Publish Advisories

GHSA-595p-g7xc-c333
GHSA-7cw6-7h3h-v8pf
GHSA-g9mf-h72j-4rw9

Author: advisory-database[bot]

advisories/github-reviewed/2026/01/GHSA-595p-g7xc-c333/GHSA-595p-g7xc-c333.json

@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-595p-g7xc-c333",
+  "modified": "2026-01-14T21:46:11Z",
+  "published": "2026-01-14T21:46:11Z",
+  "aliases": [],
+  "summary": "Algolia Search & Discovery for Magento 2 Has Untrusted Data Handling",
+  "details": "### Impact\n\nVersions of the Algolia Search & Discovery extension for Magento 2 prior to **3.17.2** and **3.16.2** contain a vulnerability where data read from the database was treated as a trusted source during job execution.\n\nIf an attacker is able to modify records used by the extension’s indexing queue, this could result in **arbitrary PHP code execution** when the affected job is processed.\n\nExploitation requires the ability to write malicious data to the Magento database and for the indexing queue to be enabled.\n\n---\n\n### Patches\n\nThis vulnerability has been fixed in the following versions:\n\n- **3.17.2**\n- **3.16.2**\n\nMerchants should upgrade to a supported patched version immediately.\n\nVersions outside the supported maintenance window do **not** receive security updates and remain vulnerable.\n\n---\n\n### Workarounds\n\nUpgrading to a patched version is the only recommended remediation.\n\nIf an immediate upgrade is not possible, the following temporary risk mitigations may reduce exposure:\n\n- Disable the Algolia indexing queue to prevent queued jobs from being executed.\n- Restrict job execution logic to an explicit allowlist of permitted operations.\n- Review the contents of the `algoliasearch_queue` table for unexpected or unrecognized entries.\n- If queue archiving is enabled, review historical records in `algoliasearch_queue_archive`.\n\nThese mitigations are provided as guidance only and do not replace upgrading to a patched version.\n\n---\n\n### References\n\n- Algolia Search & Discovery for Magento 2 releases:\n  - [3.16.2](https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.16.2)\n  - [3.17.2](https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.17.2)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "algolia/algoliasearch-magento-2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.17.0-beta.1"
+            },
+            {
+              "fixed": "3.17.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.17.1"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "algolia/algoliasearch-magento-2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.16.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.16.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/algolia/algoliasearch-magento-2/security/advisories/GHSA-595p-g7xc-c333"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/algolia/algoliasearch-magento-2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.16.2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/algolia/algoliasearch-magento-2/releases/tag/3.17.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-14T21:46:11Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/01/GHSA-7cw6-7h3h-v8pf/GHSA-7cw6-7h3h-v8pf.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7cw6-7h3h-v8pf",
-  "modified": "2026-01-14T16:54:27Z",
+  "modified": "2026-01-14T21:46:46Z",
   "published": "2026-01-14T16:54:27Z",
   "aliases": [
     "CVE-2026-23498"
@@ -59,6 +59,14 @@
       "type": "WEB",
       "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7cw6-7h3h-v8pf"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23498"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shopware/shopware/commit/3966b05590e29432b8485ba47b4fcd14dd0b8475"
+    },
     {
       "type": "ADVISORY",
       "url": "https://github.com/advisories/GHSA-7v2v-9rm4-7m8f"
@@ -75,6 +83,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-14T16:54:27Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-14T19:16:48Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-g9mf-h72j-4rw9/GHSA-g9mf-h72j-4rw9.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g9mf-h72j-4rw9",
-  "modified": "2026-01-14T21:06:08Z",
+  "modified": "2026-01-14T21:46:26Z",
   "published": "2026-01-14T21:06:08Z",
   "aliases": [
     "CVE-2026-22036"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22036"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3"
@@ -75,6 +79,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-14T21:06:08Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-14T19:16:47Z"
   }
 }