Publish Advisories

GHSA-gc59-r5jq-98qw
GHSA-hqxq-hwqf-wg83
GHSA-jpcj-7wfg-mqxv
GHSA-p423-j2cm-9vmq
GHSA-v6ph-xcq9-qxxj
GHSA-wr8q-c73g-m7gp
GHSA-gc59-r5jq-98qw
GHSA-wr8q-c73g-m7gp

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-gc59-r5jq-98qw/GHSA-gc59-r5jq-98qw.json

@@ -0,0 +1,141 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gc59-r5jq-98qw",
+  "modified": "2026-04-08T19:24:59Z",
+  "published": "2026-04-08T15:31:44Z",
+  "aliases": [
+    "CVE-2026-5795"
+  ],
+  "summary": "Eclipse Jetty: Early return from the JASPIAuthenticator code can potentially no clear ThreadLocal variables",
+  "details": "In Eclipse Jetty, the class JASPIAuthenticator initiates the authentication checks, which set two ThreadLocal variable.\n\n\nUpon returning from the initial checks, there are conditions that cause an early return from the JASPIAuthenticator code without clearing those ThreadLocals.\n\n\nA subsequent request using the same thread inherits the ThreadLocal values, leading to a broken access control and privilege escalation.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty.ee10:jetty-ee10"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "12.1.0"
+            },
+            {
+              "fixed": "12.1.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty.ee10:jetty-ee10"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "12.0.0"
+            },
+            {
+              "fixed": "12.0.33"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty.ee10:jetty-ee10"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.0.0"
+            },
+            {
+              "fixed": "11.0.28"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty.ee10:jetty-ee10"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.0.0"
+            },
+            {
+              "fixed": "10.0.28"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.eclipse.jetty.ee10:jetty-ee10"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.4.0"
+            },
+            {
+              "fixed": "9.4.60"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/jetty/jetty.project/security/advisories/GHSA-r7p8-xq5m-436c"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5795"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/jetty/jetty.project"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/92"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-226"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T19:24:59Z",
+    "nvd_published_at": "2026-04-08T14:16:32Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-hqxq-hwqf-wg83/GHSA-hqxq-hwqf-wg83.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hqxq-hwqf-wg83",
+  "modified": "2026-04-08T19:23:00Z",
+  "published": "2026-04-08T19:23:00Z",
+  "aliases": [
+    "CVE-2026-39901"
+  ],
+  "summary": "monetr: Protected Transactions Deletable via PUT",
+  "details": "### Summary\nA transaction integrity flaw allows an authenticated tenant user to soft-delete synced non-manual transactions through the transaction update endpoint, despite the application explicitly blocking deletion of those transactions via the normal `DELETE` path. This bypass undermines the intended protection for imported transaction records and allows protected transactions to be hidden from normal views.\n\n### Details\nThe issue affects the transaction update path for synced transactions associated with non-manual links. The intended policy is clearly enforced in the `DELETE` handler: deletion of synced transactions for non-manual links is rejected with an error indicating that such transactions cannot be deleted.\n\nHowever, the `PUT` update path still accepts a client-controlled full `Transaction` object and persists fields that should be server-managed, including `deletedAt`. The update logic appears to restrict only selected fields, which leaves `deletedAt` attacker-controllable.\n\nVerified behavior on the same synced transaction showed:\n\n- `DELETE` was denied with the expected protection error for non-manual links\n- `PUT` with a user-supplied `deletedAt` value succeeded and returned `200 OK`\n- a subsequent transaction list no longer showed the transaction\n- `GET` by transaction ID still returned the record with `deletedAt` populated\n\nThis demonstrates a policy bypass: although the server explicitly defines synced transactions on non-manual links as non-deletable through the dedicated delete route, the same outcome can still be achieved through the update route by setting the soft-delete field directly.\n\nThe vulnerability is therefore not a simple UI inconsistency. It is a server-side authorization and integrity flaw caused by trusting a client-supplied full transaction object and failing to protect sensitive server-managed fields from modification.\n\n### PoC\nThe issue can be reproduced by identifying a synced transaction on a non-manual link, confirming that the normal `DELETE` route rejects deletion, then submitting an update request that sets the transaction’s `deletedAt` field. The transaction will then disappear from normal listing views even though direct retrieval still shows the record as soft-deleted.\n\n### Impact\n- **Type:** Authorization bypass / integrity violation\n- **Who is impacted:** Authenticated tenant users and any deployment relying on synced transaction immutability for non-manual links\n- **Security impact:** Attackers can hide or effectively delete protected imported transactions that should not be deletable, compromising transaction history, bookkeeping integrity, and trust in audit-relevant server-managed fields\n- **Attack preconditions:** The attacker must be authenticated and able to access a synced transaction within their own tenant/account scope",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/monetr/monetr"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.12.2"
+            },
+            {
+              "fixed": "1.12.3"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "1.12.2"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/monetr/monetr/security/advisories/GHSA-hqxq-hwqf-wg83"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/monetr/monetr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/monetr/monetr/releases/tag/v1.12.3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T19:23:00Z",
+    "nvd_published_at": null
+  }
+}

…-jpcj-7wfg-mqxv/GHSA-jpcj-7wfg-mqxv.json …-jpcj-7wfg-mqxv/GHSA-jpcj-7wfg-mqxv.jsonadvisories/unreviewed/2026/04/GHSA-jpcj-7wfg-mqxv/GHSA-jpcj-7wfg-mqxv.json renamed to advisories/github-reviewed/2026/04/GHSA-jpcj-7wfg-mqxv/GHSA-jpcj-7wfg-mqxv.json advisories/unreviewed/2026/04/GHSA-jpcj-7wfg-mqxv/GHSA-jpcj-7wfg-mqxv.json renamed to advisories/github-reviewed/2026/04/GHSA-jpcj-7wfg-mqxv/GHSA-jpcj-7wfg-mqxv.json

@@ -1,14 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jpcj-7wfg-mqxv",
-  "modified": "2026-04-08T18:34:06Z",
+  "modified": "2026-04-08T19:24:12Z",
   "published": "2026-04-08T18:34:06Z",
   "aliases": [
     "CVE-2026-31040"
   ],
+  "summary": "stata-mcp has insufficient validation of user-supplied Stata do-file content that can lead to command execution",
   "details": "A vulnerability was identified in stata-mcp prior to v1.13.0 where insufficient validation of user-supplied Stata do-file content can lead to command execution.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "stata-mcp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.13.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -29,13 +55,19 @@
     {
       "type": "WEB",
       "url": "https://github.com/SepineTam/stata-mcp/releases/tag/v1.13.0"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sepinetam/stata-mcp"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T19:24:12Z",
     "nvd_published_at": "2026-04-08T16:16:22Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-p423-j2cm-9vmq/GHSA-p423-j2cm-9vmq.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p423-j2cm-9vmq",
+  "modified": "2026-04-08T19:23:08Z",
+  "published": "2026-04-08T19:23:08Z",
+  "aliases": [
+    "CVE-2026-39892"
+  ],
+  "summary": "Cryptography vulnerable to buffer overflow if non-contiguous buffers were passed to APIs",
+  "details": "If a non-contiguous buffer was passed to APIs which accepted Python buffers (e.g. `Hash.update()`), this could lead to buffer overflows. For example:\n\n```python\nh = Hash(SHA256())\nb.update(buf[::-1])\n```\n\nwould read past the end of the buffer on Python >3.11",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "cryptography"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "45.0.0"
+            },
+            {
+              "fixed": "46.0.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pyca/cryptography"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T19:23:08Z",
+    "nvd_published_at": null
+  }
+}