Publish Advisories

GHSA-2wvg-62qm-gj33
GHSA-3p65-76g6-3w7r
GHSA-436g-fhfc-9g5w
GHSA-4q27-4rrq-fx95
GHSA-5ghq-42rg-769x
GHSA-6326-w46w-ppjw
GHSA-737v-mqg7-c878
GHSA-73jv-44c3-j5p2
GHSA-9cqf-439c-j96r
GHSA-cqgf-f4x7-g6wc
GHSA-fgv4-6jr3-jgfw
GHSA-hm7r-c7qw-ghp6
GHSA-jg4p-7fhp-p32p
GHSA-mcv8-8m8x-48pg
GHSA-rp9m-7r4c-75qg
GHSA-v959-cwq9-7hr6
GHSA-vr5f-2r24-w5hc
GHSA-x9w5-xccw-5h9w

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-2wvg-62qm-gj33/GHSA-2wvg-62qm-gj33.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2wvg-62qm-gj33",
-  "modified": "2026-04-04T04:18:43Z",
+  "modified": "2026-04-06T23:43:23Z",
   "published": "2026-04-04T04:18:43Z",
   "aliases": [
     "CVE-2026-35187"
@@ -40,6 +40,14 @@
       "type": "WEB",
       "url": "https://github.com/pyload/pyload/security/advisories/GHSA-2wvg-62qm-gj33"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35187"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pyload/pyload/commit/4032e57d61d8f864e39f4dcfdb567527a50a9e1f"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/pyload/pyload"
@@ -52,6 +60,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-04T04:18:43Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T20:16:27Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-3p65-76g6-3w7r/GHSA-3p65-76g6-3w7r.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3p65-76g6-3w7r",
-  "modified": "2026-04-06T17:52:52Z",
+  "modified": "2026-04-06T23:42:43Z",
   "published": "2026-04-06T17:52:52Z",
   "aliases": [
     "CVE-2026-33540"
   ],
   "summary": "Distribution affected by pull-through cache credential exfiltration via www-authenticate bearer realm",
-  "details": "commit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 (as-of 2026-01-31)\ncontact: GitHub Security Advisory (https://github.com/distribution/distribution/security/advisories/new)\n\n## summary\n\nin pull-through cache mode, distribution discovers token auth endpoints by parsing `WWW-Authenticate` challenges returned by the configured upstream registry. the `realm` URL from a bearer challenge is used without validating that it matches the upstream registry host. as a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled `realm` URL.\n\nthis is the same vulnerability class as CVE-2020-15157 (containerd), but in distribution’s pull-through cache proxy auth flow.\n\n## severity\n\nHIGH\n\nnote: the baseline impact is credential disclosure of the configured upstream credentials. if a deployment uses broader credentials for upstream auth (for example cloud iam credentials), the downstream impact can be higher; i am not claiming this as default for all deployments.\n\n## impact\n\ncredential exfiltration of the upstream authentication material configured for the pull-through cache.\n\nattacker starting positions that make this realistic:\n- supply chain / configuration: an operator configures a proxy cache to use an upstream that becomes attacker-controlled (compromised registry, stale domain, or a malicious mirror)\n- network: MitM on the upstream connection in environments where the upstream is reachable over insecure transport or a compromised network path\n\n## affected components\n\n- `registry/proxy/proxyauth.go:66-81` (`getAuthURLs`): extracts bearer `realm` from upstream `WWW-Authenticate` without validating destination\n- `internal/client/auth/session.go:485-510` (`fetchToken`): uses the realm URL directly for token fetch\n- `internal/client/auth/session.go:429-434` (`fetchTokenWithBasicAuth`): sends credentials via basic auth to the realm URL\n\n## reproduction\n\nattachment: `poc.zip` (local harness) with canonical and control runs.\n\nthe harness is local and does not contact a real registry: it uses two local HTTP servers (upstream + attacker token service) to demonstrate whether basic auth is sent to an attacker-chosen realm.\n\n```bash\nunzip -q -o poc.zip -d poc\ncd poc\nmake canonical\nmake control\n```\n\nexpected output (excerpt):\n\n```\n[CALLSITE_HIT]: getAuthURLs::configureAuth\n[PROOF_MARKER]: basic_auth_sent=true realm_host=127.0.0.1 account_param=user authorization_prefix=Basic\n```\n\ncontrol output (excerpt):\n\n```\n[CALLSITE_HIT]: getAuthURLs::configureAuth\n[NC_MARKER]: realm_validation=PASS basic_auth_sent=false\n```\n\n## suggested remediation\n\nvalidate that the token `realm` destination is within the intended trust boundary before associating credentials with it or sending any authentication to it. one conservative option is strict same-host binding: only accept a realm whose host matches the configured upstream host.\n\n## fix accepted when\n\n- distribution does not send configured upstream credentials to an attacker-chosen realm URL\n- a regression test covers the canonical and blocked cases\n\n[addendum.md](https://github.com/user-attachments/files/24984637/addendum.md)\n[poc.zip](https://github.com/user-attachments/files/24984638/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/24984639/PR_DESCRIPTION.md)\n[RUNNABLE_POC.md](https://github.com/user-attachments/files/24984640/RUNNABLE_POC.md)",
