Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit cc109601c53c · 2026-04-08T15:10:54.000Z
GHSA-588r-cr5c-w6hf GHSA-p8xc-w3q4-h64x
diff --git a/advisories/github-reviewed/2026/04/GHSA-588r-cr5c-w6hf/GHSA-588r-cr5c-w6hf.json b/advisories/github-reviewed/2026/04/GHSA-588r-cr5c-w6hf/GHSA-588r-cr5c-w6hf.json
@@ -0,0 +1,117 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-588r-cr5c-w6hf",
+  "modified": "2026-04-08T15:09:01Z",
+  "published": "2026-04-08T15:09:01Z",
+  "aliases": [
+    "CVE-2026-34588"
+  ],
+  "summary": "OpenEXR has a signed 32-bit Overflow in PIZ Decoder Leads to OOB Read/Write",
+  "details": "## Summary\n\n`internal_exr_undo_piz()` advances the working wavelet pointer with signed 32-bit arithmetic:\n\n```c\nwavbuf += nx * ny * wcount;\n```\n\nBecause `nx`, `ny`, and `wcount` are `int`, a crafted EXR file can make this product overflow and wrap. The next channel then decodes from an incorrect address. The wavelet decode path operates in place, so this yields both out-of-bounds reads and out-of-bounds writes.\n\nTested on commit 7820b7e1b93405ba1d551c43a945018226b75bc5\n\n## Technical Details\n\nThe vulnerable decode path is:\n\n1. `internal_exr_undo_piz()` sets `wavbuf = decode->scratch_buffer_1`.\n2. For each channel, it calls `wav_2D_decode (wavbuf + j, ...)`.\n3. It then advances `wavbuf` with `wavbuf += nx * ny * wcount`.\n\nThe overflow happens in step 3. Once `wavbuf` is wrapped, the next channel's wavelet decode runs on the wrong address.\n\nIn the 14-bit wavelet path, `wdec14_4()` first reads:\n\n- `*px`\n- `*p10`\n- `*p01`\n- `*p11`\n\nand then writes back to the same locations:\n\n- `*px  = ...`\n- `*p01 = ...`\n- `*p10 = ...`\n- `*p11 = ...`\n\nAs a result, the bug is not just a crash-only invalid read. It is an out-of-bounds read/write condition.\n\n## Reproduction\n\n[piz_scanline_redzone.zip](https://github.com/user-attachments/files/26318946/piz_scanline_redzone.zip)\n\nBuild `exrcheck` with ASAN and run:\n\n```\n❯ ./build-asan/bin/exrcheck /tmp/piz_scanline_redzone.exr\n file /tmp/piz_scanline_redzone.exr /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_piz.c:373:19: runtime error: signed integer overflow: 134217724 * 32 cannot be represented in type 'int'\n=================================================================\n==1711239==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x7bedc3934700 at pc 0x7bf1f100f498 bp 0x7ffe032d8f00 sp 0x7ffe032d8ef0\nREAD of size 2 at 0x7bedc3934700 thread T0\n    #0 0x7bf1f100f497 in wdec14_4 /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_piz.c:148\n    #1 0x7bf1f100f497 in wav_2D_decode /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_piz.c:403\n    #2 0x7bf1f100f497 in internal_exr_undo_piz /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_piz.c:727\n    #3 0x7bf1f115b038 in exr_uncompress_chunk /home/pop/sec/openexr/src/lib/OpenEXRCore/compression.c:546\n    #4 0x7bf1f1161168 in exr_decoding_run /home/pop/sec/openexr/src/lib/OpenEXRCore/decoding.c:580\n    #5 0x7bf1f2a71add in run_decode /home/pop/sec/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:586\n    #6 0x7bf1f2a83dc4 in Imf_4_0::ScanLineInputFile::Data::readPixels(Imf_4_0::FrameBuffer const&, int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:500\n    #7 0x7bf1f28c6a81 in Imf_4_0::InputFile::Data::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfInputFile.cpp:458\n    #8 0x7bf1f3bfe2dc in readScanline<Imf_4_0::InputPart> /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:239\n    #9 0x7bf1f3c05b04 in readMultiPart /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:905\n    #10 0x7bf1f3c126fd in runChecks<char const*> /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1171\n    #11 0x7bf1f3c146b9 in Imf_4_0::checkOpenEXRFile(char const*, bool, bool, bool) /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1835\n    #12 0x5d9675fce8f8 in exrCheck(char const*, bool, bool, bool, bool) /home/pop/sec/openexr/src/bin/exrcheck/main.cpp:96\n    #13 0x5d9675fcb2b1 in main /home/pop/sec/openexr/src/bin/exrcheck/main.cpp:164\n    #14 0x7bf1efe2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n    #15 0x7bf1efe2a28a in __libc_start_main_impl ../csu/libc-start.c:360\n    #16 0x5d9675fcc844 in _start (/home/pop/sec/openexr/build-asan/bin/exrcheck+0xe844) (BuildId: 087c972343a5372940c42c0a2e7bce4a84288aec)\n\n0x7bedc3934700 is located 256 bytes before 8590720784-byte region [0x7bedc3934800,0x7befc39f4710)\nallocated by thread T0 here:\n    #0 0x7bf1f40fd9c7 in malloc ../../../../src/libsanitizer/asan/asan_malloc_linux.cpp:69\n    #1 0x7bf1f115883e in internal_decode_alloc_buffer /home/pop/sec/openexr/src/lib/OpenEXRCore/coding.c:256\n    #2 0x7bf1f100da97 in internal_exr_undo_piz /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_piz.c:643\n    #3 0x7bf1f115b038 in exr_uncompress_chunk /home/pop/sec/openexr/src/lib/OpenEXRCore/compression.c:546\n    #4 0x7bf1f1161168 in exr_decoding_run /home/pop/sec/openexr/src/lib/OpenEXRCore/decoding.c:580\n    #5 0x7bf1f2a71add in run_decode /home/pop/sec/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:586\n    #6 0x7bf1f2a83dc4 in Imf_4_0::ScanLineInputFile::Data::readPixels(Imf_4_0::FrameBuffer const&, int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:500\n    #7 0x7bf1f28c6a81 in Imf_4_0::InputFile::Data::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfInputFile.cpp:458\n    #8 0x7bf1f3bfe2dc in readScanline<Imf_4_0::InputPart> /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:239\n    #9 0x7bf1f3c05b04 in readMultiPart /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:905\n    #10 0x7bf1f3c126fd in runChecks<char const*> /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1171\n    #11 0x7bf1f3c146b9 in Imf_4_0::checkOpenEXRFile(char const*, bool, bool, bool) /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1835\n    #12 0x5d9675fce8f8 in exrCheck(char const*, bool, bool, bool, bool) /home/pop/sec/openexr/src/bin/exrcheck/main.cpp:96\n    #13 0x5d9675fcb2b1 in main /home/pop/sec/openexr/src/bin/exrcheck/main.cpp:164\n    #14 0x7bf1efe2a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n    #15 0x7bf1efe2a28a in __libc_start_main_impl ../csu/libc-start.c:360\n    #16 0x5d9675fcc844 in _start (/home/pop/sec/openexr/build-asan/bin/exrcheck+0xe844) (BuildId: 087c972343a5372940c42c0a2e7bce4a84288aec)\n\nSUMMARY: AddressSanitizer: heap-buffer-overflow /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_piz.c:148 in wdec14_4\nShadow bytes around the buggy address:\n  0x7bedc3934480: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7bedc3934500: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7bedc3934580: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7bedc3934600: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7bedc3934680: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n=>0x7bedc3934700:[fa]fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7bedc3934780: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa\n  0x7bedc3934800: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7bedc3934880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7bedc3934900: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\n  0x7bedc3934980: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00\nShadow byte legend (one shadow byte represents 8 application bytes):\n  Addressable:           00\n  Partially addressable: 01 02 03 04 05 06 07\n  Heap left redzone:       fa\n  Freed heap region:       fd\n  Stack left redzone:      f1\n  Stack mid redzone:       f2\n  Stack right redzone:     f3\n  Stack after return:      f5\n  Stack use after scope:   f8\n  Global redzone:          f9\n  Global init order:       f6\n  Poisoned by user:        f7\n  Container overflow:      fc\n  Array cookie:            ac\n  Intra object redzone:    bb\n  ASan internal:           fe\n  Left alloca redzone:     ca\n  Right alloca redzone:    cb\n==1711239==ABORTING\n```\n\nTo prove this is both READ and WRITE, we can also `memcheck` against non-ASAN release build:\n\n```sh\nvalgrind --tool=memcheck --leak-check=no --track-origins=no \\\n  --error-limit=no --num-callers=20 \\\n  ./build-relwithdebinfo/bin/exrcheck /tmp/piz_scanline_redzone.exr\n```\n\nObserved result:\n\n- `Invalid read of size 2` at [internal_piz.c:150](/home/pop/sec/openexr/src/lib/OpenEXRCore/internal_piz.c#L150)\n- `Invalid write of size 2` at [internal_piz.c:171](/home/pop/sec/openexr/src/lib/OpenEXRCore/internal_piz.c#L171)\n\nThis confirms the bug is an OOB read/write, not only a read-first crash.