Publish Advisories

GHSA-27h3-crw2-q36w
GHSA-phv5-vq5p-qhp7
GHSA-q2hg-643c-gw8h
GHSA-xrxf-jgv3-qmrm

Author: advisory-database[bot]

…-27h3-crw2-q36w/GHSA-27h3-crw2-q36w.json …-27h3-crw2-q36w/GHSA-27h3-crw2-q36w.jsonadvisories/unreviewed/2026/04/GHSA-27h3-crw2-q36w/GHSA-27h3-crw2-q36w.json renamed to advisories/github-reviewed/2026/04/GHSA-27h3-crw2-q36w/GHSA-27h3-crw2-q36w.json advisories/unreviewed/2026/04/GHSA-27h3-crw2-q36w/GHSA-27h3-crw2-q36w.json renamed to advisories/github-reviewed/2026/04/GHSA-27h3-crw2-q36w/GHSA-27h3-crw2-q36w.json

@@ -1,24 +1,53 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-27h3-crw2-q36w",
-  "modified": "2026-04-16T15:31:31Z",
+  "modified": "2026-04-16T22:57:31Z",
   "published": "2026-04-16T15:31:31Z",
   "aliases": [
     "CVE-2026-30778"
   ],
+  "summary": "SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information",
   "details": "The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.\n\nThis issue affects Apache SkyWalking: from 9.7.0 through 10.3.0.\n\nUsers are recommended to upgrade to version 10.4.0, which fixes the issue.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.skywalking:server-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.7.0"
+            },
+            {
+              "fixed": "10.4.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-30778"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/skywalking/commit/5a3f6260e4dd681a9132204e5299064bef079886"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/skywalking"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/pvf35o3tp1rqhmrhzj6fg31gvqrqcvn3"
@@ -33,8 +62,8 @@
       "CWE-202"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T22:57:31Z",
     "nvd_published_at": "2026-04-15T11:16:33Z"
   }
 }

…-phv5-vq5p-qhp7/GHSA-phv5-vq5p-qhp7.json …-phv5-vq5p-qhp7/GHSA-phv5-vq5p-qhp7.jsonadvisories/unreviewed/2026/04/GHSA-phv5-vq5p-qhp7/GHSA-phv5-vq5p-qhp7.json renamed to advisories/github-reviewed/2026/04/GHSA-phv5-vq5p-qhp7/GHSA-phv5-vq5p-qhp7.json advisories/unreviewed/2026/04/GHSA-phv5-vq5p-qhp7/GHSA-phv5-vq5p-qhp7.json renamed to advisories/github-reviewed/2026/04/GHSA-phv5-vq5p-qhp7/GHSA-phv5-vq5p-qhp7.json

@@ -1,14 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-phv5-vq5p-qhp7",
-  "modified": "2026-04-16T15:31:32Z",
+  "modified": "2026-04-16T22:57:42Z",
   "published": "2026-04-16T15:31:32Z",
   "aliases": [
     "CVE-2026-31987"
   ],
+  "summary": "Apache Airflow: JWT token appearing in logs",
   "details": "JWT Tokens used by tasks were exposed in logs. This could allow UI users to act as Dag Authors. \nUsers are advised to upgrade to Airflow version that contains fix.\n\nUsers are recommended to upgrade to version 3.2.0, which fixes this issue.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-airflow"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0"
+            },
+            {
+              "fixed": "3.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -26,18 +52,26 @@
       "type": "WEB",
       "url": "https://github.com/apache/airflow/pull/62964"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/airflow"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/pvsrtxzwo9xy6xgknmwslv4zrw70kt6g"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/16/7"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-532"
     ],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T22:57:42Z",
     "nvd_published_at": "2026-04-16T14:16:13Z"
   }
 }

…-q2hg-643c-gw8h/GHSA-q2hg-643c-gw8h.json …-q2hg-643c-gw8h/GHSA-q2hg-643c-gw8h.jsonadvisories/unreviewed/2026/04/GHSA-q2hg-643c-gw8h/GHSA-q2hg-643c-gw8h.json renamed to advisories/github-reviewed/2026/04/GHSA-q2hg-643c-gw8h/GHSA-q2hg-643c-gw8h.json advisories/unreviewed/2026/04/GHSA-q2hg-643c-gw8h/GHSA-q2hg-643c-gw8h.json renamed to advisories/github-reviewed/2026/04/GHSA-q2hg-643c-gw8h/GHSA-q2hg-643c-gw8h.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q2hg-643c-gw8h",
-  "modified": "2026-04-16T15:31:31Z",
+  "modified": "2026-04-16T22:57:15Z",
   "published": "2026-04-16T15:31:31Z",
   "aliases": [
     "CVE-2025-54550"
   ],
+  "summary": "Apache Airflow: RCE by race condition in example_xcom dag",
   "details": "The example example_xcom that was included in airflow documentation implemented unsafe pattern of reading value\nfrom xcom in the way that could be exploited to allow UI user who had access to modify XComs to perform arbitrary\nexecution of code on the worker. Since the UI users are already highly trusted, this is a Low severity vulnerability.\n\nIt does not affect Airflow release - example_dags are not supposed to be enabled in production environment, however\nusers following the example could replicate the bad pattern. Documentation of Airflow 3.2.0 contains version of\nthe example with improved resiliance for that case.\n\nUsers who followed that pattern are advised to adjust their implementations accordingly.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-airflow"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/apache/airflow/pull/63200"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/airflow"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/3mf4cfx070ofsnf9qy0s2v5gqb5sc2g1"
@@ -37,8 +62,8 @@
       "CWE-94"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T22:57:15Z",
     "nvd_published_at": "2026-04-15T04:17:32Z"
   }
 }

…-xrxf-jgv3-qmrm/GHSA-xrxf-jgv3-qmrm.json …-xrxf-jgv3-qmrm/GHSA-xrxf-jgv3-qmrm.jsonadvisories/unreviewed/2026/04/GHSA-xrxf-jgv3-qmrm/GHSA-xrxf-jgv3-qmrm.json renamed to advisories/github-reviewed/2026/04/GHSA-xrxf-jgv3-qmrm/GHSA-xrxf-jgv3-qmrm.json advisories/unreviewed/2026/04/GHSA-xrxf-jgv3-qmrm/GHSA-xrxf-jgv3-qmrm.json renamed to advisories/github-reviewed/2026/04/GHSA-xrxf-jgv3-qmrm/GHSA-xrxf-jgv3-qmrm.json

@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xrxf-jgv3-qmrm",
-  "modified": "2026-04-16T15:31:30Z",
+  "modified": "2026-04-16T22:56:42Z",
   "published": "2026-04-14T15:30:34Z",
   "aliases": [
     "CVE-2025-61260"
   ],
+  "summary": "OpenAI Codex CLI enables code execution through malicious MCP (Model Context Protocol) configuration files",
   "details": "A vulnerability was identified in OpenAI Codex CLI v0.23.0 and before that enables code execution through malicious MCP (Model Context Protocol) configuration files. The attack is triggered when a user runs the codex command inside a malicious or compromised repository. Codex automatically loads project-local .env and .codex/config.toml files without requiring user confirmation, allowing attackers to embed arbitrary commands that execute immediately.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@openai/codex"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.23.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61260"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openai/codex"
+    },
     {
       "type": "WEB",
       "url": "https://research.checkpoint.com/2025/openai-codex-cli-command-injection-vulnerability"
@@ -33,8 +58,8 @@
       "CWE-94"
     ],
     "severity": "CRITICAL",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T22:56:42Z",
     "nvd_published_at": "2026-04-14T15:16:24Z"
   }
 }