+  "details": "hi guys,\n\ncommit: 40594bd98e6d6ed993b5c6021c93fdf96d2e5851 (as-of 2026-01-31)\ncontact: GitHub Security Advisory (https://github.com/distribution/distribution/security/advisories/new)\n\n## summary\n\nin pull-through cache mode, distribution discovers token auth endpoints by parsing `WWW-Authenticate` challenges returned by the configured upstream registry. the `realm` URL from a bearer challenge is used without validating that it matches the upstream registry host. as a result, an attacker-controlled upstream (or an attacker with MitM position to the upstream) can cause distribution to send the configured upstream credentials via basic auth to an attacker-controlled `realm` URL.\n\nthis is the same vulnerability class as CVE-2020-15157 (containerd), but in distribution’s pull-through cache proxy auth flow.\n\n## severity\n\nHIGH\n\nnote: the baseline impact is credential disclosure of the configured upstream credentials. if a deployment uses broader credentials for upstream auth (for example cloud iam credentials), the downstream impact can be higher; i am not claiming this as default for all deployments.\n\n## impact\n\ncredential exfiltration of the upstream authentication material configured for the pull-through cache.\n\nattacker starting positions that make this realistic:\n- supply chain / configuration: an operator configures a proxy cache to use an upstream that becomes attacker-controlled (compromised registry, stale domain, or a malicious mirror)\n- network: MitM on the upstream connection in environments where the upstream is reachable over insecure transport or a compromised network path\n\n## affected components\n\n- `registry/proxy/proxyauth.go:66-81` (`getAuthURLs`): extracts bearer `realm` from upstream `WWW-Authenticate` without validating destination\n- `internal/client/auth/session.go:485-510` (`fetchToken`): uses the realm URL directly for token fetch\n- `internal/client/auth/session.go:429-434` (`fetchTokenWithBasicAuth`): sends credentials via basic auth to the realm URL\n\n## reproduction\n\nattachment: `poc.zip` (local harness) with canonical and control runs.\n\nthe harness is local and does not contact a real registry: it uses two local HTTP servers (upstream + attacker token service) to demonstrate whether basic auth is sent to an attacker-chosen realm.\n\n```bash\nunzip -q -o poc.zip -d poc\ncd poc\nmake canonical\nmake control\n```\n\nexpected output (excerpt):\n\n```\n[CALLSITE_HIT]: getAuthURLs::configureAuth\n[PROOF_MARKER]: basic_auth_sent=true realm_host=127.0.0.1 account_param=user authorization_prefix=Basic\n```\n\ncontrol output (excerpt):\n\n```\n[CALLSITE_HIT]: getAuthURLs::configureAuth\n[NC_MARKER]: realm_validation=PASS basic_auth_sent=false\n```\n\n## suggested remediation\n\nvalidate that the token `realm` destination is within the intended trust boundary before associating credentials with it or sending any authentication to it. one conservative option is strict same-host binding: only accept a realm whose host matches the configured upstream host.\n\n## fix accepted when\n\n- distribution does not send configured upstream credentials to an attacker-chosen realm URL\n- a regression test covers the canonical and blocked cases\n\n[addendum.md](https://github.com/user-attachments/files/24984637/addendum.md)\n[poc.zip](https://github.com/user-attachments/files/24984638/poc.zip)\n[PR_DESCRIPTION.md](https://github.com/user-attachments/files/24984639/PR_DESCRIPTION.md)\n[RUNNABLE_POC.md](https://github.com/user-attachments/files/24984640/RUNNABLE_POC.md)\n\n\nbest,\noleh",
   "severity": [
     {
       "type": "CVSS_V3",

advisories/github-reviewed/2026/04/GHSA-436g-fhfc-9g5w/GHSA-436g-fhfc-9g5w.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-436g-fhfc-9g5w",
-  "modified": "2026-04-03T03:44:39Z",
+  "modified": "2026-04-06T23:41:13Z",
   "published": "2026-04-03T03:44:39Z",
   "aliases": [
     "CVE-2026-35052"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/man-group/dtale/security/advisories/GHSA-436g-fhfc-9g5w"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35052"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/man-group/dtale"
