermost/mattermost"
+    },
     {
       "type": "WEB",
       "url": "https://mattermost.com/security-updates"
@@ -29,8 +57,8 @@
       "CWE-367"
     ],
     "severity": "LOW",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:55:54Z",
     "nvd_published_at": "2026-02-13T11:16:10Z"
   }
 }
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7587-4wv6-m68m",
+  "modified": "2026-02-13T20:54:19Z",
+  "published": "2026-02-13T20:54:19Z",
+  "aliases": [],
+  "summary": "rPGP vulnerable to parser crash on crafted RSA secret key packets through CVE-2026-21895",
+  "details": "### Summary\nIt was possible to trigger an unhandled edge case in the Rust Crypto rsa crate through rPGP packet parsing functionality, and crash the process that runs rPGP. This problem has been patched in a new rsa version. The new release of rPGP ensures a patched version of the rsa crate is in use, which prevents this issue.\n\n### Details\nWhile parsing a special RSA secret key packet, rPGP calls the rsa crate with the provided key. On vulnerable versions, this results in a Rust \"panic\" during key construction. Note that an attacker can trigger this situation even in places where applications don't expect to handle foreign key material, for example while attempting to receive a message.\n\nFor more information on the rsa crate vulnerability, see https://github.com/RustCrypto/RSA/security/advisories/GHSA-9c48-w39g-hm26 and https://github.com/RustCrypto/RSA/pull/624.\nIn rPGP, this has been fixed via https://github.com/rpgp/rpgp/pull/698.\n\n### Impact\nThis issue impacts availability (i.e. applications can crash).\n\nAffected rPGP versions: rPGP 0.16.0-alpha.0 to 0.18.0\nVulnerable rsa versions: all before version 0.9.10\n\n### Workaround\nThe issue depends on the combination of affected rPGP and rsa versions. Users of affected rPGP versions can pin the patched rsa 0.9.10 via a cargo lockfile to mitigate the issue.\n\n### Attribution\nDiscovered by Christian Reitter from Radically Open Security during a security review for Proton AG.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "pgp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.16.0-alpha.0"
+            },
+            {
+              "fixed": "0.19.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-7587-4wv6-m68m"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rpgp/rpgp/pull/698"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rpgp/rpgp/commit/38efa49ce18b3821649de9cd8dea88a959b833a5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rpgp/rpgp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-703"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:54:19Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8h58-w33p-wq3g",
+  "modified": "2026-02-13T20:54:27Z",
+  "published": "2026-02-13T20:54:27Z",
+  "aliases": [],
+  "summary": "rPGP affected by crash in message handling for deeply nested messages",
+  "details": "### Summary\nPrevious rPGP versions could be caused to crash with a \"stack overflow\" when parsing messages that contain deeply nested message layers, such as messages with many signatures.\n\nrPGP 0.19.0 resolves this issue with a more robust message handling implementation (via https://github.com/rpgp/rpgp/pull/625).\n\n### Impact\nAn attacker could cause applications to crash in rPGP's message parsing subsystem, when applications attempt to ingest messages.\n\n### Attribution\nDiscovered internally during rPGP development, using a fuzz test suite previously contributed by Christian Reitter.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "pgp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.16.0-alpha.0"
+            },
+            {
+              "fixed": "0.19.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rpgp/rpgp/security/advisories/GHSA-8h58-w33p-wq3g"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rpgp/rpgp/pull/625"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rpgp/rpgp/commit/e82f2c7494ba277d62fd372d69b2c008473bbef8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rpgp/rpgp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-121"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:54:27Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,82 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8wc6-vgrq-x6cf",
+  "modified": "2026-02-13T20:53:58Z",
+  "published": "2026-02-13T20:53:58Z",
+  "aliases": [],
+  "summary": "Child processes spawned by Renovate incorrectly have full access to environment variables",
+  "details": "When Renovate spawns child processes, their access to environment variables is filtered to an allowlist, to prevent unauthorized access to privileged credentials that the Renovate process has access to.\n\nSince [42.68.1](https://github.com/renovatebot/renovate/releases/tag/42.68.1) (2025-12-30), this filtering had been **inadvertently removed**, and so any child processes spawned from these versions will have had access to any environment variables that Renovate has access to.\n\nThis could lead to [insider attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-insider-attack) and [outside attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-outsider-attack) being able to exflitrate secrets from the Renovate deployment.\n\nIt is recommended to rotate (+ revoke) any credentials that Renovate has access to, in case any spawned child processes have attempted to exfiltrate any secrets.\n\n## Impact\n\nChild processes spawned by Renovate (i.e. `npm install`, anything defined in [`postUpgradeTasks`](https://docs.renovatebot.com/configuration-options/#postupgradetasks) or [`postUpdateOptions`](https://docs.renovatebot.com/configuration-options/#postupdateoptions)) will have full access to the environment variables that the Renovate process has. \n\nThis could lead to [insider attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-insider-attack) and [outside attackers](https://docs.renovatebot.com/security-and-permissions/#execution-of-code-outsider-attack) being able to exflitrate secrets from the Renovate deployment.\n\n## Patches\n\nThis is patched in [42.96.3](https://github.com/renovatebot/renovate/releases/tag/42.96.3) and [43.4.4](https://github.com/renovatebot/renovate/releases/tag/43.4.4).\n\n## Workarounds\n\nThere are no workarounds, other than upgrading your Renovate version.\n\n## Why did this happen?\n\nAs part of work towards https://github.com/renovatebot/renovate/security/advisories/GHSA-pfq2-hh62-7m96, one of the [preparatory changes](https://github.com/renovatebot/renovate/pull/40212) we made was moving to [`execa`](https://www.npmjs.com/package/execa).\n\nOne of the default behaviours of `execa` is to [extend the process' environment variables with any new ones](https://github.com/sindresorhus/execa/tree/v8.0.1?tab=readme-ov-file#extendenv), rather than override them.\n\nThis was missed in code review, which meant that since this version, the full environment variables have been provided to any child processes spawned with `execa` by Renovate.\n\nThis was discovered as part of an unrelated change.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "renovate"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "42.68.1"
+            },
+            {
+              "fixed": "42.96.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "renovate"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "43.0.0"
+            },
+            {
+              "fixed": "43.4.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/renovatebot/renovate/security/advisories/GHSA-8wc6-vgrq-x6cf"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/renovatebot/renovate"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/renovatebot/renovate/releases/tag/42.96.3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/renovatebot/renovate/releases/tag/43.4.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-269"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:53:58Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,108 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9pj7-jh2r-87g8",
+  "modified": "2026-02-13T20:56:15Z",
+  "published": "2026-02-13T12:31:21Z",
+  "aliases": [
+    "CVE-2026-22892"
+  ],
+  "summary": "Mattermost doesn't validate user permissions when creating Jira issues from Mattermost posts",
+  "details": "Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to validate user permissions when creating Jira issues from Mattermost posts, which allows an authenticated attacker with access to the Jira plugin to read post content and attachments from channels they do not have access to via the /create-issue API endpoint by providing the post ID of an inaccessible post.. Mattermost Advisory ID: MMSA-2025-00550",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.2.0"
+            },
+            {
+              "fixed": "11.2.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 11.2.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.1.0"
+            },
+            {
+              "fixed": "11.1.3"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 11.1.2"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0"
+            },
+            {
+              "fixed": "10.11.10"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 10.11.9"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22892"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mattermost/mattermost"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:56:15Z",
+    "nvd_published_at": "2026-02-13T11:16:10Z"
+  }
+}