Skip to content

Commit 00baa88

Browse files
Advisory Database Sync
1 parent 03405cb commit 00baa88

123 files changed

Lines changed: 3372 additions & 136 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-qxvm-pcfm-qc39",
4+
"modified": "2026-06-16T21:30:08Z",
5+
"published": "2026-06-16T21:30:08Z",
6+
"aliases": [
7+
"CVE-2026-54322"
8+
],
9+
"summary": "Daytona: Cross-org IDOR in organization role update/delete — any org owner can rewrite or destroy another org's roles",
10+
"details": "### Summary\nDaytona's organization role update and delete endpoints authorized the caller as an owner of the organization named in the request path, but resolved and mutated the target role by its identifier alone, without verifying the role belonged to that organization. An authenticated user who owns any organization (organizations are self-service) could therefore modify the permissions of, or delete, a role belonging to a different organization, given that role's identifier.\n\n### Impact\nThis is a cross-tenant broken access control (IDOR) issue affecting multi-tenant deployments, including the managed Daytona platform. Using a target role's identifier, an attacker with owner rights over their own organization could:\n\n- Overwrite the target role's name and permission set, escalating or stripping privileges for every member and API key in the victim organization that holds that role.\n- Delete the target role, removing the associated permissions from its holders.\n- Observe the victim role's current permission set returned in the update response (limited information disclosure).\n\nExploitation requires knowledge of the target role's identifier, which is not enumerable across organizations and is not exposed to non-members through the API.\n\n### Affected versions\nAll versions up to and including 0.184.0.\n\n### Patches\nFixed in 0.185.0. The role update, delete, and role-assignment lookups are now scoped to the caller's organization, so a role belonging to another organization resolves to \"not found\" before any read or mutation. The managed Daytona platform was updated on release of 0.185.0.\n\n### Workarounds\nNone. Upgrade to 0.185.0. Single-organization self-hosted deployments are not exploitable, as the issue requires a second organization to target.\n\n### Credit\nReported by @vnth4nhnt.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V3",
14+
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:H/A:L"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Go",
21+
"name": "github.com/daytonaio/daytona"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "0.185.0"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "<= 0.184.0"
38+
}
39+
}
40+
],
41+
"references": [
42+
{
43+
"type": "WEB",
44+
"url": "https://github.com/daytonaio/daytona/security/advisories/GHSA-qxvm-pcfm-qc39"
45+
},
46+
{
47+
"type": "PACKAGE",
48+
"url": "https://github.com/daytonaio/daytona"
49+
}
50+
],
51+
"database_specific": {
52+
"cwe_ids": [
53+
"CWE-639",
54+
"CWE-862"
55+
],
56+
"severity": "HIGH",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-06-16T21:30:08Z",
59+
"nvd_published_at": null
60+
}
61+
}

advisories/unreviewed/2026/05/GHSA-fm65-xrrr-c358/GHSA-fm65-xrrr-c358.json

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-fm65-xrrr-c358",
4-
"modified": "2026-05-13T18:30:56Z",
4+
"modified": "2026-06-16T21:31:53Z",
55
"published": "2026-05-13T18:30:56Z",
66
"aliases": [
77
"CVE-2026-42946"

advisories/unreviewed/2026/06/GHSA-235f-qxww-6764/GHSA-235f-qxww-6764.json

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-235f-qxww-6764",
4-
"modified": "2026-06-15T21:30:39Z",
4+
"modified": "2026-06-16T21:31:54Z",
55
"published": "2026-06-15T21:30:39Z",
66
"aliases": [
77
"CVE-2026-38063"
88
],
99
"details": "Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -20,8 +25,10 @@
2025
}
2126
],
2227
"database_specific": {
23-
"cwe_ids": [],
24-
"severity": null,
28+
"cwe_ids": [
29+
"CWE-78"
30+
],
31+
"severity": "CRITICAL",
2532
"github_reviewed": false,
2633
"github_reviewed_at": null,
2734
"nvd_published_at": "2026-06-15T20:16:26Z"
Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-27pq-2ph8-8x25",
4+
"modified": "2026-06-16T21:31:59Z",
5+
"published": "2026-06-16T21:31:59Z",
6+
"aliases": [
7+
"CVE-2026-53855"
8+
],
9+
"details": "OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks via shell positional parameters. Attackers can combine allowlisted tools with shell positional arguments to place inline-eval content in shell carriers outside intended allowlist rules, enabling execution of unapproved shell-provided content.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "WEB",
24+
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-5cj2-3jr2-5h77"
25+
},
26+
{
27+
"type": "ADVISORY",
28+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53855"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://www.vulncheck.com/advisories/openclaw-shell-positional-parameters-bypass-in-inline-eval-checks"
33+
}
34+
],
35+
"database_specific": {
36+
"cwe_ids": [
37+
"CWE-184"
38+
],
39+
"severity": "HIGH",
40+
"github_reviewed": false,
41+
"github_reviewed_at": null,
42+
"nvd_published_at": "2026-06-16T19:17:02Z"
43+
}
44+
}
Lines changed: 29 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,29 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2c4x-2rp9-wr2h",
4+
"modified": "2026-06-16T21:32:01Z",
5+
"published": "2026-06-16T21:32:01Z",
6+
"aliases": [
7+
"CVE-2026-0154"
8+
],
9+
"details": "In Modem, there is a possible way to trigger a modem crash during a SIP REFER request due to memory corruption. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation.",
10+
"severity": [],
11+
"affected": [],
12+
"references": [
13+
{
14+
"type": "ADVISORY",
15+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0154"
16+
},
17+
{
18+
"type": "WEB",
19+
"url": "https://source.android.com/docs/security/bulletin/pixel/2026/2026-06-01"
20+
}
21+
],
22+
"database_specific": {
23+
"cwe_ids": [],
24+
"severity": null,
25+
"github_reviewed": false,
26+
"github_reviewed_at": null,
27+
"nvd_published_at": "2026-06-16T20:16:26Z"
28+
}
29+
}

