Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 75eaf0cc721c · 2026-03-18T17:28:23.000Z
GHSA-46fp-8f5p-pf2m GHSA-677m-j7p3-52f9 GHSA-6g43-577r-wf4x GHSA-762r-27w2-q22j
diff --git a/advisories/github-reviewed/2026/03/GHSA-46fp-8f5p-pf2m/GHSA-46fp-8f5p-pf2m.json b/advisories/github-reviewed/2026/03/GHSA-46fp-8f5p-pf2m/GHSA-46fp-8f5p-pf2m.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-46fp-8f5p-pf2m",
+  "modified": "2026-03-18T17:26:48Z",
+  "published": "2026-03-18T17:26:48Z",
+  "aliases": [],
+  "summary": "Improper detection of disallowed URIs by Loofah `allowed_uri?`",
+  "details": "## Summary\n\n`Loofah::HTML5::Scrub.allowed_uri?` does not correctly reject `javascript:` URIs when the scheme is split by HTML entity-encoded control characters such as `&#13;` (carriage return), `&#10;` (line feed), or `&#9;` (tab).\n\n## Details\n\nThe `allowed_uri?` method strips literal control characters before decoding HTML entities. Payloads like `java&#13;script:alert(1)` survive the control character strip, then `&#13;` is decoded to a carriage return, producing `java\\rscript:alert(1)`.\n\nNote that the Loofah sanitizer's default `sanitize()` path is **not affected** because Nokogiri decodes HTML entities during parsing before Loofah evaluates the URI protocol. This issue only affects direct callers of the `allowed_uri?` string-level helper when passing HTML-encoded strings.\n\n## Impact\n\nApplications that call `Loofah::HTML5::Scrub.allowed_uri?` to validate user-controlled URLs and then render approved URLs into `href` or other browser-interpreted URI attributes may be vulnerable to cross-site scripting (XSS).\n\nThis only affects Loofah `2.25.0`.\n\n## Mitigation\n\nUpgrade to Loofah >= `2.25.1`.\n\n## Credit\n\nResponsibly reported by HackOne user `@smlee`.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "loofah"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.25.0"
+            },
+            {
+              "fixed": "2.25.1"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "2.25.0"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/flavorjones/loofah/security/advisories/GHSA-46fp-8f5p-pf2m"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/flavorjones/loofah"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T17:26:48Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-677m-j7p3-52f9/GHSA-677m-j7p3-52f9.json b/advisories/github-reviewed/2026/03/GHSA-677m-j7p3-52f9/GHSA-677m-j7p3-52f9.json
@@ -0,0 +1,107 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-677m-j7p3-52f9",
+  "modified": "2026-03-18T17:26:14Z",
+  "published": "2026-03-18T17:26:14Z",
+  "aliases": [
+    "CVE-2026-33151"
+  ],
+  "summary": "socket.io allows an unbounded number of binary attachments",
+  "details": "### Impact\n\nA specially crafted Socket.IO packet can make the server wait for a large number of binary attachments and buffer them, which can be exploited to make the server run out of memory.\n\n### Patches\n\n| Version range    | Used by                                    | Fixed version |\n|------------------|--------------------------------------------|---------------|\n| `>=4.0.0 <4.2.6` | `socket.io@4.x` and `socket.io-client@4.x` | `4.2.6`       |\n| `>=3.4.0 <3.4.4` | `socket.io@2.x`                            | `3.4.4`       |\n| `<3.3.5`         | `socket.io-client@2.x`                     | `3.3.5`       |\n\n### Workarounds\n\nThere is no known workaround except upgrading to a safe version.\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n\n- Open a discussion [here](https://github.com/socketio/socket.io/discussions)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "socket.io-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.3.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "socket.io-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.4.0"
+            },
+            {
+              "fixed": "3.4.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "socket.io-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.2.6"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/socketio/socket.io/security/advisories/GHSA-677m-j7p3-52f9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/socketio/socket.io/commit/719f9ebab0772ffb882bd614b387e585c1aa75d4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/socketio/socket.io/commit/9d39f1f080510f036782f2177fac701cc041faaf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/socketio/socket.io/commit/b25738c416c4e32fbff62ee182afa8f6d0dacf78"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/socketio/socket.io"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-754"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T17:26:14Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-6g43-577r-wf4x/GHSA-6g43-577r-wf4x.json b/advisories/github-reviewed/2026/03/GHSA-6g43-577r-wf4x/GHSA-6g43-577r-wf4x.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6g43-577r-wf4x",
+  "modified": "2026-03-18T17:26:27Z",
+  "published": "2026-03-18T17:26:27Z",
+  "aliases": [
+    "CVE-2026-32937"
+  ],
+  "summary": "Out-of-Bounds Slice Access in free5GC CHF Leading to DoS",
+  "details": "### Impact\nThis is an out-of-bounds slice access vulnerability in the CHF `nchf-convergedcharging` service.\nA valid authenticated request to PUT `/nchf-convergedcharging/v3/recharging/:ueId?ratingGroup=...` can trigger a server-side panic in `github.com/free5gc/chf/internal/sbi.(*Server).RechargePut(...)` due to an out-of-range slice access. In the reported runtime, Gin recovery converts the panic into HTTP 500, but the recharge path remains remotely panic-triggerable and can be abused repeatedly to degrade recharge functionality and flood logs. In deployments without equivalent recovery handling, this panic may cause more severe service disruption.\n\n### Patches\nhttps://github.com/free5gc/chf/pull/61\n\n### Workarounds\n- Restrict access to the `nchf-convergedcharging` recharge endpoint to strictly trusted NF callers only.\n- Apply rate limiting or network ACLs in front of the CHF SBI interface to reduce repeated panic-trigger attempts.\n- If the recharge API is not required, temporarily disable or block external reachability to this route.\n- Ensure panic recovery, monitoring, and alerting are enabled.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/free5gc/chf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.2.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/free5gc/free5gc/security/advisories/GHSA-6g43-577r-wf4x"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/free5gc/free5gc/issues/864"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/free5gc/chf/pull/61"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/free5gc/chf/commit/55af766f321a00afa978e806548c96f8a7d2433e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/free5gc/chf"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-129"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T17:26:27Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-762r-27w2-q22j/GHSA-762r-27w2-q22j.json b/advisories/github-reviewed/2026/03/GHSA-762r-27w2-q22j/GHSA-762r-27w2-q22j.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-762r-27w2-q22j",
+  "modified": "2026-03-18T17:26:59Z",
+  "published": "2026-03-18T17:26:59Z",
+  "aliases": [
+    "CVE-2026-33209"
+  ],
+  "summary": "Avo has a XSS vulnerability on `return_to` param",
+  "details": "## Description\n\nA reflected cross-site scripting (XSS) vulnerability exists in the `return_to` query parameter used in the avo interface.\n\nAn attacker can craft a malicious URL that injects arbitrary JavaScript, which is executed when he clicks a dynamically generated navigation button.\n\n## Impact\n\nThis vulnerability may allow execution of arbitrary JavaScript in the context of the application.\n\nImpact varies depending on deployment:\n- In unauthenticated setups: exploitable via crafted links sent to users\n- In authenticated setups: limited to authenticated users and requires interaction",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "avo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.30.3"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.30.2"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/avo-hq/avo/security/advisories/GHSA-762r-27w2-q22j"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/avo-hq/avo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-18T17:26:59Z",
+    "nvd_published_at": null
+  }
+}
