Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 67e762167d43 · 2026-01-29T02:37:02.000Z
GHSA-9fm9-hp7p-53mf GHSA-f9qj-4c5x-cpcw GHSA-c336-7962-wfj2
diff --git a/advisories/github-reviewed/2025/05/GHSA-9fm9-hp7p-53mf/GHSA-9fm9-hp7p-53mf.json b/advisories/github-reviewed/2025/05/GHSA-9fm9-hp7p-53mf/GHSA-9fm9-hp7p-53mf.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9fm9-hp7p-53mf",
-  "modified": "2025-05-28T16:08:47Z",
+  "modified": "2026-01-29T02:35:55Z",
   "published": "2025-05-28T12:30:34Z",
   "aliases": [
     "CVE-2025-3864"
@@ -44,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/benoitc/hackney/issues/717"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/benoitc/hackney/commit/8f13ddac50d1626f8b9a47a08bd599e4efe1773d"
+    },
     {
       "type": "WEB",
       "url": "https://cert.pl/en/posts/2025/05/CVE-2025-3864"
diff --git a/advisories/github-reviewed/2025/08/GHSA-f9qj-4c5x-cpcw/GHSA-f9qj-4c5x-cpcw.json b/advisories/github-reviewed/2025/08/GHSA-f9qj-4c5x-cpcw/GHSA-f9qj-4c5x-cpcw.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f9qj-4c5x-cpcw",
-  "modified": "2025-08-21T15:41:42Z",
+  "modified": "2026-01-29T02:36:18Z",
   "published": "2025-08-20T15:31:42Z",
   "aliases": [
     "CVE-2025-50864"
@@ -56,6 +56,10 @@
       "type": "WEB",
       "url": "https://github.com/elysiajs/elysia-cors/blob/main/src/index.ts"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elysiajs/elysia-cors/tree/main"
+    },
     {
       "type": "WEB",
       "url": "https://medium.com/@raghavagrawal_23036/cors-bypass-in-popular-opensource-library-ad27fb41e16a"
diff --git a/advisories/github-reviewed/2026/01/GHSA-c336-7962-wfj2/GHSA-c336-7962-wfj2.json b/advisories/github-reviewed/2026/01/GHSA-c336-7962-wfj2/GHSA-c336-7962-wfj2.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c336-7962-wfj2",
-  "modified": "2026-01-16T19:11:05Z",
+  "modified": "2026-01-29T02:35:29Z",
   "published": "2026-01-16T16:58:16Z",
   "aliases": [
     "CVE-2026-23528"
   ],
   "summary": "Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard",
-  "details": "### Impact\nWhen [Jupyter Lab](https://jupyterlab.readthedocs.io/en/latest/), [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and [Dask distributed](https://github.com/dask/distributed) are all run together it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard.\n\nIt is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel.\n\nIn order for a user to be impacted they must be running Jupyter Lab locally on the default port (with the [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy)) and a Dask distributed cluster on the default port. Then they would need to click the link which would execute the malicious code.\n\n### Patches\nThis has been fixed in the `2026.1.1` release. All users should upgrade to this version.\n\n### Mitigations\nThere are no known workarounds for this bug. The only complete solution is to upgrade to a newer release of Dask. However, there are a few things you could do to reduce your risk.\n\nIt is possible to avoid code execution via Jupyter by uninstalling the [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and accessing the Dask dashboard directly at it's URL. However, it is still possible for an attacker to craft a URL that executes JavaScript in the user's browser in the Dask dashboard. Which is still a moderate vulnerability. Therefore we recommend all users upgrade to the latest Dask release.\n\nAnother potential mitigation is to ensure both Jupyter and the Dask dashboard are running on non-standard ports. While this doesn't resolve the problem it reduces the chance of this being exploited. If an attacker knew which ports you were using they could still craft a malicious URL, but it would require a more targeted attack.",
+  "details": "### Impact\nWhen [Jupyter Lab](https://jupyterlab.readthedocs.io/en/latest/), [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and [Dask distributed](https://github.com/dask/distributed) are all run together it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard.\n\nIt is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel.\n\nIn order for a user to be impacted they must be running Jupyter Lab locally on the default port (with the [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy)) and a Dask distributed cluster on the default port. Then they would need to click the link which would execute the malicious code.\n\n### Patches\nThis has been fixed in the `2026.1.0` release. All users should upgrade to this version.\n\n### Mitigations\nThere are no known workarounds for this bug. The only complete solution is to upgrade to a newer release of Dask. However, there are a few things you could do to reduce your risk.\n\nIt is possible to avoid code execution via Jupyter by uninstalling the [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and accessing the Dask dashboard directly at it's URL. However, it is still possible for an attacker to craft a URL that executes JavaScript in the user's browser in the Dask dashboard. Which is still a moderate vulnerability. Therefore we recommend all users upgrade to the latest Dask release.\n\nAnother potential mitigation is to ensure both Jupyter and the Dask dashboard are running on non-standard ports. While this doesn't resolve the problem it reduces the chance of this being exploited. If an attacker knew which ports you were using they could still craft a malicious URL, but it would require a more targeted attack.",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -28,7 +28,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "2026.1.1"
