Publish Advisories

GHSA-464q-cqxq-xhgr
GHSA-4f9r-x588-pp2h
GHSA-5jx8-q4cp-rhh6
GHSA-8qwj-4jxw-m8jw
GHSA-wvqx-v3f6-w8rh

Author: advisory-database[bot]

…-464q-cqxq-xhgr/GHSA-464q-cqxq-xhgr.json …-464q-cqxq-xhgr/GHSA-464q-cqxq-xhgr.jsonadvisories/unreviewed/2026/03/GHSA-464q-cqxq-xhgr/GHSA-464q-cqxq-xhgr.json renamed to advisories/github-reviewed/2026/03/GHSA-464q-cqxq-xhgr/GHSA-464q-cqxq-xhgr.json advisories/unreviewed/2026/03/GHSA-464q-cqxq-xhgr/GHSA-464q-cqxq-xhgr.json renamed to advisories/github-reviewed/2026/03/GHSA-464q-cqxq-xhgr/GHSA-464q-cqxq-xhgr.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-464q-cqxq-xhgr",
-  "modified": "2026-03-23T18:30:30Z",
+  "modified": "2026-03-30T19:30:16Z",
   "published": "2026-03-23T06:30:29Z",
   "aliases": [
     "CVE-2026-4603"
   ],
+  "summary": "jsrsasign: Division by Zero Allows Invalid JWK Modulus to Cause Deterministic Zero Output in RSA Operations",
   "details": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Division by zero due to the RSASetPublic/KEYUTIL parsing path in ext/rsa.js and the BigInteger.modPowInt reduction logic in ext/jsbn.js. An attacker can force RSA public-key operations (e.g., verify and encryption) to collapse to deterministic zero outputs and hide “invalid key” errors by supplying a JWK whose modulus decodes to zero.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "jsrsasign"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.1.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -35,6 +56,10 @@
       "type": "WEB",
       "url": "https://gist.github.com/Kr0emer/5366b7364c4fbf7e754bc377f321e9f3"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kjur/jsrsasign"
+    },
     {
       "type": "WEB",
       "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371176"
@@ -44,9 +69,9 @@
     "cwe_ids": [
       "CWE-369"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-30T19:30:16Z",
     "nvd_published_at": "2026-03-23T06:16:22Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-4f9r-x588-pp2h/GHSA-4f9r-x588-pp2h.json

@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4f9r-x588-pp2h",
+  "modified": "2026-03-30T19:29:13Z",
+  "published": "2026-03-30T19:29:13Z",
+  "aliases": [
+    "CVE-2026-34389"
+  ],
+  "summary": "Fleet's user account creation via invite does not enforce invited email address",
+  "details": "### Summary\n\nFleet contained an issue in the user invitation flow where the email address provided during invite acceptance was not validated against the email address associated with the invite. An attacker who obtained a valid invite token could create an account under an arbitrary email address while inheriting the role granted by the invite, including global admin.\n\n### Impact\n\nIf an attacker gains access to a valid invite token, they can create a Fleet user account with an email address of their choosing while inheriting the invite’s assigned role and team memberships.\n\nThis issue:\n\n- Requires possession of a valid invite token\n- Does not bypass authentication controls beyond invite-based account creation\n- Does not expose data without successful account creation\n\n### Workarounds\n\nIf upgrading immediately is not possible:\n\n- Treat invite links as sensitive credentials and avoid sharing them in public or semi-public channels (e.g., Slack, Teams).\n- Revoke and reissue invites if there is any concern that an invite link may have been exposed.\n- Prefer issuing invites with the minimum required privileges and elevating roles after account creation when appropriate.\n\n### For more information\n\nIf there are any questions or comments about this advisory:\n\nSend an email to [security@fleetdm.com](mailto:security@fleetdm.com)\n\n### Credits\n\nFleet thanks @fuzzztf for responsibly reporting this issue.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/fleetdm/fleet/v4"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.81.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/fleetdm/fleet/security/advisories/GHSA-4f9r-x588-pp2h"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34389"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/fleetdm/fleet"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-30T19:29:13Z",
+    "nvd_published_at": "2026-03-27T20:16:35Z"
+  }
+}

