Publish Advisories

GHSA-37mj-c2wf-cx96
GHSA-5cx5-wh4m-82fh
GHSA-cgcg-q9jh-5pr2
GHSA-q485-cg9q-xq2r
GHSA-w5g8-5849-vj76
GHSA-x4ff-q6h8-v7gw

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-37mj-c2wf-cx96/GHSA-37mj-c2wf-cx96.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-37mj-c2wf-cx96",
-  "modified": "2026-03-24T20:17:02Z",
+  "modified": "2026-03-27T21:55:02Z",
   "published": "2026-03-24T20:17:02Z",
   "aliases": [
     "CVE-2026-33627"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-37mj-c2wf-cx96"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33627"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10278"
@@ -67,6 +71,14 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/pull/10279"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/5b8998e6866bcf75be7b5bb625e27d23bfaf912c"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parse-community/parse-server/commit/875cf10ac979bd60f70e7a0c534e2bc194d6982f"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/parse-community/parse-server"
@@ -79,6 +91,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-24T20:17:02Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T19:16:55Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-5cx5-wh4m-82fh/GHSA-5cx5-wh4m-82fh.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5cx5-wh4m-82fh",
-  "modified": "2026-03-20T19:48:53Z",
+  "modified": "2026-03-27T21:57:21Z",
   "published": "2026-03-19T17:56:37Z",
   "aliases": [
     "CVE-2026-33322"
@@ -40,18 +40,23 @@
       "type": "WEB",
       "url": "https://github.com/minio/minio/security/advisories/GHSA-5cx5-wh4m-82fh"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33322"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/minio/minio"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-287",
       "CWE-327"
     ],
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T17:56:37Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:27Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-cgcg-q9jh-5pr2/GHSA-cgcg-q9jh-5pr2.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cgcg-q9jh-5pr2",
-  "modified": "2026-03-19T18:37:42Z",
+  "modified": "2026-03-27T21:57:29Z",
   "published": "2026-03-19T18:37:42Z",
   "aliases": [
     "CVE-2026-33326"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33326"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/keystonejs/keystone"
@@ -55,6 +59,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T18:37:42Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:28Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-q485-cg9q-xq2r/GHSA-q485-cg9q-xq2r.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q485-cg9q-xq2r",
-  "modified": "2026-03-19T17:55:53Z",
+  "modified": "2026-03-27T21:57:12Z",
   "published": "2026-03-19T17:55:53Z",
   "aliases": [
     "CVE-2026-33314"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/pyload/pyload/security/advisories/GHSA-q485-cg9q-xq2r"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33314"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/pyload/pyload"
@@ -56,6 +60,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T17:55:53Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:27Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-w5g8-5849-vj76/GHSA-w5g8-5849-vj76.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w5g8-5849-vj76",
-  "modified": "2026-03-19T18:48:27Z",
+  "modified": "2026-03-27T21:57:40Z",
   "published": "2026-03-19T18:48:27Z",
   "aliases": [
     "CVE-2026-33332"
@@ -47,18 +47,31 @@
       "type": "WEB",
       "url": "https://github.com/zauberzeug/nicegui/security/advisories/GHSA-w5g8-5849-vj76"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33332"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/commit/9026962b8c4f3f225c98b2fbc35aa6b60cb3495b"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/zauberzeug/nicegui"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/zauberzeug/nicegui/releases/tag/v3.9.0"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-20",
       "CWE-770"
     ],
