Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 3474c99c4671 · 2026-01-22T18:07:51.000Z
GHSA-3jqf-v4mv-747g GHSA-3v2x-9xcv-2v2v GHSA-7jxj-rpx7-ph2c GHSA-qqpg-mvqg-649v GHSA-qqpg-mvqg-649v
diff --git a/advisories/github-reviewed/2026/01/GHSA-3jqf-v4mv-747g/GHSA-3jqf-v4mv-747g.json b/advisories/github-reviewed/2026/01/GHSA-3jqf-v4mv-747g/GHSA-3jqf-v4mv-747g.json
@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3jqf-v4mv-747g",
+  "modified": "2026-01-22T18:06:55Z",
+  "published": "2026-01-22T18:06:54Z",
+  "aliases": [],
+  "summary": "Moonraker affected by LDAP search filter injection",
+  "details": "### Impact\n\nInstances of Moonraker configured with the `ldap` component enabled are vulnerable to LDAP search filter injection techniques via the login endpoint.   The 401 error response message can be used to determine whether or not a search was successful, allowing for brute force methods to discover LDAP entries on the server such as user IDs and user attributes.\n\n### Patches\n\nUsers should upgrade to Moonraker 0.10.0 which patches this vulnerability.\n\n### Workarounds\n\nAdmins can set the `max_login_attempts` option in the `[authorization]` section to a reasonable value.    Any IP attempting to exploit this vulnerability will be locked out after it has reached the specified number of consecutive failed login attempts.  This condition is cleared after a Moonraker restart.   Note that if an attacker knows a valid user password they can bypass this protection by successfully logging in.\n\nThe most secure workaround for users unable to upgrade is to remove the `ldap` section from `moonraker.conf` and rely on the built in user authentication.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "moonraker"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.10.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Arksine/moonraker/security/advisories/GHSA-3jqf-v4mv-747g"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Arksine/moonraker/commit/74c5d8e44c4a4abbfbb06fb991e7ebb9ac947f42"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Arksine/moonraker"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-90"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-22T18:06:54Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-3v2x-9xcv-2v2v/GHSA-3v2x-9xcv-2v2v.json b/advisories/github-reviewed/2026/01/GHSA-3v2x-9xcv-2v2v/GHSA-3v2x-9xcv-2v2v.json
@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3v2x-9xcv-2v2v",
+  "modified": "2026-01-22T18:06:15Z",
+  "published": "2026-01-22T18:06:15Z",
+  "aliases": [],
+  "summary": "SurrealDB Affected by Confused Deputy Privilege Escalation through Future Fields and Functions",
+  "details": "Unprivileged users (for example, those with the database editor role) can create or modify fields in records that contain functions or `futures`. `Futures` are values which are only computed when the value is queried. The query executes in the context of the querying user, rather than the user who originally defined the future. Likewise, fields containing functions or custom-defined logic (`closures`) are executed under the privileges of the invoking user, not the creator.\n\nThis results in a confused deputy vulnerability: an attacker with limited privileges can define a malicious function or future field that performs privileged actions. When a higher-privileged user (such as a root owner or namespace administrator) executes the function or queries or modifies that record, the function executes with their elevated permissions. \n\n### Impact\nAn attacker who can create or update function/future fields can plant logic that executes with a privileged user’s context. If a privileged user performs a write that touches the malicious field, the attacker can achieve full privilege escalation (e.g., create a root owner and take over the server). \n\nIf a privileged user performs a read action on the malicious field, this attack vector could still be potentially be used to perform limited denial of service or, in the specific case where the network capability was explicitly enabled and unrestricted, exfiltrate database information over the network.\n\n### Patches\n\nVersions prior to 2.5.0 and 3.0.0-beta.3 are vulnerable.\n\nFor SurrealDB 3.0, `futures` are no longer supported, replaced by `computed`  fields, only available within schemaful tables. \n\nFurther to this patches for 2.5.0 and 3.0.0-beta.3: \n- Implements an `auth_limit` on defined apis, functions, fields and events, that limits execution to the permissions of the creating user instead of the invoking user.\n- Prevents `closures` from being stored, that eliminates a potential attack surface. For 2.5.0 this can still be allowed by using the `insecure_storable_closures` capability\n- Ensures the proper auth level is used to compute expressions in signin & signup\n\n\n### Workarounds\nUsers unable to patch are advised to evaluate their use of the database to identify where low privileged users are able to define logic subsequently executed by privileged users, such as apis, functions, futures fields and events, and recommended to minimise these instances.\n\n### References\n[Futures](https://surrealdb.com/docs/surrealql/datamodel/futures)\n[Closures](https://surrealdb.com/docs/surrealql/datamodel/closures)\n[SurrealDB Environment Variables](https://surrealdb.com/docs/surrealdb/cli/env)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "surrealdb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.5.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "surrealdb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0-alpha.1"