advisories/unreviewed/2026/06/GHSA-2p5w-f38x-fgff/GHSA-2p5w-f38x-fgff.json

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2p5w-f38x-fgff",
4-
"modified": "2026-06-15T21:30:39Z",
4+
"modified": "2026-06-16T21:31:54Z",
55
"published": "2026-06-15T21:30:38Z",
66
"aliases": [
77
"CVE-2026-38061"
88
],
99
"details": "Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -20,8 +25,10 @@
2025
}
2126
],
2227
"database_specific": {
23-
"cwe_ids": [],
24-
"severity": null,
28+
"cwe_ids": [
29+
"CWE-78"
30+
],
31+
"severity": "CRITICAL",
2532
"github_reviewed": false,
2633
"github_reviewed_at": null,
2734
"nvd_published_at": "2026-06-15T20:16:26Z"
Lines changed: 36 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,36 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2r87-8x7j-8ppq",
4+
"modified": "2026-06-16T21:31:56Z",
5+
"published": "2026-06-16T21:31:56Z",
6+
"aliases": [
7+
"CVE-2026-47963"
8+
],
9+
"details": "DNG SDK versions 1.7.1 2536 and earlier are affected by an out-of-bounds read vulnerability that could lead to disclosure of sensitive memory. An attacker could leverage this vulnerability to disclose sensitive information. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
14+
}
15+
],
16+
"affected": [],
17+
"references": [
18+
{
19+
"type": "ADVISORY",
20+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47963"
21+
},
22+
{
23+
"type": "WEB",
24+
"url": "https://helpx.adobe.com/security/products/dng-sdk/apsb26-67.html"
25+
}
26+
],
27+
"database_specific": {
28+
"cwe_ids": [
29+
"CWE-125"
30+
],
31+
"severity": "MODERATE",
32+
"github_reviewed": false,
33+
"github_reviewed_at": null,
34+
"nvd_published_at": "2026-06-16T19:16:56Z"
35+
}
36+
}
Lines changed: 44 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,44 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-2w22-3f6x-3hf4",
4+
"modified": "2026-06-16T21:32:00Z",
5+
"published": "2026-06-16T21:32:00Z",
6+
"aliases": [
7+
"CVE-2026-53865"
8+
],
9+
"details": "OpenClaw before 2026.5.2 contains a path traversal vulnerability in maintenance task execution that allows workspace-derived service paths to influence trash command selection. Attackers can execute unintended local executables from operator-unintended paths during maintenance operations by manipulating workspace-derived environment paths.",
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
14+
},
15+
{
16+
"type": "CVSS_V4",
17+
"score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
}
19+
],
20+
"affected": [],
21+
"references": [
22+
{
23+
"type": "WEB",
24+
"url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rx78-29qr-5hq8"
25+
},
26+
{
27+
"type": "ADVISORY",
28+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53865"
29+
},
30+
{
31+
"type": "WEB",
32+
"url": "https://www.vulncheck.com/advisories/openclaw-arbitrary-command-execution-via-workspace-derived-service-path"
33+
}
34+
],
35+
"database_specific": {
36+
"cwe_ids": [
37+
"CWE-426"
38+
],
39+
"severity": "HIGH",
40+
"github_reviewed": false,
41+
"github_reviewed_at": null,
42+
"nvd_published_at": "2026-06-16T19:17:04Z"
43+
}
44+
}

advisories/unreviewed/2026/06/GHSA-2wqx-fp26-qh5v/GHSA-2wqx-fp26-qh5v.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2wqx-fp26-qh5v",
4-
"modified": "2026-06-16T18:32:38Z",
4+
"modified": "2026-06-16T21:31:56Z",
55
"published": "2026-06-16T18:32:38Z",
66
"aliases": [
77
"CVE-2026-12003"
@@ -30,6 +30,10 @@
3030
{
3131
"type": "WEB",
3232
"url": "https://https://mail.python.org/archives/list/security-announce@python.org/thread/JIFOBO7UX3LY4VJKJUOKYJV62CFR2IRH"
33+
},
34+
{
35+
"type": "WEB",
36+
"url": "http://www.openwall.com/lists/oss-security/2026/06/16/8"
3337
}
3438
],
3539
"database_specific": {

advisories/unreviewed/2026/06/GHSA-2x28-ghj8-5fhc/GHSA-2x28-ghj8-5fhc.json

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2x28-ghj8-5fhc",
4-
"modified": "2026-06-16T18:32:36Z",
4+
"modified": "2026-06-16T21:31:55Z",
55
"published": "2026-06-16T15:33:49Z",
66
"aliases": [
77
"CVE-2026-12305"
88
],
99
"details": "Memory safety bug fixed in Firefox 152. This vulnerability was fixed in Firefox 152 and Firefox ESR 140.12.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -36,8 +41,10 @@
3641
}
3742
],
3843
"database_specific": {
39-
"cwe_ids": [],
40-
"severity": null,
44+
"cwe_ids": [
45+
"CWE-119"
46+
],
47+
"severity": "HIGH",
4148
"github_reviewed": false,
4249
"github_reviewed_at": null,
4350
"nvd_published_at": "2026-06-16T13:16:30Z"

0 commit comments

Comments
 (0)