Publish Advisories

GHSA-247x-7qw8-fp98
GHSA-6gm8-3g4h-w82m
GHSA-85v3-4m8g-hrh6
GHSA-hgjq-p8cr-gg4h
GHSA-jgfx-74g2-9r6g
GHSA-vx58-fwwq-5g8j
GHSA-xph3-r2jf-4vp3
GHSA-xw45-cc32-442f
GHSA-xw59-hvm2-8pj6

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-247x-7qw8-fp98/GHSA-247x-7qw8-fp98.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-247x-7qw8-fp98",
-  "modified": "2026-03-31T05:17:35Z",
+  "modified": "2026-04-06T17:31:46Z",
   "published": "2026-03-25T18:31:52Z",
   "aliases": [
     "CVE-2026-26233"
@@ -89,28 +89,6 @@
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "< 10.11.2"
-      }
-    },
-    {
-      "package": {
-        "ecosystem": "Go",
-        "name": "github.com/mattermost/mattermost-server"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "8.0.0-20260105080200-d27a2195068d"
-            },
-            {
-              "fixed": "8.0.0-20260217110922-b7d4a1f1f59b"
-            }
-          ]
-        }
       ]
     }
   ],

advisories/github-reviewed/2026/04/GHSA-6gm8-3g4h-w82m/GHSA-6gm8-3g4h-w82m.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6gm8-3g4h-w82m",
-  "modified": "2026-04-01T22:59:13Z",
+  "modified": "2026-04-06T17:32:47Z",
   "published": "2026-04-01T22:59:12Z",
   "aliases": [
     "CVE-2026-34761"
@@ -43,9 +43,17 @@
       "type": "WEB",
       "url": "https://github.com/ellanetworks/core/security/advisories/GHSA-6gm8-3g4h-w82m"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34761"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/ellanetworks/core"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ellanetworks/core/releases/tag/v1.8.0"
     }
   ],
   "database_specific": {
@@ -55,6 +63,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T22:59:12Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T20:16:25Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-85v3-4m8g-hrh6/GHSA-85v3-4m8g-hrh6.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-85v3-4m8g-hrh6",
-  "modified": "2026-04-01T22:28:49Z",
+  "modified": "2026-04-06T17:32:29Z",
   "published": "2026-04-01T22:28:49Z",
   "aliases": [
     "CVE-2026-34726"
@@ -40,9 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/copier-org/copier/security/advisories/GHSA-85v3-4m8g-hrh6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34726"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/copier-org/copier/commit/cb80a3ffc9c3787de3ed837e04ca29a0ff8ca3df"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/copier-org/copier"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"
     }
   ],
   "database_specific": {
@@ -52,6 +64,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T22:28:49Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T19:21:32Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-hgjq-p8cr-gg4h/GHSA-hgjq-p8cr-gg4h.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hgjq-p8cr-gg4h",
-  "modified": "2026-04-01T22:38:39Z",
+  "modified": "2026-04-06T17:32:36Z",
   "published": "2026-04-01T22:38:39Z",
   "aliases": [
     "CVE-2026-34730"
@@ -43,9 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/copier-org/copier/security/advisories/GHSA-hgjq-p8cr-gg4h"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34730"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/copier-org/copier/commit/5413062eb17b73dc885f5e645cdc161e69ef641b"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/copier-org/copier"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/copier-org/copier/releases/tag/v9.14.1"
     }
   ],
   "database_specific": {
@@ -55,6 +67,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T22:38:39Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T19:21:32Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-jgfx-74g2-9r6g/GHSA-jgfx-74g2-9r6g.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jgfx-74g2-9r6g",
-  "modified": "2026-04-01T20:58:48Z",
+  "modified": "2026-04-06T17:32:15Z",
   "published": "2026-04-01T20:58:48Z",
   "aliases": [
     "CVE-2026-34581"
@@ -37,9 +37,21 @@
       "type": "WEB",
       "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jgfx-74g2-9r6g"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34581"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/patrickhener/goshs/commit/6fb224ed15c2ccc0c61a5ebe22f2401eb06e9216"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/patrickhener/goshs"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/patrickhener/goshs/releases/tag/v2.0.0-beta.2"
     }
   ],
   "database_specific": {
@@ -49,6 +61,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T20:58:48Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T19:21:32Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-vx58-fwwq-5g8j/GHSA-vx58-fwwq-5g8j.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vx58-fwwq-5g8j",
-  "modified": "2026-04-01T23:44:37Z",
+  "modified": "2026-04-06T17:32:57Z",
   "published": "2026-04-01T23:44:37Z",
   "aliases": [
     "CVE-2026-34825"
@@ -43,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-vx58-fwwq-5g8j"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34825"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/nocobase/nocobase/commit/75da3dddc4aba739c398f7072725dcf7f5487f5c"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/nocobase/nocobase"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nocobase/nocobase/releases/tag/v2.0.30"
     }
   ],
   "database_specific": {
@@ -59,6 +67,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T23:44:37Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T20:16:26Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-xph3-r2jf-4vp3/GHSA-xph3-r2jf-4vp3.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xph3-r2jf-4vp3",
