Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 0dd769671504 · 2026-04-18T01:16:24.000Z
GHSA-h8wq-7xc4-p3qx GHSA-29x4-r6jv-ff4w GHSA-452v-w3gx-72wg GHSA-8m29-fpq5-89jj GHSA-9j88-vvj5-vhgr
diff --git a/advisories/github-reviewed/2026/03/GHSA-h8wq-7xc4-p3qx/GHSA-h8wq-7xc4-p3qx.json b/advisories/github-reviewed/2026/03/GHSA-h8wq-7xc4-p3qx/GHSA-h8wq-7xc4-p3qx.json
@@ -1,24 +1,57 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h8wq-7xc4-p3qx",
-  "modified": "2026-03-09T21:31:38Z",
+  "modified": "2026-04-18T01:14:15Z",
   "published": "2026-03-09T21:31:38Z",
   "aliases": [
     "CVE-2026-0846"
   ],
+  "summary": "NLTK has Arbitrary File Read via Absolute Path Input in nltk.util.filestring()",
   "details": "A vulnerability in the `filestring()` function of the `nltk.util` module in nltk version 3.9.2 allows arbitrary file read due to improper validation of input paths. The function directly opens files specified by user input without sanitization, enabling attackers to access sensitive system files by providing absolute paths or traversal paths. This vulnerability can be exploited locally or remotely, particularly in scenarios where the function is used in web APIs or other interfaces that accept user-supplied input.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "nltk"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.9.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0846"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nltk/nltk/pull/3485"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nltk/nltk/commit/b2e1164bf89277f79b65406c829b99fb20ca1974"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nltk/nltk"
+    },
     {
       "type": "WEB",
       "url": "https://huntr.com/bounties/007b84f8-418e-4300-99d0-bf504c2f97eb"
@@ -29,8 +62,8 @@
       "CWE-36"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:14:15Z",
     "nvd_published_at": "2026-03-09T20:16:05Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-29x4-r6jv-ff4w/GHSA-29x4-r6jv-ff4w.json b/advisories/github-reviewed/2026/04/GHSA-29x4-r6jv-ff4w/GHSA-29x4-r6jv-ff4w.json
@@ -0,0 +1,75 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-29x4-r6jv-ff4w",
+  "modified": "2026-04-18T01:15:10Z",
+  "published": "2026-04-18T01:15:10Z",
+  "aliases": [],
+  "summary": "Zebra Vulnerable to Denial of Service via Interrupted JSON-RPC Requests from Authenticated Clients",
+  "details": "A vulnerability in Zebra's JSON-RPC HTTP middleware allows an authenticated RPC client to cause a Zebra node to crash by disconnecting before the request body is fully received. The node treats the failure to read the HTTP request body as an unrecoverable error and aborts the process instead of returning an error response.\n\n## Severity\n**Moderate** - This is a Denial of Service (DoS) that requires a client capable of passing Zebra's cookie authentication, which is enabled by default.\n\n## Affected Versions\n- `zebrad`: versions from **2.2.0** up to (but not including) **4.3.1**\n- `zebra-rpc`: versions from **1.0.0-beta.45** up to (but not including) **6.0.2**\n\n## Description\n\nZebra's JSON-RPC HTTP middleware treated a failure to read the incoming HTTP request body as an unrecoverable error, aborting the process rather than returning an error response. A client that disconnected after sending only part of a request body, for example, by resetting the TCP connection mid-transfer, was sufficient to trigger the crash. The vulnerability could be exploited only by authenticated RPC clients. Nodes running the shipped defaults, with RPC bound to localhost and cookie authentication on, were not vulnerable.\n\n## Impact\n**Denial of Service**\n* **Attack Vector:** Network, authenticated (requires a valid RPC cookie when cookie authentication is enabled).\n* **Effect:** Immediate crash of the Zebra node.\n* **Scope:** Any node whose RPC interface is reachable by a client with valid credentials, or any node with cookie authentication disabled and an exposed RPC interface.\n\n## Fixed Versions\nThis issue is fixed in **Zebra 4.3.1** (crate `zebra-rpc` 6.0.2).\n\nThe fix propagates failures to read the HTTP request body as ordinary error responses, so Zebra now rejects truncated or interrupted requests rather than crashing.\n\n## Mitigation\nUsers should upgrade to **Zebra 4.3.1** or later.\n\nIf an immediate upgrade is not possible, users should ensure their RPC port is not exposed to untrusted networks and that cookie authentication remains enabled (the default).\n\n## References\n* [Zebra 4.3.1 Release Announcement](https://zfnd.org/)\n\n## Credits\nThanks to [shieldedonly](https://github.com/shieldedonly) who discovered this issue and reported it via our coordinated disclosure process.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "zebra-rpc"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.0.0-beta.45"
+            },
+            {
+              "fixed": "6.0.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "zebrad"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.2.0"
+            },
+            {
+              "fixed": "4.3.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-29x4-r6jv-ff4w"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ZcashFoundation/zebra"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-248",
+      "CWE-617"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:15:10Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-452v-w3gx-72wg/GHSA-452v-w3gx-72wg.json b/advisories/github-reviewed/2026/04/GHSA-452v-w3gx-72wg/GHSA-452v-w3gx-72wg.json
@@ -0,0 +1,74 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-452v-w3gx-72wg",
+  "modified": "2026-04-18T01:14:57Z",
+  "published": "2026-04-18T01:14:57Z",
+  "aliases": [],
+  "summary": "Zebra has rk Identity Point Panic in Transaction Verification",
