Publish Advisories

GHSA-32vr-5gcf-3pw2
GHSA-3j3q-wp9x-585p
GHSA-56p5-8mhr-2fph
GHSA-5mwj-v5jw-5c97
GHSA-f292-66h9-fpmf
GHSA-gjw9-34gf-rp6m
GHSA-hfvc-g4fc-pqhx
GHSA-hwg5-x759-7wjg
GHSA-mmg9-6m6j-jqqx
GHSA-p423-j2cm-9vmq
GHSA-qf73-2hrx-xprp
GHSA-rv5g-f82m-qrvv
GHSA-v273-448j-v4qj
GHSA-v6ph-xcq9-qxxj
GHSA-w8rr-5gcm-pp58
GHSA-w8wv-vfpc-hw2w

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-32vr-5gcf-3pw2/GHSA-32vr-5gcf-3pw2.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-32vr-5gcf-3pw2",
-  "modified": "2026-04-08T19:17:11Z",
+  "modified": "2026-04-09T14:29:45Z",
   "published": "2026-04-08T19:17:11Z",
   "aliases": [
     "CVE-2026-39890"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-32vr-5gcf-3pw2"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39890"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -59,6 +63,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T19:17:11Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T21:17:01Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-3j3q-wp9x-585p/GHSA-3j3q-wp9x-585p.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3j3q-wp9x-585p",
-  "modified": "2026-04-08T15:04:23Z",
+  "modified": "2026-04-09T14:28:52Z",
   "published": "2026-04-08T15:04:22Z",
   "aliases": [
     "CVE-2026-39429"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/kcp-dev/kcp/security/advisories/GHSA-3j3q-wp9x-585p"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39429"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/kcp-dev/kcp"
@@ -74,12 +78,13 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-302",
       "CWE-306",
       "CWE-862"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T15:04:22Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T21:16:59Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-56p5-8mhr-2fph/GHSA-56p5-8mhr-2fph.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-56p5-8mhr-2fph",
-  "modified": "2026-04-08T15:03:47Z",
+  "modified": "2026-04-09T14:28:22Z",
   "published": "2026-04-08T15:03:47Z",
   "aliases": [
     "CVE-2026-35525"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-56p5-8mhr-2fph"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35525"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/harttle/liquidjs/pull/867"
@@ -63,6 +67,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T15:03:47Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T20:16:24Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-5mwj-v5jw-5c97/GHSA-5mwj-v5jw-5c97.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5mwj-v5jw-5c97",
-  "modified": "2026-04-08T15:04:30Z",
+  "modified": "2026-04-09T14:28:56Z",
   "published": "2026-04-08T15:04:30Z",
   "aliases": [
     "CVE-2026-39411"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39411"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/lobehub/lobehub/pull/13535"
@@ -69,6 +73,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T15:04:30Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T20:16:25Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-f292-66h9-fpmf/GHSA-f292-66h9-fpmf.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f292-66h9-fpmf",
-  "modified": "2026-04-08T19:21:14Z",
+  "modified": "2026-04-09T14:29:15Z",
   "published": "2026-04-08T19:21:14Z",
   "aliases": [
     "CVE-2026-39889"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-f292-66h9-fpmf"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39889"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -59,6 +63,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T19:21:14Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T21:17:01Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-gjw9-34gf-rp6m/GHSA-gjw9-34gf-rp6m.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gjw9-34gf-rp6m",
-  "modified": "2026-04-03T21:53:32Z",
+  "modified": "2026-04-09T14:28:10Z",
   "published": "2026-04-03T21:53:32Z",
   "aliases": [
     "CVE-2026-25044"
   ],
   "summary": "Budibase: Command Injection in Bash Automation Step",
   "details": "**Location**: `packages/server/src/automations/steps/bash.ts`  \n\n#### Description\nThe bash automation step executes user-provided commands using `execSync` without proper sanitization or validation. User input is processed through `processStringSync` which allows template interpolation, potentially allowing arbitrary command execution.\n\n#### Code Reference\n```21:28:packages/server/src/automations/steps/bash.ts\n    const command = processStringSync(inputs.code, context)\n\n    let stdout,\n      success = true\n    try {\n      stdout = execSync(command, {\n        timeout: environment.QUERY_THREAD_TIMEOUT,\n      }).toString()\n```\n\n#### Attack Vector\nAn attacker with access to create or modify automations can inject malicious shell commands by including template syntax that evaluates to command injection payloads (e.g., `$(rm -rf /)`, `; malicious-command`, `| malicious-command`).\n\n#### Impact\n- Remote code execution (RCE)\n- Complete system compromise\n- Data exfiltration\n- Lateral movement within the infrastructure\n\n#### Recommendation\n1. **Immediate**: Disable bash automation step in production until fixed\n2. Implement a whitelist of allowed commands\n3. Use parameterized command execution with proper escaping\n4. Implement command argument validation\n5. Consider using a restricted shell or command sandboxing\n6. Add rate limiting and monitoring for command execution\n\n#### Example Fix\n```typescript\nimport { spawn } from \"child_process\"\n\n// Validate against whitelist\nconst ALLOWED_COMMANDS = [\"echo\", \"date\", \"pwd\"] // Extend as needed\n\nfunction sanitizeCommand(input: string): string {\n  // Remove dangerous characters and command chaining\n  return input.replace(/[;&|`$(){}[\\]]/g, \"\").trim()\n}\n\nfunction validateCommand(cmd: string): boolean {\n  const parts = cmd.split(/\\s+/)\n  return ALLOWED_COMMANDS.includes(parts[0])\n}\n\nexport async function run({ inputs, context }) {\n  if (!inputs.code) {\n    return { stdout: \"Budibase bash automation failed: Invalid inputs\" }\n  }\n\n  const processedCommand = processStringSync(inputs.code, context)\n  const sanitized = sanitizeCommand(processedCommand)\n  \n  if (!validateCommand(sanitized)) {\n    return {\n      success: false,\n      stdout: \"Command not allowed\"\n    }\n  }\n\n  // Use spawn instead of execSync with proper argument handling\n  return new Promise((resolve) => {\n    const [command, ...args] = sanitized.split(/\\s+/)\n    const proc = spawn(command, args, {\n      timeout: environment.QUERY_THREAD_TIMEOUT,\n    })\n    \n    let stdout = \"\"\n    proc.stdout.on(\"data\", (data) => { stdout += data })\n    proc.on(\"close\", (code) => {\n      resolve({ stdout, success: code === 0 })\n    })\n  })\n}\n```",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"