\n\n### Redzone-Oriented File\n\n- width: `67108862`\n- height: `32`\n- channel A: `FLOAT`, sampling `1 x 1`\n- channel B: `HALF`, sampling `33554431 x 16`\n\nThis makes:\n\n```text\nwidth * 32 * 2 = 4294967168\n```\n\nwhich wraps signed 32-bit arithmetic to `-128`.\n\nThat places the next `wavbuf` access just before the allocated buffer, producing a clean heap-overflow report.\n\n## Impact\n\nA crafted EXR file can trigger out-of-bounds memory access during PIZ decompression. The primitive includes both invalid reads and invalid writes. Depending on allocator layout and surrounding memory, this could lead to process crash, memory corruption, or potentially stronger exploitation outcomes.\n\n## Recommended Fix\n\n- compute channel span in 64-bit arithmetic\n- reject any overflow in `nx * ny * wcount`\n- validate cumulative per-channel decoded footprint against `outsz` before wavelet decode\n- fail decompression if channel-derived layout does not exactly fit the decompression buffer\n--------\nFound by: Quang Luong of Calif.io",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "OpenEXR"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.1.0"
+            },
+            {
+              "fixed": "3.2.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "OpenEXR"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.3.0"
+            },
+            {
+              "fixed": "3.3.9"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "OpenEXR"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.4.0"
+            },
+            {
+              "fixed": "3.4.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-588r-cr5c-w6hf"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34588"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125",
+      "CWE-190",
+      "CWE-787"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T15:09:01Z",
+    "nvd_published_at": "2026-04-06T16:16:35Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-p8xc-w3q4-h64x/GHSA-p8xc-w3q4-h64x.json b/advisories/github-reviewed/2026/04/GHSA-p8xc-w3q4-h64x/GHSA-p8xc-w3q4-h64x.json
@@ -0,0 +1,116 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p8xc-w3q4-h64x",
+  "modified": "2026-04-08T15:09:05Z",
+  "published": "2026-04-08T15:09:05Z",
+  "aliases": [
+    "CVE-2026-34589"
+  ],
+  "summary": "OpenEXR: DWA Lossy Decoder Heap Out-of-Bounds Write",
+  "details": "## Summary\n\nThe DWA lossy decoder constructs temporary per-component block pointers using signed 32-bit arithmetic. For a large enough width, the calculation overflows and later decoder stores operate on a wrapped pointer outside the allocated `rowBlock` backing store.\n\nThis bug is reachable from the public decoder path and can be reproduced through the shipped `exrcheck` tool with a crafted scanline DWAA file. The confirmed dynamic symptom is a write-side crash in the lossy DCT execution path.\n\nTested on commit: 7820b7e1b93405ba1d551c43a945018226b75bc5\n\n## Root Cause and Data Flow\n\nThe vulnerable pointer construction lives in `src/lib/OpenEXRCore/internal_dwa_decoder.h`:\n\n```c\nfor (int comp = 1; comp < numComp; ++comp)\n    rowBlock[comp] = rowBlock[comp - 1] + numBlocksX * 64;\n```\n\nThe expression `numBlocksX * 64` is computed as signed `int`. Once `numBlocksX` is large enough, the multiplication wraps, and `rowBlock[comp]` points backward rather than forward into the temporary decode buffer.\n\nLater, `LossyDctDecoder_execute()` uses those derived pointers for real loads and stores during the block shuffle and reconstruction process. At that point the decoder is no longer operating within the bounds of the allocation created for `rowBlockHandle`.\n\nThe public control flow is the standard one:\n\n```c\nInputFile / ScanLineInputFile public read\n  -> exr_decoding_run(...)\n     -> exr_uncompress_chunk(...)\n        -> internal_exr_undo_dwaa(...)\n           -> DwaCompressor_uncompress(...)\n              -> LossyDctDecoder_execute(...)