+  "details": "# rk Identity Point Panic in Transaction Verification\n\n## Summary\n\nOrchard transactions contain a `rk` field which is a randomized validating key and also an elliptic curve point. The Zcash specification allows the field to be the identity (a \"zero\" value), however, the `orchard` crate which is used to verify Orchard proofs would panic when fed a `rk` with the identity value. Thus an attacker could send a crafted transaction that would make a Zebra node crash.\n\n## Severity\n\n**Critical** - This is a Denial of Service Vulnerability that could allow an attacker to crash Zebra nodes.\n\n## Affected Versions\n\nAll Zebra versions prior to **version 4.3.1**.\n\n## Description\n\nThe vulnerability exists in the `circuits.rs` file of the `orchard` crate; it attempts to get the coordinates of the `rk` value and calls `unwrap()` on the results, which causes a panic if `rk` is the identity.\n\nZebra parses `rk` as a byte vector; it creates an Orchard \"bundle\" using the `orchard` crate and then calls the same crate to verify it, triggering the panic.\n\nAn attacker could exploit this by:\n1. Creating a transaction with a identity `rk`\n2. Submitting it to a Zebra node, making it crash\n\n## Impact\n\n**Denial of Service**\n\n* **Attack Vector:** Network.\n* **Effect:** Node crash.\n* **Scope:** Any impacted Zebra node.\n\n## Fixed Versions\n\nThis issue is fixed in **Zebra 4.3.1**. \n\nThe fix was agreed with `zcashd` developers (which has the same issue) to not allow the identity `rk` anymore and change the specification as such. Zebra now does this when parsing a transaction. This was deemed easier than fixing the issue in `orchard`, which would make the bug public before the nodes could be patched.\n\n## Mitigation\n\nUsers should upgrade to **Zebra 4.3.1** or later immediately. \n\nThere are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains not vulnerable to denial of service.\n\n## Credits\n\nThanks to Alex “Scalar” Sol for finding and reporting the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "zebrad"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.3.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "zebra-chain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-452v-w3gx-72wg"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ZcashFoundation/zebra"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-617"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:14:57Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-8m29-fpq5-89jj/GHSA-8m29-fpq5-89jj.json b/advisories/github-reviewed/2026/04/GHSA-8m29-fpq5-89jj/GHSA-8m29-fpq5-89jj.json
@@ -0,0 +1,74 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8m29-fpq5-89jj",
+  "modified": "2026-04-18T01:15:24Z",
+  "published": "2026-04-18T01:15:24Z",
+  "aliases": [],
+  "summary": "Zebra Vulnerable to Consensus Divergence in Transparent Sighash Hash-Type Handling",
+  "details": "# Consensus Divergence in Transparent Sighash Hash-Type Handling\n\n## Summary\n\nAfter a refactoring, Zebra failed to validate a consensus rule that restricted the possible values of sighash hash types for V5 transactions which were enabled in the NU5 network upgrade. Zebra nodes could thus accept and eventually mine a block that would be considered invalid by zcashd nodes, creating a consensus split between Zebra and zcashd nodes.\n\nIn a similar vein, for V4 transactions, Zebra mistakenly used the \"canonical\" hash type when computing the sighash while zcashd (correctly per the spec) uses the raw value, which could also crate a consensus split.\n\n## Severity\n\n**Critical** - This is a Consensus Vulnerability that could allow a malicious party to induce network partitioning, service disruption, and potential double-spend attacks against affected nodes.\n\nNote that the impact is currently alleviated by the fact that currently most miners run `zcashd`.\n\n## Affected Versions\n\nAll Zebra versions prior to version 4.3.1. (Some older versions are not impacted but are no longer supported by the network.)\n\n## Description\n\nVerification of transparent transactions inherits the Bitcoin Script verification code in C++. Since it is consensus-critical, this code was called from Zebra through foreign function interface (FFI). That interface was clunky because it required parsing the whole transaction in C++ code, which would then pull Rust libraries which could get in conflict with Zebra code. A refactoring was done so that only the verification itself was done in C++, and the rest done by Rust code, using a callback. However, in this refactoring, it was not noticed that a particular consensus rule - only accepting known hash types in transparent transaction signatures - was being enforced in C++ code and thus had to be enforced by the Rust caller.\n\nAn attacker could exploit this by:\n\n- Submitting a V4 or V5 transaction with an invalid hash type\n- The V5 transaction would be accepted by Zebra nodes but not by `zcashd` nodes (and vice-versa for V4), creating a consensus split in the network.\n\n## Impact\n\n**Consensus Failure**\n\n- **Attack Vector:** Network.\n- **Effect:** Network partition/consensus split.\n- **Scope:** Any Zebra affected Zebra node\n\n## Fixed Versions\n\nThis issue is fixed in Zebra 4.3.1.\n\nThe fix adds the consensus check in the caller of the C++ verification code. It also uses the raw hash type for V4 sighash computations.\n\n## Mitigation\n\nUsers should upgrade to Zebra 4.3.1 or later immediately.\n\nThere are no known workarounds for this issue. Immediate upgrade is the only way to ensure the node remains on the correct consensus path and is protected against malicious chain forks.\n\n## Credits\n\nThanks Alex “Scalar” Sol for finding and reporting the issue, and to @sangsoo-osec who independently found the same issue and demonstrated that the V4 variant was also exploitable.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "zebrad"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.3.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "zebra-script"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.0.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-8m29-fpq5-89jj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ZcashFoundation/zebra"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-573"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:15:24Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-9j88-vvj5-vhgr/GHSA-9j88-vvj5-vhgr.json b/advisories/github-reviewed/2026/04/GHSA-9j88-vvj5-vhgr/GHSA-9j88-vvj5-vhgr.json
