
Commit 5a5d6fe

1 parent 2ae9425 commit 5a5d6fe

5 files changed

Lines changed: 268 additions & 82 deletions


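--- a/advisories/github-reviewed/2019/06/GHSA-3fc5-9x9m-vqc4/GHSA-3fc5-9x9m-vqc4.json
+++ b/advisories/github-reviewed/2019/06/GHSA-3fc5-9x9m-vqc4/GHSA-3fc5-9x9m-vqc4.json
@@ -1,11 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3fc5-9x9m-vqc4",
-"modified": "2021-08-04T21:25:59Z",
+"modified": "2026-02-03T19:36:21Z",
 "published": "2019-06-03T17:31:32Z",
+"withdrawn": "2026-02-03T19:36:21Z",
 "aliases": [],
-"summary": "Privilege Escalation in express-cart",
-"details": "Versions of `express-cart` before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users.\n\n\n## Recommendation\n\nUpdate to version 1.1.6 or later.",
+"summary": "Duplicate Advisory: Privilege Escalation in express-cart",
+"details": "## Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-hr89-w7p6-pjmq. This link is maintained to preserve external references.\n\n## Original Description\nVersions of `express-cart` before 1.1.6 are vulnerable to privilege escalation. This vulnerability can be exploited so that normal users can escalate their privilege and add new administrator users.\n\n\n## Recommendation\n\nUpdate to version 1.1.6 or later.",
 "severity": [
 {
 "type": "CVSS_V3",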
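Review bot: The link to the canonical advisory exists only as prose inside `details`; `aliases` stays `[]` and no structured field names GHSA-hr89-w7p6-pjmq, so consumers that deduplicate on `aliases`/`related` still see two independent records, with `withdrawn` as the only machine-readable signal and the `severity` block still present. If the export pipeline supports the OSV `related` array, adding `"related": ["GHSA-hr89-w7p6-pjmq"]` next to `aliases` would make the relationship resolvable without parsing Markdown. The JSON object continues past the hunk (`severity` and the rest of the record are outside it).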
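--- /dev/null
+++ b/[path not shown on page]/GHSA-6426-9fv3-65x8.json
@@ -0,0 +1,115 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-6426-9fv3-65x8",
+"modified": "2026-02-03T19:35:57Z",
+"published": "2026-02-03T15:30:24Z",
+"aliases": [
+"CVE-2026-1312"
+],
+"summary": "Django has an SQL Injection issue",
+"details": "An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28.\n\n`.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected.\n\nDjango would like to thank Solomon Kebede for reporting this issue.",
+"severity": [
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "6.0a1"
+},
+{
+"fixed": "6.0.2"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.2a1"
+},
+{
+"fixed": "5.2.11"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "PyPI",
+"name": "Django"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.2a1"
+},
+{
+"fixed": "4.2.28"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1312"
+},
+{
+"type": "WEB",
+"url": "https://github.com/django/django/commit/005d60d97c4dfb117503bdb6f2facfcaf9315d84"
+},
+{
+"type": "WEB",
+"url": "https://github.com/django/django/commit/69065ca869b0970dff8fdd8fafb390bf8b3bf222"
+},
+{
+"type": "WEB",
+"url": "https://docs.djangoproject.com/en/dev/releases/security"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/django/django"
+},
+{
+"type": "WEB",
+"url": "https://groups.google.com/g/django-announce"
+},
+{
+"type": "WEB",
+"url": "https://www.djangoproject.com/weblog/2026/feb/03/security-releases"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-89"
+],
+"severity": "HIGH",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-03T19:35:56Z",
+"nvd_published_at": "2026-02-03T15:16:13Z"
+}
+}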
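Review bot: The `affected` ranges cover only 4.2a1–4.2.28, 5.2a1–5.2.11 and 6.0a1–6.0.2, yet `details` says unsupported series such as 5.0.x, 4.1.x and 3.2.x "may also be affected"; under OSV range semantics a 5.0.x, 5.1.x or pre-4.2 install falls in no range and is reported clean, so scanners stay silent on exactly the installs least likely to receive a patch. If the intent is to flag them, the 4.2 range would need `"introduced": "0"` and the 4.2.28–5.2a1 gap its own range; if the intent is to list only evaluated versions, that choice is better recorded in `database_specific` than in prose alone. The Moodle record added in this commit has the same shape of gap, since its ranges skip the 4.2.x and 4.3.x series between 4.1.22 and 4.4.0-beta. Separately, `.QuerySet.order_by()` in `details` carries a leading period that looks like a stray Sphinx cross-reference marker from the upstream release note; `QuerySet.order_by()` reads cleaner.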
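--- /dev/null
+++ b/[path not shown on page]/GHSA-vwhw-vp9v-q9c9.json
@@ -0,0 +1,149 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-vwhw-vp9v-q9c9",
+"modified": "2026-02-03T19:36:41Z",
+"published": "2026-02-03T12:30:29Z",
+"aliases": [
+"CVE-2025-67855"
+],
+"summary": "Moodle vulnerable to Cross-site Scripting",
+"details": "A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user's browser.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+}
+],
+"affected": [
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "moodle/moodle"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "0"
+},
+{
+"fixed": "4.1.22"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "moodle/moodle"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.4.0-beta"
+},
+{
+"fixed": "4.4.12"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "moodle/moodle"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "4.5.0-beta"
+},
+{
+"fixed": "4.5.8"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "moodle/moodle"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.0.0-beta"
+},
+{
+"fixed": "5.0.4"
+}
+]
+}
+]
+},
+{
+"package": {
+"ecosystem": "Packagist",
+"name": "moodle/moodle"
+},
+"ranges": [
+{
+"type": "ECOSYSTEM",
+"events": [
+{
+"introduced": "5.1.0-beta"
+},
+{
+"fixed": "5.1.1"
+}
+]
+}
+]
+}
+],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67855"
+},
+{
+"type": "WEB",
+"url": "https://github.com/moodle/moodle/commit/0c146aa2612fb6d0544f200a018cb42da75db713"
+},
+{
+"type": "WEB",
+"url": "https://access.redhat.com/security/cve/CVE-2025-67855"
+},
+{
+"type": "WEB",
+"url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423861"
+},
+{
+"type": "PACKAGE",
+"url": "https://github.com/moodle/moodle"
+},
+{
+"type": "WEB",
+"url": "https://moodle.org/mod/forum/discuss.php?d=471305"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-79"
+],
+"severity": "MODERATE",
+"github_reviewed": true,
+"github_reviewed_at": "2026-02-03T19:36:41Z",
+"nvd_published_at": "2026-02-03T11:15:55Z"
+}
+}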

advisories/unreviewed/2026/02/GHSA-6426-9fv3-65x8/GHSA-6426-9fv3-65x8.json

Lines changed: 0 additions & 39 deletions
This file was deleted.

advisories/unreviewed/2026/02/GHSA-vwhw-vp9v-q9c9/GHSA-vwhw-vp9v-q9c9.json

Lines changed: 0 additions & 40 deletions
This file was deleted.
