Publish Advisories

GHSA-38h3-2333-qx47
GHSA-8wmw-prw8-2ggm
GHSA-xw5c-jc7x-gf75

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-38h3-2333-qx47/GHSA-38h3-2333-qx47.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-38h3-2333-qx47",
+  "modified": "2026-04-18T01:05:12Z",
+  "published": "2026-04-18T01:05:12Z",
+  "aliases": [
+    "CVE-2026-41078"
+  ],
+  "summary": "OpenTelemetry .NET has potential memory exhaustion via unbounded pooled-list sizing in Jaeger exporter conversion path",
+  "details": "### Summary\n\n> [!IMPORTANT]  \n> There is no plan to fix this issue as `OpenTelemetry.Exporter.Jaeger` was deprecated in 2023. It is for informational purposes only.\n\n`OpenTelemetry.Exporter.Jaeger` may allow sustained memory pressure when the internal pooled-list sizing grows based on a large observed span/tag set and that enlarged size is reused for subsequent allocations. Under high-cardinality or attacker-influenced telemetry input, this can increase memory consumption and potentially cause denial of service.\n\n### Details\n\nThe Jaeger exporter conversion path can append tag/event data into pooled list structures. In affected versions, pooled allocation sizing may be influenced by large observed payloads and reused globally across later allocations, resulting in persistent oversized rentals and elevated memory pressure. In environments where telemetry attributes/events can be influenced by untrusted input and limits are increased from defaults, this may lead to process instability or denial of service.\n\n### Impact\n\nAvailability impact only. Confidentiality and integrity impacts are not expected.\n\n### Workarounds / Mitigations\n\n* Prefer maintained exporters (for example OpenTelemetry Protocol format (OTLP)) instead of the Jaeger exporter.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "OpenTelemetry.Exporter.Jaeger"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.6.0-rc.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/open-telemetry/opentelemetry-dotnet/security/advisories/GHSA-38h3-2333-qx47"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/open-telemetry/opentelemetry-dotnet"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400",
+      "CWE-770"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:05:12Z",
+    "nvd_published_at": null
+  }
+}

…-8wmw-prw8-2ggm/GHSA-8wmw-prw8-2ggm.json …-8wmw-prw8-2ggm/GHSA-8wmw-prw8-2ggm.jsonadvisories/unreviewed/2026/04/GHSA-8wmw-prw8-2ggm/GHSA-8wmw-prw8-2ggm.json renamed to advisories/github-reviewed/2026/04/GHSA-8wmw-prw8-2ggm/GHSA-8wmw-prw8-2ggm.json advisories/unreviewed/2026/04/GHSA-8wmw-prw8-2ggm/GHSA-8wmw-prw8-2ggm.json renamed to advisories/github-reviewed/2026/04/GHSA-8wmw-prw8-2ggm/GHSA-8wmw-prw8-2ggm.json

@@ -1,21 +1,47 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8wmw-prw8-2ggm",
-  "modified": "2026-04-17T15:31:18Z",
+  "modified": "2026-04-18T01:03:36Z",
   "published": "2026-04-17T15:31:18Z",
   "aliases": [
     "CVE-2026-31317"
   ],
-  "details": "Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file",
-  "severity": [],
-  "affected": [],
+  "summary": "Craftql vulnerable to Server-Side Request Forgery",
+  "details": "Craftql v1.3.7 and before is vulnerable to Server-Side Request Forgery (SSRF) which allows an attacker to execute arbitrary code via the vendor/markhuot/craftql/src/Listeners/GetAssetsFieldSchema.php file.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "markhuot/craftql"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.3.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31317"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/markhuot/craftql"
     },
     {
@@ -28,10 +54,12 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:03:36Z",
     "nvd_published_at": "2026-04-17T14:16:33Z"
   }
 }

…-xw5c-jc7x-gf75/GHSA-xw5c-jc7x-gf75.json …-xw5c-jc7x-gf75/GHSA-xw5c-jc7x-gf75.jsonadvisories/unreviewed/2026/04/GHSA-xw5c-jc7x-gf75/GHSA-xw5c-jc7x-gf75.json renamed to advisories/github-reviewed/2026/04/GHSA-xw5c-jc7x-gf75/GHSA-xw5c-jc7x-gf75.json advisories/unreviewed/2026/04/GHSA-xw5c-jc7x-gf75/GHSA-xw5c-jc7x-gf75.json renamed to advisories/github-reviewed/2026/04/GHSA-xw5c-jc7x-gf75/GHSA-xw5c-jc7x-gf75.json

@@ -1,19 +1,59 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xw5c-jc7x-gf75",
-  "modified": "2026-04-17T15:31:18Z",
+  "modified": "2026-04-18T01:04:38Z",
   "published": "2026-04-17T15:31:18Z",
   "aliases": [
     "CVE-2026-40458"
   ],
-  "details": "PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent.\n\nThis issue was fixed in PAC4J versions 5.7.10 and 6.4.1",
+  "summary": "PAC4J has a Cross-Site Request Forgery (CSRF) Vulnerability",
+  "details": "PAC4J is vulnerable to Cross-Site Request Forgery (CSRF). A malicious attacker can craft a specially designed website which, when visited by a user, will automatically submit a forged cross-site request with a token whose hash collides with the victim's legitimate CSRF token. Importantly, the attacker does not need to know the victim’s CSRF token or its hash prior to the attack. Collisions in the deterministic String.hashCode() function can be computed directly, reducing the effective token's security space to 32 bits. This bypasses CSRF protection, allowing profile updates, password changes, account linking, and any other state-changing operations to be performed without the victim's consent.\n\nThis issue was fixed in PAC4J versions 5.7.10 and 6.4.1.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.pac4j:pac4j-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.7.10"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.pac4j:pac4j-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.0.0-RC1"
+            },
+            {
+              "fixed": "6.4.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +63,10 @@
       "type": "WEB",
       "url": "https://cert.pl/en/posts/2026/04/CVE-2026-40458"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pac4j/pac4j"
+    },
     {
       "type": "WEB",
       "url": "https://www.pac4j.org/blog/security-advisory-pac4j-core-and-ldap.html"
@@ -33,8 +77,8 @@
       "CWE-352"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-18T01:04:38Z",
     "nvd_published_at": "2026-04-17T14:16:33Z"
   }
 }