-  "modified": "2026-04-01T22:56:09Z",
+  "modified": "2026-04-06T17:32:41Z",
   "published": "2026-04-01T22:56:09Z",
   "aliases": [
     "CVE-2026-34752"
   ],
   "summary": "Haraka affected by DoS via `__proto__` email header",
   "details": "### Summary\n\nSending an email with `__proto__:` as a header name crashes the Haraka worker process. \n\n### Details\n\nThe header parser at `node_modules/haraka-email-message/lib/header.js:215-218` stores headers in a plain `{}` object:\n\n```javascript\n_add_header(key, value, method) {\n    this.headers[key] ??= []          // line 216\n    this.headers[key][method](value)  // line 217\n}\n```\n\nWhen `key` is `__proto__`:\n1. `this.headers['__proto__']` returns `Object.prototype` (the prototype getter)\n2. `Object.prototype` is not null/undefined, so `??=` is skipped\n3. `Object.prototype.push(value)` throws `TypeError: not a function`\n\nThe TypeError reaches the global `uncaughtException` handler at `haraka.js:26-33`, which calls `process.exit(1)`:\n\n```js\nprocess.on('uncaughtException', (err) => {\n    if (err.stack) {\n        err.stack.split('\\n').forEach((line) => logger.crit(line))\n    } else {\n        logger.crit(`Caught exception: ${JSON.stringify(err)}`)\n    }\n    logger.dump_and_exit(1)\n})\n```\n\n### PoC\n\n```python\nimport socket, time\n\nsock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\nsock.settimeout(5)\nsock.connect((\"127.0.0.1\", 2525))\nsock.recv(4096)\nsock.sendall(b\"EHLO evil\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"MAIL FROM:<x@x.com>\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"RCPT TO:<user@haraka.local>\\r\\n\"); sock.recv(4096)\nsock.sendall(b\"DATA\\r\\n\"); sock.recv(4096)\n# Crash payload\nsock.sendall(b\"From: x@x.com\\r\\n__proto__: crash\\r\\n\\r\\nbody\\r\\n.\\r\\n\")\n```\n\n### Impact\n\nIn single-process mode (`nodes=0`), the entire server goes down. In cluster mode, the master restarts the worker, but all sessions are lost.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
@@ -43,9 +47,17 @@
       "type": "WEB",
       "url": "https://github.com/haraka/Haraka/security/advisories/GHSA-xph3-r2jf-4vp3"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34752"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/haraka/Haraka"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/haraka/Haraka/releases/tag/v3.1.4"
     }
   ],
   "database_specific": {
@@ -55,6 +67,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T22:56:09Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T19:21:33Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-xw45-cc32-442f/GHSA-xw45-cc32-442f.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xw45-cc32-442f",
-  "modified": "2026-04-01T22:59:50Z",
+  "modified": "2026-04-06T17:32:53Z",
   "published": "2026-04-01T22:59:50Z",
   "aliases": [
     "CVE-2026-34762"
@@ -43,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/ellanetworks/core/security/advisories/GHSA-xw45-cc32-442f"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34762"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ellanetworks/core/commit/7f64b7a7c7a22cb9c05ac2c1c3a0cf0eaefac3e5"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/ellanetworks/core"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ellanetworks/core/releases/tag/v1.8.0"
     }
   ],
   "database_specific": {
@@ -59,6 +67,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T22:59:50Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T20:16:25Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-xw59-hvm2-8pj6/GHSA-xw59-hvm2-8pj6.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xw59-hvm2-8pj6",
-  "modified": "2026-04-01T21:09:09Z",
+  "modified": "2026-04-06T17:32:23Z",
   "published": "2026-04-01T21:09:09Z",
   "aliases": [
     "CVE-2026-34742"
   ],
   "summary": "DNS Rebinding Protection Disabled by Default in Model Context Protocol Go SDK for Servers Running on Localhost",
   "details": "The Model Context Protocol (MCP) Go SDK does not enable DNS rebinding protection by default for HTTP-based servers. When an HTTP-based MCP server is run on localhost without authentication with `StreamableHTTPHandler` or `SSEHandler`, a malicious website could exploit DNS rebinding to bypass same-origin policy restrictions and send requests to the local MCP server. This could allow an attacker to invoke tools or access resources exposed by the MCP server on behalf of the user in those limited circumstances.\n\nNote that running HTTP-based MCP servers locally without authentication is not recommended per MCP security best practices. This issue does not affect servers using stdio transport.\n\nServers created via `StreamableHTTPHandler` or `SSEHandler` now have this protection enabled by default when binding to `localhost`. Users are advised to update to version `1.4.0` to receive this automatic protection.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
@@ -40,9 +44,25 @@
       "type": "WEB",
       "url": "https://github.com/modelcontextprotocol/go-sdk/security/advisories/GHSA-xw59-hvm2-8pj6"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34742"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/modelcontextprotocol/go-sdk/pull/760"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/modelcontextprotocol/go-sdk/commit/67bd3f2e2b53ce11a16db8d976cdb8ff1e986b6d"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/modelcontextprotocol/go-sdk"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/modelcontextprotocol/go-sdk/releases/tag/v1.4.0"
     }
   ],
   "database_specific": {
@@ -52,6 +72,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T21:09:09Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T19:21:33Z"
   }
 }