Skip to content

Commit 0601fa3

Browse files
Advisory Database Sync
1 parent 1de738d commit 0601fa3

106 files changed

Lines changed: 1752 additions & 233 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 90 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,90 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-24x4-j6x9-rfw5",
4+
"modified": "2026-07-06T21:29:16Z",
5+
"published": "2026-07-06T21:29:16Z",
6+
"aliases": [
7+
"CVE-2026-55790"
8+
],
9+
"summary": "Craft CMS: DOM XSS via GitHub issue title in CraftSupport widget",
10+
"details": "## Summary\n\nAn attacker with only a GitHub account can plant a JavaScript payload in a `craftcms/cms` issue title. When a Craft admin uses the CraftSupport widget’s \"Give feedback\" screen and types a search term that returns the poisoned issue, the payload executes in the admin’s control panel session.\n\nNo control panel account or elevated privileges are required on the attacker’s side.\n\n## Preconditions\n\n- Attacker has a GitHub account (no control panel access needed).\n- Victim is an administrator, and you have the CraftSupport widget on the dashboard.\n- Victim uses the \"Give feedback\" screen and types a search term that returns the poisoned issue.\n\n## Root cause\n\n`CraftSupportWidget.js` lines 382-392:\n\n```js\n$('<a>', {\n href: this.getSearchResultUrl(results[i]),\n target: '_blank',\n html:\n '<span class=\"status ' +\n this.getSearchResultStatus(results[i]) +\n '\"></span>' +\n this.getSearchResultText(results[i]),\n})\n```\n\n`FeedbackScreen.getSearchResultText` (line 669-671) returns `result.title` verbatim from the GitHub API response. The jQuery `html:` option sets the element’s `innerHTML`, so a title containing `<img src=x onerror=...>` executes immediately on render.\n\nThe GitHub API returns issue titles as raw JSON strings with no HTML encoding. The widget makes this request directly from the browser, without a Craft proxy or any sanitization step.\n\n`HelpScreen` (Stack Exchange) is not affected because the Stack Exchange API HTML-encodes titles before returning them.\n\n## Steps to reproduce\n\n**Plant (attacker, GitHub account only):**\n\n1. Open `https://github.com/craftcms/cms/issues/new`.\n2. Set the title to a string combining a plausible search term and the payload, e.g.:\n\n```\n<img src=x onerror=alert(document.domain)> cannot upload files\n```\n\n3. Submit the issue.\n\n**Trigger (victim, Craft admin):**\n\n1. Open the Craft control panel dashboard.\n2. Open the CraftSupport widget, click \"Give feedback\".\n3. Type `cannot upload files` in the search box.\n4. `alert(document.domain)` fires in the admin's session.\n\n## Impact\n\nXSS in the admin control panel session. The payload has access to `Craft.csrfTokenName` and `Craft.csrfTokenValue` and can send same-origin action requests as the admin without any further interaction.\n\n## Mitigating factors\n\n- Victim must actively use the \"Give feedback\" search screen.\n- Attacker must predict or social-engineer a search term the admin will type, or use a broad term likely to match.\n- Widget is only available to admins.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/6bbb66038a268552180ca5c8eed9f46ea25a4417",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "craftcms/cms"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "5.0.0-RC1"
29+
},
30+
{
31+
"fixed": "5.9.23"
32+
}
33+
]
34+
}
35+
],
36+
"database_specific": {
37+
"last_known_affected_version_range": "< 5.9.22"
38+
}
39+
},
40+
{
41+
"package": {
42+
"ecosystem": "Packagist",
43+
"name": "craftcms/cms"
44+
},
45+
"ranges": [
46+
{
47+
"type": "ECOSYSTEM",
48+
"events": [
49+
{
50+
"introduced": "4.0.0-RC1"
51+
},
52+
{
53+
"fixed": "4.17.16"
54+
}
55+
]
56+
}
57+
],
58+
"database_specific": {
59+
"last_known_affected_version_range": "< 4.17.15"
60+
}
61+
}
62+
],
63+
"references": [
64+
{
65+
"type": "WEB",
66+
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-24x4-j6x9-rfw5"
67+
},
68+
{
69+
"type": "ADVISORY",
70+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55790"
71+
},
72+
{
73+
"type": "WEB",
74+
"url": "https://github.com/craftcms/cms/commit/6bbb66038a268552180ca5c8eed9f46ea25a4417"
75+
},
76+
{
77+
"type": "PACKAGE",
78+
"url": "https://github.com/craftcms/cms"
79+
}
80+
],
81+
"database_specific": {
82+