\n```\n\nUBSan gives a clean root-cause diagnosis on the overflowing multiply, while ASAN shows the later memory error in the write-side decode path.\n\n## Reproduction\n\n[dwa_scanline_exrcheck.zip](https://github.com/user-attachments/files/26318786/dwa_scanline_exrcheck.zip)\n\nBuild with `exrcheck` with ASAN and run:\n\n```\n❯ ./build-asan/bin/exrcheck /tmp/dwa_scanline_exrcheck.exr\n file /tmp/dwa_scanline_exrcheck.exr /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:331:58: runtime error: signed integer overflow: 33554432 * 64 cannot be represented in type 'int'\nAddressSanitizer:DEADLYSIGNAL\n=================================================================\n==1684058==ERROR: AddressSanitizer: SEGV on unknown address 0x758f8e5f0800 (pc 0x75979e850336 bp 0x7ffe8f1d3420 sp 0x7ffe8f1d30f0 T0)\n==1684058==The signal is caused by a WRITE memory access.\n    #0 0x75979e850336 in LossyDctDecoder_execute /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:524\n    #1 0x75979e879592 in DwaCompressor_uncompress /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_dwa_compressor.h:1210\n    #2 0x75979e879592 in internal_exr_undo_dwaa /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_dwa.c:231\n    #3 0x75979e95f878 in exr_uncompress_chunk /home/pop/sec/openexr/src/lib/OpenEXRCore/compression.c:542\n    #4 0x75979e9659a8 in exr_decoding_run /home/pop/sec/openexr/src/lib/OpenEXRCore/decoding.c:580\n    #5 0x7597a0271add in run_decode /home/pop/sec/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:586\n    #6 0x7597a0283dc4 in Imf_4_0::ScanLineInputFile::Data::readPixels(Imf_4_0::FrameBuffer const&, int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfScanLineInputFile.cpp:500\n    #7 0x7597a00c6a81 in Imf_4_0::InputFile::Data::readPixels(int, int) /home/pop/sec/openexr/src/lib/OpenEXR/ImfInputFile.cpp:458\n    #8 0x7597a13fe2dc in readScanline<Imf_4_0::InputPart> /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:239\n    #9 0x7597a1405b04 in readMultiPart /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:905\n    #10 0x7597a14126fd in runChecks<char const*> /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1171\n    #11 0x7597a14146b9 in Imf_4_0::checkOpenEXRFile(char const*, bool, bool, bool) /home/pop/sec/openexr/src/lib/OpenEXRUtil/ImfCheckFile.cpp:1835\n    #12 0x61ba9582b8f8 in exrCheck(char const*, bool, bool, bool, bool) /home/pop/sec/openexr/src/bin/exrcheck/main.cpp:96\n    #13 0x61ba958282b1 in main /home/pop/sec/openexr/src/bin/exrcheck/main.cpp:164\n    #14 0x75979d62a1c9 in __libc_start_call_main ../sysdeps/nptl/libc_start_call_main.h:58\n    #15 0x75979d62a28a in __libc_start_main_impl ../csu/libc-start.c:360\n    #16 0x61ba95829844 in _start (/home/pop/sec/openexr/build-asan/bin/exrcheck+0xe844) (BuildId: 087c972343a5372940c42c0a2e7bce4a84288aec)\n\nAddressSanitizer can not provide additional info.\nSUMMARY: AddressSanitizer: SEGV /home/pop/sec/openexr/src/lib/OpenEXRCore/internal_dwa_decoder.h:524 in LossyDctDecoder_execute\n==1684058==ABORTING\n```\n-------\nFound by: Quang Luong of Calif.io",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:N/I:N/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "OpenEXR"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.2.0"
+            },
+            {
+              "fixed": "3.2.7"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "OpenEXR"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.3.0"
+            },
+            {
+              "fixed": "3.3.9"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "OpenEXR"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.4.0"
+            },
+            {
+              "fixed": "3.4.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr/security/advisories/GHSA-p8xc-w3q4-h64x"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34589"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.2.7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.3.9"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AcademySoftwareFoundation/openexr/releases/tag/v3.4.9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-190",
+      "CWE-787"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-08T15:09:05Z",
+    "nvd_published_at": "2026-04-06T16:16:36Z"
+  }
+}
