Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b4a354a6ac29 · 2026-04-01T00:05:31.000Z
GHSA-g5vp-j278-8pjh GHSA-8rh7-6779-cjqq GHSA-f6j3-w9v3-cq22 GHSA-ghq9-vc6f-8qjf
diff --git a/advisories/github-reviewed/2024/11/GHSA-g5vp-j278-8pjh/GHSA-g5vp-j278-8pjh.json b/advisories/github-reviewed/2024/11/GHSA-g5vp-j278-8pjh/GHSA-g5vp-j278-8pjh.json
@@ -1,13 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g5vp-j278-8pjh",
-  "modified": "2025-01-21T19:43:05Z",
+  "modified": "2026-04-01T00:03:50Z",
   "published": "2024-11-12T18:30:59Z",
-  "aliases": [
-    "CVE-2024-49048"
-  ],
-  "summary": "TorchGeo Remote Code Execution Vulnerability",
-  "details": "TorchGeo Remote Code Execution Vulnerability",
+  "withdrawn": "2026-04-01T00:03:50Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: TorchGeo Remote Code Execution Vulnerability",
+  "details": "## Duplicate Advisory\n\nThis advisory has been withdrawn because it is a duplicate of GHSA-ghq9-vc6f-8qjf. This link is maintained to preserve external references.\n\n## Original Description\nTorchGeo Remote Code Execution Vulnerability",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2026/04/GHSA-8rh7-6779-cjqq/GHSA-8rh7-6779-cjqq.json b/advisories/github-reviewed/2026/04/GHSA-8rh7-6779-cjqq/GHSA-8rh7-6779-cjqq.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8rh7-6779-cjqq",
+  "modified": "2026-04-01T00:02:42Z",
+  "published": "2026-04-01T00:02:42Z",
+  "aliases": [],
+  "summary": "OpenClaw has a CWD `.env` environment variable injection which bypasses host-env policy and allows config takeover",
+  "details": "## Summary\n\nOpenClaw loaded the current working directory `.env` before trusted state-dir configuration, allowing untrusted workspace state to inject host environment values.\n\n## Impact\n\nA repository or workspace containing a malicious `.env` file could override runtime configuration and security-sensitive environment settings when OpenClaw started there.\n\n## Affected Component\n\n`src/infra/dotenv.ts, src/cli/dotenv.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `6a79324802` (`Filter untrusted CWD .env entries before OpenClaw startup`).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2026.3.24"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8rh7-6779-cjqq"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/6a793248024dca7685f63bcceb64a0096fd1586d"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-426"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T00:02:42Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-f6j3-w9v3-cq22/GHSA-f6j3-w9v3-cq22.json b/advisories/github-reviewed/2026/04/GHSA-f6j3-w9v3-cq22/GHSA-f6j3-w9v3-cq22.json
@@ -0,0 +1,96 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f6j3-w9v3-cq22",
+  "modified": "2026-04-01T00:03:19Z",
+  "published": "2026-04-01T00:03:19Z",
+  "aliases": [
+    "CVE-2026-34574"
+  ],
+  "summary": "Parse Server has a session field immutability bypass via falsy-value guard",
+  "details": "### Impact\n\nAn authenticated user can bypass the immutability guard on session fields (`expiresAt`, `createdWith`) by sending a null value in a PUT request to the session update endpoint. This allows nullifying the session expiry, making the session valid indefinitely and bypassing configured session length policies.\n\n### Patches\n\nThe truthiness-based guard checks were replaced with key-presence checks that reject any value for protected session fields, including null.\n\n### Workarounds\n\nThere is no known workaround. A `beforeSave` trigger on `_Session` could be used to reject null values for `expiresAt` and `createdWith`.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "9.0.0"
+            },
+            {
+              "fixed": "9.7.0-alpha.14"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "parse-server"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "8.6.69"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-f6j3-w9v3-cq22"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34574"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10347"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/pull/10348"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/90802969fc713b7bc9733d7255c7519a6ed75d21"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/ebccd7fe2708007e62f705ee1c820a6766178777"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parse-community/parse-server"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-697"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T00:03:19Z",
+    "nvd_published_at": "2026-03-31T16:16:33Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-ghq9-vc6f-8qjf/GHSA-ghq9-vc6f-8qjf.json b/advisories/github-reviewed/2026/04/GHSA-ghq9-vc6f-8qjf/GHSA-ghq9-vc6f-8qjf.json
@@ -0,0 +1,89 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ghq9-vc6f-8qjf",
+  "modified": "2026-04-01T00:03:56Z",
+  "published": "2026-04-01T00:03:56Z",
+  "aliases": [
+    "CVE-2024-49048"
+  ],
+  "summary": "TorchGeo Remote Code Execution Vulnerability",
+  "details": "### Impact\n\nTorchGeo 0.4–0.6.0 used an [`eval`](https://docs.python.org/3/library/functions.html#eval) statement in its model weight API that could allow an unauthenticated, remote attacker to execute arbitrary commands. All platforms that expose [`torchgeo.models.get_weight()`](https://torchgeo.readthedocs.io/en/v0.6.0/api/models.html#torchgeo.models.get_weight) or [`torchgeo.trainers`](https://torchgeo.readthedocs.io/en/v0.6.0/api/trainers.html) as an external API could be affected.\n\n### Patches\n\nThe `eval` statement was replaced with a fixed enum lookup, preventing arbitrary code injection. All users are encouraged to upgrade to TorchGeo 0.6.1 or newer.\n\n### Workarounds\n\nIn unpatched versions, input validation and sanitization can be used to avoid this vulnerability.\n\n### References\n\n#### Bug history\n\n* Introduced: https://github.com/torchgeo/torchgeo/pull/917\n* Patched: https://github.com/torchgeo/torchgeo/pull/2323\n* Released: [v0.6.1](https://github.com/microsoft/torchgeo/releases/tag/v0.6.1)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "torchgeo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.4"
+            },
+            {
+              "fixed": "0.6.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.6.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/torchgeo/torchgeo/security/advisories/GHSA-ghq9-vc6f-8qjf"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-49048"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/torchgeo/torchgeo/pull/2323"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/torchgeo/torchgeo/pull/917"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/torchgeo/torchgeo/commit/1a980788cb7089a1115f3b786c7daa9dd47d7d7a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/microsoft/torchgeo/releases/tag/v0.6.1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pypa/advisory-database/tree/main/vulns/torchgeo/PYSEC-2024-204.yaml"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/torchgeo/torchgeo"
+    },
+    {
+      "type": "WEB",
+      "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49048"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-94",
+      "CWE-95"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T00:03:56Z",
+    "nvd_published_at": null
+  }
+}
