Publish Advisories

GHSA-gq3w-7jj3-x7gr
GHSA-q2r8-vmq7-fpx2
GHSA-34g8-9fpp-46ch
GHSA-3rhr-jr63-hwq5
GHSA-679f-wmrg-qf57
GHSA-fx49-m253-27jj
GHSA-gq3w-7jj3-x7gr
GHSA-34g8-9fpp-46ch
GHSA-3rhr-jr63-hwq5
GHSA-679f-wmrg-qf57
GHSA-fx49-m253-27jj

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-gq3w-7jj3-x7gr/GHSA-gq3w-7jj3-x7gr.json

@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gq3w-7jj3-x7gr",
+  "modified": "2026-03-17T20:02:55Z",
+  "published": "2026-02-21T00:31:43Z",
+  "aliases": [
+    "CVE-2026-2635"
+  ],
+  "summary": "MLflow Use of Default Password Authentication Bypass Vulnerability",
+  "details": "This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "mlflow"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.8.0rc0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2635"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mlflow/mlflow/pull/19260"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mlflow/mlflow"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mlflow/mlflow/releases/tag/v3.8.0rc0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-111"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1393"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T20:02:55Z",
+    "nvd_published_at": "2026-02-20T23:16:05Z"
+  }
+}

…-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json …-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.jsonadvisories/unreviewed/2026/02/GHSA-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json renamed to advisories/github-reviewed/2026/02/GHSA-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json advisories/unreviewed/2026/02/GHSA-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json renamed to advisories/github-reviewed/2026/02/GHSA-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q2r8-vmq7-fpx2",
-  "modified": "2026-02-21T00:31:43Z",
+  "modified": "2026-03-17T20:03:07Z",
   "published": "2026-02-21T00:31:43Z",
   "aliases": [
     "CVE-2026-2033"
   ],
-  "details": "MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.",
+  "summary": "MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability",
+  "details": "MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "mlflow"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.8.0rc0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,18 @@
       "type": "WEB",
       "url": "https://github.com/mlflow/mlflow/pull/19260"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mlflow/mlflow/commit/5bf2ec2bd4222a18d78631183ac7f6b752afe8a4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mlflow/mlflow"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mlflow/mlflow/releases/tag/v3.8.0rc0"
+    },
     {
       "type": "WEB",
       "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-105"
@@ -33,8 +66,8 @@
       "CWE-22"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T20:03:07Z",
     "nvd_published_at": "2026-02-20T23:16:03Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-34g8-9fpp-46ch/GHSA-34g8-9fpp-46ch.json

@@ -0,0 +1,141 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-34g8-9fpp-46ch",
+  "modified": "2026-03-17T20:01:22Z",
+  "published": "2026-03-16T15:30:43Z",
+  "aliases": [
+    "CVE-2026-2456"
+  ],
+  "summary": "Mattermost fails to limit the size of responses from integration action endpoints",
+  "details": "Mattermost versions 11.3.x <= 11.3.0, 11.2.x <= 11.2.2, 10.11.x <= 10.11.10 Mattermost fails to limit the size of responses from integration action endpoints, which allows an authenticated attacker to cause server memory exhaustion and denial of service via a malicious integration server that returns an arbitrarily large response when a user clicks an interactive message button. Mattermost Advisory ID: MMSA-2026-00571",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost/server/v8"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.0.0-20260127165411-fe3052073dc6"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.3.2-0.20260127165411-fe3052073dc6"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.11.0-rc1"
+            },
+            {
+              "fixed": "10.11.11"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.2.0-rc1"
+            },
+            {
+              "fixed": "11.2.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/mattermost/mattermost-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "11.3.0-rc1"
+            },
+            {
+              "fixed": "11.3.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2456"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mattermost/mattermost/commit/fe3052073dc67e3c920baf9fe7efd44ac1d8124c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mattermost/mattermost"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mattermost.com/security-updates"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-789"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T20:01:22Z",
+    "nvd_published_at": "2026-03-16T14:19:29Z"
+  }
+}