"cwe_ids": [
83+
"CWE-79"
84+
],
85+
"severity": "HIGH",
86+
"github_reviewed": true,
87+
"github_reviewed_at": "2026-07-06T21:29:16Z",
88+
"nvd_published_at": "2026-07-01T23:16:52Z"
89+
}
90+
}
Lines changed: 84 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,84 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-287w-mxq6-x2cp",
4+
"modified": "2026-07-06T21:29:49Z",
5+
"published": "2026-07-06T21:29:49Z",
6+
"aliases": [
7+
"CVE-2026-55792"
8+
],
9+
"summary": "Craft CMS: Sensitive File Disclosure / Server-Side File Read",
10+
"details": "The `dataUrl()` Twig function is included in Craft’s Twig sandbox allowlist, allowing any control panel user granted the `utility:system-messages` permission to embed a file-reading payload into system email templates. When those emails are sent, the server reads the target file and returns its contents as a base64-encoded data URL embedded in the email body. The .env file, which typically contains the database password, CRAFT_SECURITY_KEY, and third-party API keys, passes all of Craft’s existing `dataUrl()` protection checks and is fully exfiltrated. Obtaining CRAFT_SECURITY_KEY enables an attacker to forge session tokens and escalate to full admin account takeover.\n\n## Details\nAffected versions: Craft CMS 4.x, 5.x (confirmed against 5.9.19)\n\nThe vulnerability arises from the combination of three code facts:\n1. dataUrl is in the Twig sandbox allowlist\nsrc/config/twig-sandbox.php, line 115:\nphp'allowedFunctions' => [\n ...\n 'dataUrl', // ← allows file reading inside sandboxed templates\n ...\n],\n\n2. Html::dataUrl() does not block dotfiles\nsrc/helpers/Html.php, lines 1065–1090. The function applies four checks before reading a file:\n\nMust be within the project root .env is at the root\nMust not be in a system directory (config/, vendor/, storage/, templates/) .env is not\nMust not be a .php file .env has no extension\nFile must exist .env always exists in a Craft install\n\nThere is no check for dotfiles or specifically for .env. All four checks pass silently and file_get_contents() is called, with the result returned as data:text/plain;base64,....\n\n3. System message body is rendered via renderSandboxedString()\nsrc/mail/Mailer.php, lines 181–183:\nphp$subject = $view->renderSandboxedString($systemMessage->subject, $variables);\n$textBody = $view->renderSandboxedString($systemMessage->body, $variables);\n$htmlBody = $view->renderSandboxedString($systemMessage->body, $variables, escapeHtml: true);\n\nAny body content saved to a system message is executed inside the Twig sandbox when the email renders. Because dataUrl is in allowedFunctions, the sandbox policy permits its execution without restriction.\n\nAccess control: The utility:system-messages permission is a non-admin CP permission grantable to any user group via Settings > Users > Groups. It is not restricted to admins.\n\n## Impact\nVulnerability type: Sensitive File Disclosure / Server-Side File Read\nWho is impacted: Any Craft CMS 4.x or 5.x installation where at least one non-admin control panel user has been granted the utility:system-messages permission, and email sending is configured.\n\nResources:\n\n- https://github.com/craftcms/cms/pull/18559",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "Packagist",
21+
"name": "craftcms/cms"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "4.0.0-RC1"
29+
},
30+
{
31+
"fixed": "4.18.0"
32+
}
33+
]
34+
}
35+
]
36+
},
37+
{
38+
"package": {
39+
"ecosystem": "Packagist",
40+
"name": "craftcms/cms"
41+
},
42+
"ranges": [
43+
{
44+
"type": "ECOSYSTEM",
45+
"events": [
46+
{
47+
"introduced": "5.0.0-RC1"
48+
},
49+
{
50+
"fixed": "5.10.0"
51+
}
52+
]
53+
}
54+
]
55+
}
56+
],
57+
"references": [
58+
{
59+
"type": "WEB",
60+
"url": "https://github.com/craftcms/cms/security/advisories/GHSA-287w-mxq6-x2cp"
61+
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-55792"
65+
},
66+
{
67+
"type": "WEB",
68+
"url": "https://github.com/craftcms/cms/pull/18559"
69+
},
70+
{
71+
"type": "PACKAGE",
72+
"url": "https://github.com/craftcms/cms"
73+
}
74+
],
75+
"database_specific": {
76+
"cwe_ids": [
77+
"CWE-200"
78+
],
79+
"severity": "MODERATE",
80+
"github_reviewed": true,
81+
"github_reviewed_at": "2026-07-06T21:29:49Z",
82+
"nvd_published_at": "2026-07-02T00:16:44Z"
83+
}
84+
}