+              "fixed": "2026.1.0"
             }
           ]
         }

Original file line number	Diff line number	Diff line change
`@@ -1,13 +1,13 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-c336-7962-wfj2",`
`4`		`- "modified": "2026-01-16T19:11:05Z",`
	`4`	`+ "modified": "2026-01-29T02:35:29Z",`
`5`	`5`	`"published": "2026-01-16T16:58:16Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2026-23528"`
`8`	`8`	`],`
`9`	`9`	`"summary": "Dask Distributed is Vulnerable to Remote Code Execution via Jupyter Proxy and Dashboard",`
`10`		- "details": "### Impact\nWhen [Jupyter Lab](https://jupyterlab.readthedocs.io/en/latest/), [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and [Dask distributed](https://github.com/dask/distributed) are all run together it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard.\n\nIt is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel.\n\nIn order for a user to be impacted they must be running Jupyter Lab locally on the default port (with the [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy)) and a Dask distributed cluster on the default port. Then they would need to click the link which would execute the malicious code.\n\n### Patches\nThis has been fixed in the `2026.1.1` release. All users should upgrade to this version.\n\n### Mitigations\nThere are no known workarounds for this bug. The only complete solution is to upgrade to a newer release of Dask. However, there are a few things you could do to reduce your risk.\n\nIt is possible to avoid code execution via Jupyter by uninstalling the [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and accessing the Dask dashboard directly at it's URL. However, it is still possible for an attacker to craft a URL that executes JavaScript in the user's browser in the Dask dashboard. Which is still a moderate vulnerability. Therefore we recommend all users upgrade to the latest Dask release.\n\nAnother potential mitigation is to ensure both Jupyter and the Dask dashboard are running on non-standard ports. While this doesn't resolve the problem it reduces the chance of this being exploited. If an attacker knew which ports you were using they could still craft a malicious URL, but it would require a more targeted attack.",
	`10`	+ "details": "### Impact\nWhen [Jupyter Lab](https://jupyterlab.readthedocs.io/en/latest/), [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and [Dask distributed](https://github.com/dask/distributed) are all run together it is possible to craft a URL which will result in code being executed by Jupyter due to a cross-side-scripting (XSS) bug in the Dask dashboard.\n\nIt is possible for attackers to craft a phishing URL that assumes Jupyter Lab and Dask may be running on localhost and using default ports. If a user clicks on the malicious link it will open an error page in the Dask Dashboard via the Jupyter Lab proxy which will cause code to be executed by the default Jupyter Python kernel.\n\nIn order for a user to be impacted they must be running Jupyter Lab locally on the default port (with the [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy)) and a Dask distributed cluster on the default port. Then they would need to click the link which would execute the malicious code.\n\n### Patches\nThis has been fixed in the `2026.1.0` release. All users should upgrade to this version.\n\n### Mitigations\nThere are no known workarounds for this bug. The only complete solution is to upgrade to a newer release of Dask. However, there are a few things you could do to reduce your risk.\n\nIt is possible to avoid code execution via Jupyter by uninstalling the [jupyter-server-proxy](https://github.com/jupyterhub/jupyter-server-proxy) and accessing the Dask dashboard directly at it's URL. However, it is still possible for an attacker to craft a URL that executes JavaScript in the user's browser in the Dask dashboard. Which is still a moderate vulnerability. Therefore we recommend all users upgrade to the latest Dask release.\n\nAnother potential mitigation is to ensure both Jupyter and the Dask dashboard are running on non-standard ports. While this doesn't resolve the problem it reduces the chance of this being exploited. If an attacker knew which ports you were using they could still craft a malicious URL, but it would require a more targeted attack.",
`11`	`11`	`"severity": [`
`12`	`12`	`{`
`13`	`13`	`"type": "CVSS_V4",`
`@@ -28,7 +28,7 @@`
`28`	`28`	`"introduced": "0"`
`29`	`29`	`},`
`30`	`30`	`{`
`31`		`- "fixed": "2026.1.1"`
	`31`	`+ "fixed": "2026.1.0"`
`32`	`32`	`}`
`33`	`33`	`]`
`34`	`34`	`}`