+            },
+            {
+              "fixed": "3.0.0-beta.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/surrealdb/surrealdb/security/advisories/GHSA-3v2x-9xcv-2v2v"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/surrealdb/surrealdb/commit/f515c91363ee735aa1bc08580d9e7fa0de6e736f"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/surrealdb/surrealdb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/surrealdb/surrealdb/releases/tag/v2.5.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/surrealdb/surrealdb/releases/tag/v3.0.0-beta.2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-441"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-22T18:06:15Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-7jxj-rpx7-ph2c/GHSA-7jxj-rpx7-ph2c.json b/advisories/github-reviewed/2026/01/GHSA-7jxj-rpx7-ph2c/GHSA-7jxj-rpx7-ph2c.json
@@ -0,0 +1,93 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7jxj-rpx7-ph2c",
+  "modified": "2026-01-22T18:06:01Z",
+  "published": "2026-01-22T18:06:01Z",
+  "aliases": [],
+  "summary": "Umbraco.Forms CDN may cache sensitive form uploads when processed by ImageSharp",
+  "details": "### Impact\nProtected files uploaded through Umbraco Forms may be served to unauthenticated users when a CDN or caching layer is present and ImageSharp processes the request. ImageSharp sets aggressive cache headers by default, which can cause intermediary caches to store and serve files that should require authentication.\n\n### Patches\nThis issue affects all (supported) versions Umbraco Forms and is patched in 13.9.0, 16.4.0 and 17.1.0.\n\n### Workarounds\nAdd middleware to set cache headers for form uploads. Place the following code in your `Startup.cs` or `Program.cs` after `app.UseStaticFiles()` and any image processing middleware:\n\n```cs\napp.Use(async (context, next) =>\n{\n    var path = context.Request.Path.Value;\n\n    if (!string.IsNullOrEmpty(path) && path.StartsWith(\"/media/forms/upload/\", StringComparison.OrdinalIgnoreCase))\n    {\n        context.Response.OnStarting(() =>\n        {\n            context.Response.Headers[\"Cache-Control\"] = \"private, no-store, no-cache, must-revalidate\";\n            context.Response.Headers[\"Pragma\"] = \"no-cache\";\n            context.Response.Headers[\"Expires\"] = \"0\";\n            return Task.CompletedTask;\n        });\n    }\n\n    await next();\n});\n```\n\nAlternatively, configure your CDN to bypass caching for URLs matching `/media/forms/upload/*`.\n\n  Note: The vulnerability requires:\n  - A CDN in front of the website\n  - An authenticated user having previously requested the image\n  - Knowledge of the form GUID, entry GUID, and image filename\n\n  If no CDN is in use, this vulnerability does not apply.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "Umbraco.Forms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "13.9.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "Umbraco.Forms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "14.0.0-beta001"
+            },
+            {
+              "fixed": "16.4.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "Umbraco.Forms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "17.0.0-rc1"
+            },
+            {
+              "fixed": "17.1.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-7jxj-rpx7-ph2c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/umbraco/Umbraco.Forms.Issues"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-524"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-22T18:06:01Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-qqpg-mvqg-649v/GHSA-qqpg-mvqg-649v.json b/advisories/github-reviewed/2026/01/GHSA-qqpg-mvqg-649v/GHSA-qqpg-mvqg-649v.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qqpg-mvqg-649v",
+  "modified": "2026-01-22T18:06:44Z",
+  "published": "2026-01-22T12:31:22Z",
+  "aliases": [
+    "CVE-2026-1225"
+  ],
+  "summary": "Logback allows an attacker to instantiate classes already present on the class path",
+  "details": "ACE vulnerability in configuration file processing  by QOS.CH logback-core up to and including version 1.5.24 in Java applications, allows an attacker to instantiate classes already present on the class path by compromising an existing logback configuration file.\n\nThe instantiation of a potentially malicious Java class requires that said class is present on the user's class-path. In addition, the attacker must  have write access to a configuration file. However, after successful instantiation, the instance is very likely to be discarded with no further ado.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:H/AT:P/PR:H/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "ch.qos.logback:logback-core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.5.25"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1225"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/qos-ch/logback/issues/997"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/qos-ch/logback/commit/1f97ae1844b1be8486e4e9cade98d7123d3eded5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/qos-ch/logback"
+    },
+    {
+      "type": "WEB",
+      "url": "https://logback.qos.ch/news.html#1.5.25"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-22T18:06:44Z",
+    "nvd_published_at": "2026-01-22T10:16:07Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-qqpg-mvqg-649v/GHSA-qqpg-mvqg-649v.json b/advisories/unreviewed/2026/01/GHSA-qqpg-mvqg-649v/GHSA-qqpg-mvqg-649v.json
