Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 288a46ca97c6 · 2026-03-27T22:22:13.000Z
GHSA-cw7v-45wm-mcf2 GHSA-qp6f-w4r3-h8wg
diff --git a/advisories/github-reviewed/2026/03/GHSA-cw7v-45wm-mcf2/GHSA-cw7v-45wm-mcf2.json b/advisories/github-reviewed/2026/03/GHSA-cw7v-45wm-mcf2/GHSA-cw7v-45wm-mcf2.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cw7v-45wm-mcf2",
+  "modified": "2026-03-27T22:21:26Z",
+  "published": "2026-03-27T22:21:26Z",
+  "aliases": [
+    "CVE-2026-29905"
+  ],
+  "summary": "Kirby CMS has Persistent DoS via Malformed Image Upload",
+  "details": "## Summary\n\nKirby CMS through version 5.1.4 allows an authenticated user with Editor permissions to cause a persistent Denial of Service (DoS) via a malformed image upload.\n\n## Details\n\nThe vulnerability is caused by improper validation of the return value of PHP's `getimagesize()` function. When a malformed file is uploaded with a valid image extension (e.g., `.jpg`), the function returns `false` instead of an expected array.\n\nThe application fails to handle this condition properly and proceeds with image processing, resulting in a fatal `TypeError`. This leads to persistent application crashes when the affected file is accessed.\n\n## Impact\n\n- Persistent Denial of Service (DoS)\n- Affected pages return HTTP 500 errors\n- Requires manual removal of the malformed file to restore functionality\n- Exploitable by authenticated users with Editor permissions",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "getkirby/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.2.0-rc.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Stalin-143/CVE-2026-29905/security/advisories/GHSA-cw7v-45wm-mcf2"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29905"
+    },
+    {
+      "type": "WEB",
+      "url": "https://drive.google.com/file/d/1MwvvSYIwnC8kOIzjycGMQZw4d2K2ef8h/view?usp=sharing"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Stalin-143/CVE-2026-29905"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/getkirby/kirby/releases/tag/5.2.0-rc.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T22:21:26Z",
+    "nvd_published_at": "2026-03-26T17:16:34Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-qp6f-w4r3-h8wg/GHSA-qp6f-w4r3-h8wg.json b/advisories/github-reviewed/2026/03/GHSA-qp6f-w4r3-h8wg/GHSA-qp6f-w4r3-h8wg.json
@@ -0,0 +1,85 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qp6f-w4r3-h8wg",
+  "modified": "2026-03-27T22:19:24Z",
+  "published": "2026-03-27T22:19:24Z",
+  "aliases": [
+    "CVE-2026-34202"
+  ],
+  "summary": "Zebra node crash — V5 transaction hash panic (P2P reachable)",
+  "details": "---\n\n# Remote Denial of Service via Crafted V5 Transactions\n\n## Summary\nA vulnerability in Zebra's transaction processing logic allows a remote, unauthenticated attacker to cause a Zebra node to panic (crash). This is triggered by sending a specially crafted V5 transaction that passes initial deserialization but fails during transaction ID calculation.\n\n## Severity\n**Critical** - This is a Remote Denial of Service (DoS) that requires no authentication and can be triggered by a single network message.\n\n## Affected Versions\nAll Zebra versions supporting V5 transactions (Network Upgrade 5 and later) prior to **version 4.3.0**.\n\n## Description\nThe vulnerability stems from Zebra lazily validating transaction fields that are eagerly validated in the librustzcash parsing logic used when Zebra computes transaction ids and auth digests for V5 transactions where Zebra panics if those computations fail.\n\n`PushTransaction` messages with malformed V5 transactions are successfully deserialized as the zebra-chain `Transaction` type by the network codec, but when Zebra converts those transactions into internal types to compute the TxID expecting it to succeed, it triggers a panic/crash.\n\nAn attacker can trigger this crash by sending a single crafted `tx` message to a Zebra node's public P2P port. The same issue can be triggered via the `sendrawtransaction` RPC method.\n\n## Impact\n**Remote Denial of Service**\n* **Attack Vector:** Remote, unauthenticated.\n* **Effect:** Immediate crash of the Zebra node.\n* **Scope:** Any node with an open P2P port (default 8233) or exposed RPC interface is vulnerable.\n\n## Fixed Versions\nThis issue is fixed in **Zebra 4.3.0**. \n\nThe fix ensures that any transaction that would fail TxID calculation is rejected during the initial deserialization phase, and replaces internal panics with graceful error handling.\n\n## Mitigation\nUsers should upgrade to **Zebra 4.3.0** or later immediately. \n\nIf an immediate upgrade is not possible, users should ensure their RPC port is not exposed to the Internet. However, the P2P port must remain closed or restricted to trusted peers to fully mitigate the risk, which may impact the node's ability to sync with the network.\n\n## Credits\nZebra thanks [robustfengbin](https://github.com/robustfengbin), who discovered this issue and reported it via coordinated disclosure process.\n\n---",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "zebrad"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "4.3.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "zebra-chain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ZcashFoundation/zebra/security/advisories/GHSA-qp6f-w4r3-h8wg"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ZcashFoundation/zebra"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ZcashFoundation/zebra/releases/tag/v4.3.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://zfnd.org/zebra-4-3-0-critical-security-fixes-zip-235-support-and-performance-improvements"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1336",
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-27T22:19:24Z",
+    "nvd_published_at": null
+  }
+}