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T18:48:27Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:28Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-x4ff-q6h8-v7gw/GHSA-x4ff-q6h8-v7gw.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x4ff-q6h8-v7gw",
-  "modified": "2026-03-24T16:04:12Z",
+  "modified": "2026-03-27T21:57:02Z",
   "published": "2026-03-24T16:04:12Z",
   "aliases": [
     "CVE-2026-32948"
   ],
   "summary": "sbt: Source dependency feature (via crafted VCS URL) leads to arbitrary code execution on Windows",
-  "details": "### Summary\nOn Windows, sbt uses `Process(\"cmd\", \"/c\", ...)` to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because `cmd /c` interprets `&`, `|`, and `;` as command separators, a malicious fragment can execute arbitrary commands.\n\n### Details\n- [Resolvers.scala L84–95](https://github.com/sbt/sbt/blob/dc90f160dfb563f46fd1a7b97945c381d15e2a6c/main/src/main/scala/sbt/Resolvers.scala#L84-L95) — git resolver passes `uri.getFragment()` to `run()` without sanitization\n- [Resolvers.scala L137–145](https://github.com/sbt/sbt/blob/dc90f160dfb563f46fd1a7b97945c381d15e2a6c/main/src/main/scala/sbt/Resolvers.scala#L137-L145) — `run()` uses `Process(\"cmd\", \"/c\", ...)` on Windows, so `cmd` interprets `&&` as command separator\n\n### PoC\n```sh\n# build.properties\n# sbt.version=1.12.5  # Tested on those two versions of sbt\nsbt.version=2.0.0-RC9\n```\n\n```scala\n// build.sbt\n\nThisBuild / scalaVersion := \"2.12.19\"\n\nlazy val root = project\n  .in(file(\".\"))\n  .dependsOn(vulnerable)\n\nlazy val vulnerable = RootProject(\n  uri(\"https://github.com/sbt/io.git#develop%26%26calc.exe\")\n)\n```\n\n### Impact\n\nWindows users are impacted. An attacker can execute arbitrary Windows commands if they control the dependency URI.",
+  "details": "### Summary\nOn Windows, sbt uses `Process(\"cmd\", \"/c\", ...)` to run VCS commands (git, hg, svn). The URI fragment (branch, tag, revision) is user-controlled via the build definition and passed to these commands without validation. Because `cmd /c` interprets `&`, `|`, and `;` as command separators, a malicious fragment can execute arbitrary commands.\n\n### Patched version\n\nTechnically, sbt 1.12.7 is patched, but it has a bug that makes source dependency non-functional, so update to **sbt 1.12.8** or later instead.\n\n### Details\n- [Resolvers.scala L84–95](https://github.com/sbt/sbt/blob/dc90f160dfb563f46fd1a7b97945c381d15e2a6c/main/src/main/scala/sbt/Resolvers.scala#L84-L95) — git resolver passes `uri.getFragment()` to `run()` without sanitization\n- [Resolvers.scala L137–145](https://github.com/sbt/sbt/blob/dc90f160dfb563f46fd1a7b97945c381d15e2a6c/main/src/main/scala/sbt/Resolvers.scala#L137-L145) — `run()` uses `Process(\"cmd\", \"/c\", ...)` on Windows, so `cmd` interprets `&&` as command separator\n\n### PoC\n```sh\n# build.properties\n# sbt.version=1.12.5  # Tested on those two versions of sbt\nsbt.version=2.0.0-RC9\n```\n\n```scala\n// build.sbt\n\nThisBuild / scalaVersion := \"2.12.19\"\n\nlazy val root = project\n  .in(file(\".\"))\n  .dependsOn(vulnerable)\n\nlazy val vulnerable = RootProject(\n  uri(\"https://github.com/sbt/io.git#develop%26%26calc.exe\")\n)\n```\n\n### Impact\n\nWindows users are impacted. An attacker can execute arbitrary Windows commands if they control the dependency URI.",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -28,18 +28,25 @@
               "introduced": "0.9.5"
             },
             {
-              "fixed": "1.12.7"
+              "fixed": "1.12.8"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 1.12.7"
+      }
     }
   ],
   "references": [
     {
       "type": "WEB",
       "url": "https://github.com/sbt/sbt/security/advisories/GHSA-x4ff-q6h8-v7gw"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32948"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/sbt/sbt/commit/1ce945b6b79cbe3cef6c0fe9efbbd2904e0f479e"
@@ -64,6 +71,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-24T16:04:12Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:27Z"
   }
 }