advisories/unreviewed/2026/04/GHSA-cmj5-x3xf-69wq/GHSA-cmj5-x3xf-69wq.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-cmj5-x3xf-69wq",
4-
"modified": "2026-07-06T18:30:35Z",
4+
"modified": "2026-07-06T21:30:25Z",
55
"published": "2026-04-30T18:30:32Z",
66
"aliases": [
77
"CVE-2026-33845"
@@ -35,6 +35,10 @@
3535
"type": "WEB",
3636
"url": "https://access.redhat.com/errata/RHSA-2026:36006"
3737
},
38+
{
39+
"type": "WEB",
40+
"url": "https://access.redhat.com/errata/RHSA-2026:36005"
41+
},
3842
{
3943
"type": "WEB",
4044
"url": "https://access.redhat.com/errata/RHSA-2026:36004"

advisories/unreviewed/2026/05/GHSA-9gx7-g5hv-xjjj/GHSA-9gx7-g5hv-xjjj.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-9gx7-g5hv-xjjj",
4-
"modified": "2026-07-06T18:30:36Z",
4+
"modified": "2026-07-06T21:30:25Z",
55
"published": "2026-05-18T15:30:37Z",
66
"aliases": [
77
"CVE-2026-42009"
@@ -39,6 +39,10 @@
3939
"type": "WEB",
4040
"url": "https://access.redhat.com/errata/RHSA-2026:36006"
4141
},
42+
{
43+
"type": "WEB",
44+
"url": "https://access.redhat.com/errata/RHSA-2026:36005"
45+
},
4246
{
4347
"type": "WEB",
4448
"url": "https://access.redhat.com/errata/RHSA-2026:36004"

advisories/unreviewed/2026/05/GHSA-m3r7-xjq8-gc4r/GHSA-m3r7-xjq8-gc4r.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-m3r7-xjq8-gc4r",
4-
"modified": "2026-07-06T18:30:35Z",
4+
"modified": "2026-07-06T21:30:25Z",
55
"published": "2026-05-07T12:31:23Z",
66
"aliases": [
77
"CVE-2026-42010"
@@ -39,6 +39,10 @@
3939
"type": "WEB",
4040
"url": "https://access.redhat.com/errata/RHSA-2026:36006"
4141
},
42+
{
43+
"type": "WEB",
44+
"url": "https://access.redhat.com/errata/RHSA-2026:36005"
45+
},
4246
{
4347
"type": "WEB",
4448
"url": "https://access.redhat.com/errata/RHSA-2026:36004"

