Publish Advisories

GHSA-29r8-gvx4-r9w3
GHSA-8p2x-5cpm-qrqw
GHSA-9ffq-6457-8958
GHSA-fh48-f69w-7vmp
GHSA-fr76-5637-w3g9
GHSA-ghx5-7jjg-q2j7
GHSA-j36m-74g2-7m95
GHSA-m59h-42jf-cphr
GHSA-m99f-mmvg-3xmx
GHSA-pwjx-qhcg-rvj4
GHSA-wxjx-r2j2-96fx

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-29r8-gvx4-r9w3/GHSA-29r8-gvx4-r9w3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-29r8-gvx4-r9w3",
-  "modified": "2026-03-18T16:17:26Z",
+  "modified": "2026-03-25T19:53:20Z",
   "published": "2026-03-17T09:31:28Z",
   "aliases": [
     "CVE-2026-4208"
@@ -28,14 +28,11 @@
               "introduced": "0"
             },
             {
-              "fixed": "2.0.1"
+              "fixed": "1.0.7"
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 2.0.0"
-      }
+      ]
     },
     {
       "package": {
@@ -47,17 +44,17 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "2.0.0"
             },
             {
-              "fixed": "1.0.7"
+              "fixed": "2.0.1"
             }
           ]
         }
       ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 1.0.5"
-      }
+      "versions": [
+        "2.0.0"
+      ]
     }
   ],
   "references": [
@@ -73,6 +70,14 @@
       "type": "PACKAGE",
       "url": "https://github.com/MrSilaz/mfa_email"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/MrSilaz/mfa_email/releases/tag/v1.0.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/MrSilaz/mfa_email/releases/tag/v2.0.1"
+    },
     {
       "type": "WEB",
       "url": "https://typo3.org/security/advisory/typo3-ext-sa-2026-007"

advisories/github-reviewed/2026/03/GHSA-8p2x-5cpm-qrqw/GHSA-8p2x-5cpm-qrqw.json

@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8p2x-5cpm-qrqw",
+  "modified": "2026-03-25T19:54:42Z",
+  "published": "2026-03-25T19:54:42Z",
+  "aliases": [
+    "CVE-2026-33690"
+  ],
+  "summary": "AVideo vulnerable to IP Address Spoofing via Untrusted HTTP Headers in getRealIpAddr()",
+  "details": "## Summary\n\nThe `getRealIpAddr()` function in `objects/functions.php` trusts user-controlled HTTP headers to determine the client's IP address. \nAn attacker can spoof their IP address by sending forged headers, bypassing any IP-based access controls or audit logging.\n\n## Vulnerable Code\n\nFile: `objects/functions.php`\n```php\n$headers = [\n    'HTTP_X_REAL_IP',      \n    'HTTP_CLIENT_IP',    \n    'HTTP_X_FORWARDED_FOR',\n    'REMOTE_ADDR'\n];\n\nforeach ($headers as $header) {\n    if (!empty($_SERVER[$header])) {\n        $ips = explode(',', $_SERVER[$header]);\n        foreach ($ips as $ipCandidate) {\n            $ipCandidate = trim($ipCandidate);\n            if (filter_var($ipCandidate, FILTER_VALIDATE_IP, \n                           FILTER_FLAG_IPV4)) {\n                return $ipCandidate; \n            }\n        }\n    }\n}\n```\n\n## Attack Scenario\n\n1. Attacker sends request with forged header:\n```\nX-Client-IP: 127.0.0.1\n```\nor\n```\nX-Real-IP: 192.168.1.1\n```\n\n2. `getRealIpAddr()` returns the forged IP\n3. Any IP-based rate limiting, access control, or audit \n   log that relies on this function is bypassed\n\n## Proof of Concept\n```bash\ncurl -H \"X-Client-IP: 127.0.0.1\" \\\n     https://target.com/any_endpoint.php\n```\n\nThe server now believes the request came from localhost.\n\n## Impact\n- Bypass IP-based rate limiting\n- Bypass IP-based access controls\n- Forge audit log entries\n- Potential privilege escalation if localhost is trusted",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "wwbn/avideo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-8p2x-5cpm-qrqw"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33690"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/commit/1a1df6a9377e5cc67d1d0ac8ef571f7abbffbc6c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WWBN/AVideo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-348"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-25T19:54:42Z",
+    "nvd_published_at": "2026-03-23T19:16:42Z"
+  }
+}

advisories/github-reviewed/2026/03/GHSA-9ffq-6457-8958/GHSA-9ffq-6457-8958.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-9ffq-6457-8958",
+  "modified": "2026-03-25T20:01:04Z",
+  "published": "2026-03-25T20:01:04Z",
+  "aliases": [
+    "CVE-2026-33686"
+  ],
+  "summary": "Sharp is Vulnerable to Path Traversal via Unsanitized Extension in FileUtil",
+  "details": "### Summary\nA path traversal vulnerability exists in the FileUtil class of the code16/sharp package. The application fails to sanitize file extensions properly, allowing path separators to be passed into the storage layer.\n\n### Detail\nIn `src/Utils/FileUtil.php`, the `FileUtil::explodeExtension()` function extracts a file's extension by splitting the filename at the last dot. However, the extracted extension is never sanitized. While the application uses a `normalizeName()` function, this function only cleans the base filename, meaning any path separators (such as /) injected into the extension will survive and be passed into the `storeAs()` function.\n\n### Impact\nExploiting this flaw allows an authenticated attacker to manipulate file paths:\n- Files can be written outside of the intended tmp directory via path traversal. For more details on the package, visit: https://github.com/code16/sharp\n- Existing critical files (such as .env or configuration files) could potentially be overwritten. Review the CWE definition here: https://cwe.mitre.org/data/definitions/22.html (Note: This vulnerability was successfully chained with CWE-434 in a local Proof of Concept to confirm the traversal.)\n\n### Patches\nThis issue has been patched by properly sanitizing the extension using `pathinfo(PATHINFO_EXTENSION)` instead of `strrpos()`, alongside applying strict regex replacements to both the base name and the extension. The fix is available in pull request #715\n\n### Credits\nReported by [zaurgsynv](https://github.com/zaurgsynv).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "code16/sharp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.20.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/code16/sharp/security/advisories/GHSA-9ffq-6457-8958"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/code16/sharp/pull/715"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/code16/sharp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-25T20:01:04Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-fh48-f69w-7vmp/GHSA-fh48-f69w-7vmp.json

