Publish Advisories

GHSA-8fgx-wgvr-pcx8
GHSA-wp29-qmvj-frvp

Author: advisory-database[bot]

…-8fgx-wgvr-pcx8/GHSA-8fgx-wgvr-pcx8.json …-8fgx-wgvr-pcx8/GHSA-8fgx-wgvr-pcx8.jsonadvisories/unreviewed/2026/04/GHSA-8fgx-wgvr-pcx8/GHSA-8fgx-wgvr-pcx8.json renamed to advisories/github-reviewed/2026/04/GHSA-8fgx-wgvr-pcx8/GHSA-8fgx-wgvr-pcx8.json advisories/unreviewed/2026/04/GHSA-8fgx-wgvr-pcx8/GHSA-8fgx-wgvr-pcx8.json renamed to advisories/github-reviewed/2026/04/GHSA-8fgx-wgvr-pcx8/GHSA-8fgx-wgvr-pcx8.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8fgx-wgvr-pcx8",
-  "modified": "2026-04-10T00:30:31Z",
+  "modified": "2026-04-10T20:34:42Z",
   "published": "2026-04-10T00:30:31Z",
   "aliases": [
     "CVE-2026-5986"
   ],
+  "summary": "Zod jsVideoUrlParser vulnerable to ReDoS in util.js",
   "details": "A weakness has been identified in Zod jsVideoUrlParser up to 0.5.1. The impacted element is the function getTime in the library lib/util.js. This manipulation of the argument timestamp causes inefficient regular expression complexity. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "js-video-url-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.5.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -31,6 +52,10 @@
       "type": "WEB",
       "url": "https://github.com/Zod-/jsVideoUrlParser/issues/121#issue-4159661957"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Zod-/jsVideoUrlParser"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/submit/791911"
@@ -49,8 +74,8 @@
       "CWE-400"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-10T20:34:42Z",
     "nvd_published_at": "2026-04-09T23:17:01Z"
   }
 }

…-wp29-qmvj-frvp/GHSA-wp29-qmvj-frvp.json …-wp29-qmvj-frvp/GHSA-wp29-qmvj-frvp.jsonadvisories/unreviewed/2026/04/GHSA-wp29-qmvj-frvp/GHSA-wp29-qmvj-frvp.json renamed to advisories/github-reviewed/2026/04/GHSA-wp29-qmvj-frvp/GHSA-wp29-qmvj-frvp.json advisories/unreviewed/2026/04/GHSA-wp29-qmvj-frvp/GHSA-wp29-qmvj-frvp.json renamed to advisories/github-reviewed/2026/04/GHSA-wp29-qmvj-frvp/GHSA-wp29-qmvj-frvp.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wp29-qmvj-frvp",
-  "modified": "2026-04-09T21:31:30Z",
+  "modified": "2026-04-10T20:34:27Z",
   "published": "2026-04-09T21:31:30Z",
   "aliases": [
     "CVE-2026-5972"
   ],
+  "summary": "FoundationAgents MetaGPT vulnerable to os command injection via the Terminal.run_command",
   "details": "A vulnerability has been found in FoundationAgents MetaGPT up to 0.8.1. This issue affects the function Terminal.run_command in the library metagpt/tools/libs/terminal.py. The manipulation leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is d04ffc8dc67903e8b327f78ec121df5e190ffc7b. Applying a patch is the recommended action to fix this issue.",
   "severity": [
     {
@@ -14,10 +15,33 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "metagpt"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.8.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.8.1"
+      }
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -32,7 +56,7 @@
       "url": "https://github.com/paipeline/MetaGPT/commit/d04ffc8dc67903e8b327f78ec121df5e190ffc7b"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/FoundationAgents/MetaGPT"
     },
     {
@@ -53,8 +77,8 @@
       "CWE-77"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-10T20:34:27Z",
     "nvd_published_at": "2026-04-09T20:16:28Z"
   }
 }