advisories/unreviewed/2026/05/GHSA-qcj7-gqxf-2cqq/GHSA-qcj7-gqxf-2cqq.json

Lines changed: 5 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-qcj7-gqxf-2cqq",
4-
"modified": "2026-07-06T18:30:35Z",
4+
"modified": "2026-07-06T21:30:25Z",
55
"published": "2026-05-04T12:30:28Z",
66
"aliases": [
77
"CVE-2026-33846"
@@ -35,6 +35,10 @@
3535
"type": "WEB",
3636
"url": "https://access.redhat.com/errata/RHSA-2026:36006"
3737
},
38+
{
39+
"type": "WEB",
40+
"url": "https://access.redhat.com/errata/RHSA-2026:36005"
41+
},
3842
{
3943
"type": "WEB",
4044
"url": "https://access.redhat.com/errata/RHSA-2026:36004"

advisories/unreviewed/2026/06/GHSA-2885-rcqv-3jp6/GHSA-2885-rcqv-3jp6.json

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2885-rcqv-3jp6",
4-
"modified": "2026-06-26T21:32:17Z",
4+
"modified": "2026-07-06T21:30:26Z",
55
"published": "2026-06-26T21:32:17Z",
66
"aliases": [
77
"CVE-2026-53313"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\ndrm/amd/display: Avoid NULL dereference in dc_dmub_srv error paths\n\nIn dc_dmub_srv_log_diagnostic_data() and\ndc_dmub_srv_enable_dpia_trace().\n\nBoth functions check:\n\n if (!dc_dmub_srv || !dc_dmub_srv->dmub)\n\nand then call DC_LOG_ERROR() inside that block.\n\nDC_LOG_ERROR() uses dc_dmub_srv->ctx internally. So if\ndc_dmub_srv is NULL, the logging itself can dereference a\nNULL pointer and cause a crash.\n\nFix this by splitting the checks.\n\nFirst check if dc_dmub_srv is NULL and return immediately.\nThen check dc_dmub_srv->dmub and log the error only when\ndc_dmub_srv is valid.\n\nFixes the below:\n../display/dc/dc_dmub_srv.c:962 dc_dmub_srv_log_diagnostic_data() error: we previously assumed 'dc_dmub_srv' could be null (see line 961)\n../display/dc/dc_dmub_srv.c:1167 dc_dmub_srv_enable_dpia_trace() error: we previously assumed 'dc_dmub_srv' could be null (see line 1166)",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -24,8 +29,10 @@
2429
}
2530
],
2631
"database_specific": {
27-
"cwe_ids": [],
28-
"severity": null,
32+
"cwe_ids": [
33+
"CWE-476"
34+
],
35+
"severity": "MODERATE",
2936
"github_reviewed": false,
3037
"github_reviewed_at": null,
3138
"nvd_published_at": "2026-06-26T20:17:24Z"

advisories/unreviewed/2026/06/GHSA-2vjf-7vmh-8jpp/GHSA-2vjf-7vmh-8jpp.json

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-2vjf-7vmh-8jpp",
4-
"modified": "2026-06-26T21:32:17Z",
4+
"modified": "2026-07-06T21:30:26Z",
55
"published": "2026-06-26T21:32:17Z",
66
"aliases": [
77
"CVE-2026-53308"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\npower: supply: max77705: Free allocated workqueue and fix removal order\n\nUse devm interface for allocating workqueue to fix two bugs at the same\ntime:\n\n1. Driver leaks the memory on remove(), because the workqueue is not\n destroyed.\n\n2. Driver allocates workqueue and then registers interrupt handlers\n with devm interface. This means that probe error paths will not use a\n reversed order, but first destroy the workqueue and then, via devm\n release handlers, free the interrupt.\n\n The interrupt handler schedules work on this exact workqueue, thus if\n interrupt is hit in this short time window - after destroying\n workqueue, but before devm() frees the interrupt - the schedulled\n work will lead to use of freed memory.\n\nChange is not equivalent in the workqueue itself: use non-legacy API\nwhich does not set (__WQ_LEGACY | WQ_MEM_RECLAIM). The workqueue is\nused to update power supply (power_supply_changed()) status, thus there\nis no point to run it for memory reclaim. Note that dev_name() is not\ndirectly used in second argument to prevent possible unlikely parsing\nany \"%\" character in device name as format.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -24,8 +29,10 @@
2429
}
2530
],
2631
"database_specific": {
27-
"cwe_ids": [],
28-
"severity": null,
32+
"cwe_ids": [
33+
"CWE-401"
34+
],
35+
"severity": "MODERATE",
2936
"github_reviewed": false,
3037
"github_reviewed_at": null,
3138
"nvd_published_at": "2026-06-26T20:17:24Z"