@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fh48-f69w-7vmp",
+  "modified": "2026-03-25T19:56:00Z",
+  "published": "2026-03-25T19:56:00Z",
+  "aliases": [
+    "CVE-2026-33517"
+  ],
+  "summary": "MantisBT Vulnerable to Stored HTML Injection in Tag Delete Confirmation",
+  "details": "Improper escaping of Tag name when deleting it in tag_delete.php allows an attacker to inject HTML and, if CSP settings permit, achieve execution of arbitrary JavaScript.\n\n### Impact\nCross-site scripting (XSS).\n\n### Patches\n80990f43153167c73f11eb4b2bc7108d0c3d6b46\n\n### Workarounds\n* Revert commit d6890320752ecf37bd74d11fe14fe7dc12335be9\n* Manually edit language files to remove the sprintf placeholder `%1$s` from *$s_tag_delete_message*  string, for example with `sed -r -i '/tag_delete_message/s/.%1\\$s.//' -- lang/`\n\n### Credits\nMantisBT hanks Vishal Shukla for discovering and responsibly reporting the issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mantisbt/mantisbt"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.28.0"
+            },
+            {
+              "fixed": "2.28.1"
+            }
+          ]
+        }
+      ],
+      "versions": [
+        "2.28.0"
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/security/advisories/GHSA-fh48-f69w-7vmp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33517"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/commit/80990f43153167c73f11eb4b2bc7108d0c3d6b46"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mantisbt/mantisbt/commit/d6890320752ecf37bd74d11fe14fe7dc12335be9"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mantisbt/mantisbt"
+    },
+    {
+      "type": "WEB",
+      "url": "https://mantisbt.org/bugs/view.php?id=36971"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-25T19:56:00Z",
+    "nvd_published_at": "2026-03-23T20:16:27Z"
+  }
+}

advisories/github-reviewed/2026/03/GHSA-fr76-5637-w3g9/GHSA-fr76-5637-w3g9.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fr76-5637-w3g9",
+  "modified": "2026-03-25T20:00:24Z",
+  "published": "2026-03-25T20:00:24Z",
+  "aliases": [
+    "CVE-2026-33687"
+  ],
+  "summary": "Sharp has Unrestricted File Upload via Client-Controlled Validation Rules",
+  "details": "### Summary \nThe `code16/sharp` Laravel admin panel package contains a vulnerability in its file upload endpoint that allows authenticated users to bypass all file type restrictions.\n\n### Details\nThe upload endpoint within the `ApiFormUploadController` accepts a client-controlled `validation_rule` parameter. This parameter is directly passed into the Laravel validator without sufficient server-side enforcement. By intercepting the request and sending `validation_rule[]=file`, an attacker can completely bypass all MIME type and file extension restrictions. The vulnerable code is located in `src/Http/Controllers/Api/ApiFormUploadController.php` at line 24.\n\n### Impact\nThis vulnerability leads to several critical security risks:\n\nAttackers can upload arbitrary files, including PHP webshells, to the server. For more details on the package, visit: https://github.com/code16/sharp\n\nMIME type and extension validation can be bypassed entirely via client-controlled rules. Review the CWE definition here: https://cwe.mitre.org/data/definitions/434.html\n\nIf the storage disk is configured to be publicly accessible, this can lead to Remote Code Execution (RCE). See the vendor repository: https://github.com/code16/sharp\n\n(Note: Under default configurations, executing uploaded PHP files directly is not possible unless a public disk configuration is in place.)\n\n### Patches\nThis issue has been addressed by removing the client-controlled validation rules and strictly defining upload rules server-side. The fix is available in pull request https://github.com/code16/sharp/pull/714.\n\n### Workarounds\n- Restrict Disk Access: Ensure that the storage disk used for Sharp uploads is strictly private. Under default configurations, an attacker cannot directly execute uploaded PHP files unless a public disk configuration is explicitly used. For more details on Laravel disk configurations, visit: https://laravel.com/docs/13.x/filesystem\n\n### Credits\nReported by [zaurgsynv](https://github.com/zaurgsynv).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "code16/sharp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.20.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/code16/sharp/security/advisories/GHSA-fr76-5637-w3g9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/code16/sharp/pull/714"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/code16/sharp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/code16/sharp/releases/tag/v9.20.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://laravel.com/docs/13.x/filesystem"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-25T20:00:24Z",
+    "nvd_published_at": null
+  }
+}