…-5jx8-q4cp-rhh6/GHSA-5jx8-q4cp-rhh6.json …-5jx8-q4cp-rhh6/GHSA-5jx8-q4cp-rhh6.jsonadvisories/unreviewed/2026/03/GHSA-5jx8-q4cp-rhh6/GHSA-5jx8-q4cp-rhh6.json renamed to advisories/github-reviewed/2026/03/GHSA-5jx8-q4cp-rhh6/GHSA-5jx8-q4cp-rhh6.json advisories/unreviewed/2026/03/GHSA-5jx8-q4cp-rhh6/GHSA-5jx8-q4cp-rhh6.json renamed to advisories/github-reviewed/2026/03/GHSA-5jx8-q4cp-rhh6/GHSA-5jx8-q4cp-rhh6.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5jx8-q4cp-rhh6",
-  "modified": "2026-03-23T06:30:29Z",
+  "modified": "2026-03-30T19:29:39Z",
   "published": "2026-03-23T06:30:29Z",
   "aliases": [
     "CVE-2026-4599"
   ],
+  "summary": "jsrsasign: Incomplete Comparison Allows DSA Private Key Recovery via Biased Nonce Generation",
   "details": "Versions of the package jsrsasign from 7.0.0 and before 11.1.1 are vulnerable to Incomplete Comparison with Missing Factors via the getRandomBigIntegerZeroToMax and getRandomBigIntegerMinToMax functions in src/crypto-1.1.js; an attacker can recover the private key by exploiting the incorrect compareTo checks that accept out-of-range candidates and thus bias DSA nonces during signature generation.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "jsrsasign"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "7.0.0"
+            },
+            {
+              "fixed": "11.1.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -35,6 +56,10 @@
       "type": "WEB",
       "url": "https://gist.github.com/Kr0emer/081681818b51605c91945126d74b4f20"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kjur/jsrsasign"
+    },
     {
       "type": "WEB",
       "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370939"
@@ -45,8 +70,8 @@
       "CWE-1023"
     ],
     "severity": "CRITICAL",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-30T19:29:39Z",
     "nvd_published_at": "2026-03-23T06:16:21Z"
   }
 }

…-8qwj-4jxw-m8jw/GHSA-8qwj-4jxw-m8jw.json …-8qwj-4jxw-m8jw/GHSA-8qwj-4jxw-m8jw.jsonadvisories/unreviewed/2026/03/GHSA-8qwj-4jxw-m8jw/GHSA-8qwj-4jxw-m8jw.json renamed to advisories/github-reviewed/2026/03/GHSA-8qwj-4jxw-m8jw/GHSA-8qwj-4jxw-m8jw.json advisories/unreviewed/2026/03/GHSA-8qwj-4jxw-m8jw/GHSA-8qwj-4jxw-m8jw.json renamed to advisories/github-reviewed/2026/03/GHSA-8qwj-4jxw-m8jw/GHSA-8qwj-4jxw-m8jw.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8qwj-4jxw-m8jw",
-  "modified": "2026-03-23T06:30:29Z",
+  "modified": "2026-03-30T19:30:01Z",
   "published": "2026-03-23T06:30:29Z",
   "aliases": [
     "CVE-2026-4602"
   ],
+  "summary": "jsrsasign: Negative Exponent Handling Leads to Signature Verification Bypass",
   "details": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Incorrect Conversion between Numeric Types due to handling negative exponents in ext/jsbn2.js. An attacker can force the computation of incorrect modular inverses and break signature verification by calling modPow with a negative exponent.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "jsrsasign"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.1.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -35,6 +56,10 @@
       "type": "WEB",
       "url": "https://gist.github.com/Kr0emer/7ecd2be7d17419e4677315ef3758faf5"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kjur/jsrsasign"
+    },
     {
       "type": "WEB",
       "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15371175"
@@ -45,8 +70,8 @@
       "CWE-681"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-30T19:30:01Z",
     "nvd_published_at": "2026-03-23T06:16:22Z"
   }
 }

…-wvqx-v3f6-w8rh/GHSA-wvqx-v3f6-w8rh.json …-wvqx-v3f6-w8rh/GHSA-wvqx-v3f6-w8rh.jsonadvisories/unreviewed/2026/03/GHSA-wvqx-v3f6-w8rh/GHSA-wvqx-v3f6-w8rh.json renamed to advisories/github-reviewed/2026/03/GHSA-wvqx-v3f6-w8rh/GHSA-wvqx-v3f6-w8rh.json advisories/unreviewed/2026/03/GHSA-wvqx-v3f6-w8rh/GHSA-wvqx-v3f6-w8rh.json renamed to advisories/github-reviewed/2026/03/GHSA-wvqx-v3f6-w8rh/GHSA-wvqx-v3f6-w8rh.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wvqx-v3f6-w8rh",
-  "modified": "2026-03-23T06:30:29Z",
+  "modified": "2026-03-30T19:29:53Z",
   "published": "2026-03-23T06:30:29Z",
   "aliases": [
     "CVE-2026-4600"
   ],
+  "summary": "jsrsasign: DSA signatures or X.509 certificates can be forged via DSA domain-parameter validation in KJUR.crypto.DSA.setPublic",
   "details": "Versions of the package jsrsasign before 11.1.1 are vulnerable to Improper Verification of Cryptographic Signature via the DSA domain-parameter validation in KJUR.crypto.DSA.setPublic (and the related DSA/X509 verification flow in src/dsa-2.0.js). An attacker can forge DSA signatures or X.509 certificates that X509.verifySignature() accepts by supplying malicious domain parameters such as g=1, y=1, and a fixed r=1, which make the verification equation true for any hash.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "jsrsasign"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "11.1.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -35,6 +56,10 @@
       "type": "WEB",
       "url": "https://gist.github.com/Kr0emer/bf15ddc097176e951659a24a8e9002a7"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/kjur/jsrsasign"
+    },
     {
       "type": "WEB",
       "url": "https://security.snyk.io/vuln/SNYK-JS-JSRSASIGN-15370940"
@@ -44,9 +69,9 @@
     "cwe_ids": [
       "CWE-347"
     ],
-    "severity": "CRITICAL",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-30T19:29:53Z",
     "nvd_published_at": "2026-03-23T06:16:21Z"
   }
 }