advisories/unreviewed/2026/06/GHSA-32q2-cq6r-mpm8/GHSA-32q2-cq6r-mpm8.json

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-32q2-cq6r-mpm8",
4-
"modified": "2026-06-26T21:32:17Z",
4+
"modified": "2026-07-06T21:30:26Z",
55
"published": "2026-06-26T21:32:17Z",
66
"aliases": [
77
"CVE-2026-53311"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nfuse: fix uninit-value in fuse_dentry_revalidate()\n\nfuse_dentry_revalidate() may be called with a dentry that didn't had\n->d_time initialised. The issue was found with KMSAN, where lookup_open()\ncalls __d_alloc(), followed by d_revalidate(), as shown below:\n\n=====================================================\nBUG: KMSAN: uninit-value in fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394\n fuse_dentry_revalidate+0x150/0x13d0 fs/fuse/dir.c:394\n d_revalidate fs/namei.c:1030 [inline]\n lookup_open fs/namei.c:4405 [inline]\n open_last_lookups fs/namei.c:4583 [inline]\n path_openat+0x1614/0x64c0 fs/namei.c:4827\n do_file_open+0x2aa/0x680 fs/namei.c:4859\n[...]\n\nUninit was created at:\n slab_post_alloc_hook mm/slub.c:4466 [inline]\n slab_alloc_node mm/slub.c:4788 [inline]\n kmem_cache_alloc_lru_noprof+0x382/0x1280 mm/slub.c:4807\n __d_alloc+0x55/0xa00 fs/dcache.c:1740\n d_alloc_parallel+0x99/0x2740 fs/dcache.c:2604\n lookup_open fs/namei.c:4398 [inline]\n open_last_lookups fs/namei.c:4583 [inline]\n path_openat+0x135f/0x64c0 fs/namei.c:4827\n do_file_open+0x2aa/0x680 fs/namei.c:4859\n[...]\n=====================================================",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -28,8 +33,10 @@
2833
}
2934
],
3035
"database_specific": {
31-
"cwe_ids": [],
32-
"severity": null,
36+
"cwe_ids": [
37+
"CWE-908"
38+
],
39+
"severity": "MODERATE",
3340
"github_reviewed": false,
3441
"github_reviewed_at": null,
3542
"nvd_published_at": "2026-06-26T20:17:24Z"

advisories/unreviewed/2026/06/GHSA-36x8-5j9r-qw5f/GHSA-36x8-5j9r-qw5f.json

Lines changed: 11 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,13 +1,18 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-36x8-5j9r-qw5f",
4-
"modified": "2026-06-26T21:32:17Z",
4+
"modified": "2026-07-06T21:30:26Z",
55
"published": "2026-06-26T21:32:17Z",
66
"aliases": [
77
"CVE-2026-53318"
88
],
99
"details": "In the Linux kernel, the following vulnerability has been resolved:\n\nwifi: mt76: mt7925: prevent NULL pointer dereference in mt7925_tx_check_aggr()\n\nMove the NULL check for 'sta' before dereferencing it to prevent a\npossible crash.",
10-
"severity": [],
10+
"severity": [
11+
{
12+
"type": "CVSS_V3",
13+
"score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
14+
}
15+
],
1116
"affected": [],
1217
"references": [
1318
{
@@ -32,8 +37,10 @@
3237
}
3338
],
3439
"database_specific": {
35-
"cwe_ids": [],
36-
"severity": null,
40+
"cwe_ids": [
41+
"CWE-476"
42+
],
43+
"severity": "MODERATE",
3744
"github_reviewed": false,
3845
"github_reviewed_at": null,
3946
"nvd_published_at": "2026-06-26T20:17:25Z"

0 commit comments

Comments
 (0)