Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit c1ee3f5c8e28 · 2026-03-17T17:09:01.000Z
GHSA-7x5c-vfhj-9628 GHSA-7x6v-j9x4-qf24 GHSA-wfv2-pwc8-crg5
diff --git a/advisories/github-reviewed/2026/03/GHSA-7x5c-vfhj-9628/GHSA-7x5c-vfhj-9628.json b/advisories/github-reviewed/2026/03/GHSA-7x5c-vfhj-9628/GHSA-7x5c-vfhj-9628.json
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7x5c-vfhj-9628",
+  "modified": "2026-03-17T17:07:41Z",
+  "published": "2026-03-17T17:07:41Z",
+  "aliases": [
+    "CVE-2026-31891"
+  ],
+  "summary": "Cockpit CMS has SQL Injection in MongoLite Aggregation Optimizer via toJsonExtractRaw() ",
+  "details": "### Impact\n\nThis is a SQL Injection vulnerability in the MongoLite Aggregation Optimizer.\n\nAny Cockpit CMS instance running version **2.13.4 or earlier** with API access enabled\nis potentially affected.\n\n**Who is impacted:**\n- Any deployment where the `/api/content/aggregate/{model}` endpoint is publicly\n  accessible or reachable by untrusted users.\n- Attackers in possession of a **valid read-only API key** (the lowest privilege level)\n  can exploit this vulnerability — no admin access is required.\n\n**What an attacker can do:**\n- Inject arbitrary SQL via unsanitized field names in aggregation queries.\n- Bypass the `_state=1` published-content filter to access unpublished or restricted content.\n- Extract unauthorized data from the underlying SQLite content database.\n\n**Confidentiality impact is High.** Integrity and availability are not directly affected\nby this vulnerability.\n\n### Patches\n\nThis vulnerability has been **patched in version 2.13.5**.\n\nAll users running Cockpit CMS version **2.13.4 or earlier** are strongly advised to\nupgrade to **2.13.5 or later** immediately.\n\n- https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5\n\nThe fix applies the same field-name sanitization introduced in v2.13.3 for `toJsonPath()`\nto the `toJsonExtractRaw()` method in `lib/MongoLite/Aggregation/Optimizer.php`,\nclosing the injection vector in the Aggregation Optimizer.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "cockpit-hq/cockpit"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.13.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Cockpit-HQ/Cockpit/security/advisories/GHSA-7x5c-vfhj-9628"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Cockpit-HQ/Cockpit"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.13.5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T17:07:41Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-7x6v-j9x4-qf24/GHSA-7x6v-j9x4-qf24.json b/advisories/github-reviewed/2026/03/GHSA-7x6v-j9x4-qf24/GHSA-7x6v-j9x4-qf24.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7x6v-j9x4-qf24",
+  "modified": "2026-03-17T17:07:51Z",
+  "published": "2026-03-17T17:07:51Z",
+  "aliases": [
+    "CVE-2026-31898"
+  ],
+  "summary": "jsPDF has a PDF Object Injection via FreeText color",
+  "details": "### Impact\n\nUser control of arguments of the `createAnnotation` method allows users to inject arbitrary PDF objects, such as JavaScript actions.\n\nIf given the possibility to pass unsanitized input to the following method, a user can inject arbitrary PDF objects, such as JavaScript actions, which might trigger when the PDF is opened or interacted with..\n\n* `createAnnotation`: `color` parameter\n\nExample attack vector:\n\n```js\nimport { jsPDF } from 'jspdf'\n\nconst doc = new jsPDF();\n\nconst payload = '000000) /AA <</E <</S /Launch /F (calc.exe)>>>> (';\n\ndoc.createAnnotation({\n  type: 'freetext',\n  bounds: { x: 10, y: 10, w: 120, h: 20 },\n  contents: 'hello',\n  color: payload\n});\n\ndoc.save('test.pdf');\n```\n\n### Patches\n\nThe vulnerability has been fixed in jsPDF@4.2.1.\n\n### Workarounds\nSanitize user input before passing it to the vulnerable API members.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "jspdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.2.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.2.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-7x6v-j9x4-qf24"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/commit/4155c4819d5eca284168e51e0e1e81126b4f14b8"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parallax/jsPDF"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-116"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T17:07:51Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-wfv2-pwc8-crg5/GHSA-wfv2-pwc8-crg5.json b/advisories/github-reviewed/2026/03/GHSA-wfv2-pwc8-crg5/GHSA-wfv2-pwc8-crg5.json
@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wfv2-pwc8-crg5",
+  "modified": "2026-03-17T17:07:59Z",
+  "published": "2026-03-17T17:07:59Z",
+  "aliases": [
+    "CVE-2026-31938"
+  ],
+  "summary": "jsPDF has HTML Injection in New Window paths",
+  "details": "### Impact\n\nUser control of the `options` argument of the `output` function allows attackers to inject arbitrary HTML (such as scripts) into the browser context the created PDF is opened in. The affected overloads and options are:\n\n* `\"pdfobjectnewwindow\"`: the `pdfObjectUrl` option and the entire options object, which is JSON-serialized and included verbatim in the generated HTML-string.\n* `\"pdfjsnewwindow\"`: the `pdfJsUrl` and `filename` options\n* `\"dataurlnewwindow\"`: the `filename` option\n\nThe vulnerability can be exploited in the following scenario: the attacker provides values for the output options, for example via a web interface. These values are then passed unsanitized (automatically or semi-automatically) to the attack victim. The victim creates and opens a PDF with the attack vector using one of the vulnerable method overloads inside their browser. The attacker can thus inject scripts that run in the victims browser context and can extract or modify secrets from this context.\n\nExample attack vector:\n\n```js\nimport { jsPDF } from 'jspdf';\nconst doc = new jsPDF();\n\nconst payload =  'x\\\"></iframe><script>window.__n=1</script><iframe src=\"';\n\ndoc.output('pdfjsnewwindow', {\n  filename: payload,\n  pdfJsUrl: 'viewer.html'\n});\n```\n\n### Patches\nThe vulnerability has been fixed in jspdf@4.2.1.\n\n### Workarounds\nSanitize user input before passing it to the output method.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "jspdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.2.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.2.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/security/advisories/GHSA-wfv2-pwc8-crg5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/commit/87a40bbd07e6b30575196370670b41f264aa78d7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/parallax/jsPDF"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parallax/jsPDF/releases/tag/v4.2.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-17T17:07:59Z",
+    "nvd_published_at": null
+  }
+}