advisories/github-reviewed/2026/04/GHSA-hfvc-g4fc-pqhx/GHSA-hfvc-g4fc-pqhx.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hfvc-g4fc-pqhx",
-  "modified": "2026-04-08T19:22:12Z",
+  "modified": "2026-04-09T14:29:41Z",
   "published": "2026-04-08T19:22:12Z",
   "aliases": [
     "CVE-2026-39883"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-hfvc-g4fc-pqhx"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39883"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/open-telemetry/opentelemetry-go"
@@ -59,6 +63,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T19:22:12Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T21:17:00Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-hwg5-x759-7wjg/GHSA-hwg5-x759-7wjg.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hwg5-x759-7wjg",
-  "modified": "2026-04-08T19:21:22Z",
+  "modified": "2026-04-09T14:29:49Z",
   "published": "2026-04-08T19:21:22Z",
   "aliases": [
     "CVE-2026-39891"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-hwg5-x759-7wjg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39891"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -59,6 +63,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T19:21:22Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T21:17:01Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-mmg9-6m6j-jqqx/GHSA-mmg9-6m6j-jqqx.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mmg9-6m6j-jqqx",
-  "modified": "2026-04-08T15:00:29Z",
+  "modified": "2026-04-09T14:28:18Z",
   "published": "2026-04-08T15:00:29Z",
   "aliases": [
     "CVE-2026-34166"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/harttle/liquidjs/security/advisories/GHSA-mmg9-6m6j-jqqx"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34166"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/harttle/liquidjs/commit/abc058be0f33d6372cd2216f4945183167abeb25"
@@ -63,6 +67,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T15:00:29Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T19:25:21Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-p423-j2cm-9vmq/GHSA-p423-j2cm-9vmq.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p423-j2cm-9vmq",
-  "modified": "2026-04-08T19:23:08Z",
+  "modified": "2026-04-09T14:29:58Z",
   "published": "2026-04-08T19:23:08Z",
   "aliases": [
     "CVE-2026-39892"
@@ -40,9 +40,17 @@
       "type": "WEB",
       "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-p423-j2cm-9vmq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39892"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/pyca/cryptography"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/08/12"
     }
   ],
   "database_specific": {
@@ -52,6 +60,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-08T19:23:08Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-08T21:17:01Z"
   }
 }