Skip to content

Commit 81fb8b5

Browse files
1 parent 02880ae commit 81fb8b5

2 files changed

Lines changed: 56 additions & 10 deletions

File tree

advisories/unreviewed/2026/06/GHSA-6jm8-4fhr-5w64/GHSA-6jm8-4fhr-5w64.json renamed to advisories/github-reviewed/2026/06/GHSA-6jm8-4fhr-5w64/GHSA-6jm8-4fhr-5w64.json

Lines changed: 27 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -1,11 +1,12 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-6jm8-4fhr-5w64",
4-
"modified": "2026-06-01T06:30:25Z",
4+
"modified": "2026-07-09T20:49:44Z",
55
"published": "2026-06-01T06:30:25Z",
66
"aliases": [
77
"CVE-2026-10219"
88
],
9+
"summary": "GoClaw has a Command Injection issue",
910
"details": "A vulnerability was found in nextlevelbuilder GoClaw up to 3.11.3. This impacts the function FsBridge.WriteFile of the file internal/sandbox/fsbridge.go of the component write_file Tool. Performing a manipulation results in os command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The pull request to fix this issue awaits acceptance.",
1011
"severity": [
1112
{
@@ -14,10 +15,30 @@
1415
},
1516
{
1617
"type": "CVSS_V4",
17-
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
18+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
19+
}
20+
],
21+
"affected": [
22+
{
23+
"package": {
24+
"ecosystem": "Go",
25+
"name": "github.com/nextlevelbuilder/goclaw"
26+
},
27+
"ranges": [
28+
{
29+
"type": "ECOSYSTEM",
30+
"events": [
31+
{
32+
"introduced": "0"
33+
},
34+
{
35+
"last_affected": "3.11.3"
36+
}
37+
]
38+
}
39+
]
1840
}
1941
],
20-
"affected": [],
2142
"references": [
2243
{
2344
"type": "ADVISORY",
@@ -32,7 +53,7 @@
3253
"url": "https://github.com/nextlevelbuilder/goclaw/pull/1155"
3354
},
3455
{
35-
"type": "WEB",
56+
"type": "PACKAGE",
3657
"url": "https://github.com/nextlevelbuilder/goclaw"
3758
},
3859
{
@@ -57,8 +78,8 @@
5778
"CWE-77"
5879
],
5980
"severity": "MODERATE",
60-
"github_reviewed": false,
61-
"github_reviewed_at": null,
81+
"github_reviewed": true,
82+
"github_reviewed_at": "2026-07-09T20:49:44Z",
6283
"nvd_published_at": "2026-06-01T04:16:21Z"
6384
}
6485
}

advisories/unreviewed/2026/06/GHSA-gprj-xvq8-w53q/GHSA-gprj-xvq8-w53q.json renamed to advisories/github-reviewed/2026/06/GHSA-gprj-xvq8-w53q/GHSA-gprj-xvq8-w53q.json

Lines changed: 29 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -1,19 +1,40 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-gprj-xvq8-w53q",
4-
"modified": "2026-06-01T15:30:40Z",
4+
"modified": "2026-07-09T20:50:30Z",
55
"published": "2026-06-01T09:31:13Z",
66
"aliases": [
77
"CVE-2026-40963"
88
],
9+
"summary": "Apache Airflow has an Improper Authorization issue",
910
"details": "The structure_data endpoint in the Airflow UI returned external dependency graph nodes for linked Dags without checking whether the caller had read permission on those linked Dags. An authenticated UI/API user authorized for one Dag could enumerate linked Dag IDs and dependency metadata for other Dags they were not authorized to read. Affects deployments that rely on per-Dag read scoping to keep Dag dependency topology private across teams. Users are advised to upgrade to `apache-airflow` 3.2.2 or later.",
1011
"severity": [
1112
{
1213
"type": "CVSS_V3",
1314
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
1415
}
1516
],
16-
"affected": [],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "apache-airflow"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "3.0.0"
29+
},
30+
{
31+
"fixed": "3.2.2"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
1738
"references": [
1839
{
1940
"type": "ADVISORY",
@@ -23,6 +44,10 @@
2344
"type": "WEB",
2445
"url": "https://github.com/apache/airflow/pull/65342"
2546
},
47+
{
48+
"type": "PACKAGE",
49+
"url": "https://github.com/apache/airflow"
50+
},
2651
{
2752
"type": "WEB",
2853
"url": "https://lists.apache.org/thread/s907bhsksc37m59f0loqjcp1ryobrr60"
@@ -37,8 +62,8 @@
3762
"CWE-285"
3863
],
3964
"severity": "LOW",
40-
"github_reviewed": false,
41-
"github_reviewed_at": null,
65+
"github_reviewed": true,
66+
"github_reviewed_at": "2026-07-09T20:50:30Z",
4267
"nvd_published_at": "2026-06-01T09:16:18Z"
4368
}
4469
}

0 commit comments

Comments
 (0)