@@ -52,6 +56,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T03:44:39Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T18:16:42Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-4q27-4rrq-fx95/GHSA-4q27-4rrq-fx95.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4q27-4rrq-fx95",
-  "modified": "2026-04-03T23:43:23Z",
+  "modified": "2026-04-06T23:43:19Z",
   "published": "2026-04-03T23:43:23Z",
   "aliases": [
     "CVE-2026-35181"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-4q27-4rrq-fx95"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35181"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/WWBN/AVideo"
@@ -52,6 +56,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T23:43:23Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T20:16:26Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-5ghq-42rg-769x/GHSA-5ghq-42rg-769x.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5ghq-42rg-769x",
-  "modified": "2026-04-06T17:53:02Z",
+  "modified": "2026-04-06T23:41:42Z",
   "published": "2026-04-06T17:53:02Z",
   "aliases": [
     "CVE-2026-35035"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-5ghq-42rg-769x"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35035"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/ci4-cms-erp/ci4ms"
@@ -59,6 +63,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-06T17:53:02Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T17:17:12Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-6326-w46w-ppjw/GHSA-6326-w46w-ppjw.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6326-w46w-ppjw",
-  "modified": "2026-04-03T03:46:48Z",
+  "modified": "2026-04-06T23:41:16Z",
   "published": "2026-04-03T03:46:48Z",
   "aliases": [
     "CVE-2026-35167"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-6326-w46w-ppjw"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35167"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/kedro-org/kedro/pull/5442"
@@ -56,6 +60,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T03:46:48Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T18:16:43Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-737v-mqg7-c878/GHSA-737v-mqg7-c878.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-737v-mqg7-c878",
-  "modified": "2026-04-04T06:17:53Z",
+  "modified": "2026-04-06T23:42:28Z",
   "published": "2026-04-04T06:17:53Z",
   "aliases": [
     "CVE-2026-35209"
@@ -43,9 +43,25 @@
       "type": "WEB",
       "url": "https://github.com/unjs/defu/security/advisories/GHSA-737v-mqg7-c878"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35209"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/defu/pull/156"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/defu/commit/3942bfbbcaa72084bd4284846c83bd61ed7c8b29"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/unjs/defu"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/defu/releases/tag/v6.1.5"
     }
   ],
   "database_specific": {
@@ -55,6 +71,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-04T06:17:53Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T18:16:44Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-73jv-44c3-j5p2/GHSA-73jv-44c3-j5p2.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-73jv-44c3-j5p2",
-  "modified": "2026-04-03T03:57:43Z",
+  "modified": "2026-04-06T23:41:37Z",
   "published": "2026-04-03T03:57:43Z",
   "aliases": [
     "CVE-2026-35175"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/ajenti/ajenti/security/advisories/GHSA-73jv-44c3-j5p2"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35175"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/ajenti/ajenti"
@@ -56,6 +60,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T03:57:43Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T18:16:43Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-9cqf-439c-j96r/GHSA-9cqf-439c-j96r.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9cqf-439c-j96r",
-  "modified": "2026-04-03T03:48:48Z",
+  "modified": "2026-04-06T23:41:20Z",
   "published": "2026-04-03T03:48:48Z",
   "aliases": [
     "CVE-2026-35171"
@@ -40,19 +40,23 @@
       "type": "WEB",
       "url": "https://github.com/kedro-org/kedro/security/advisories/GHSA-9cqf-439c-j96r"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35171"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/kedro-org/kedro"
     }
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-94",
-      "CWE-502"
+      "CWE-502",
+      "CWE-94"
     ],
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T03:48:48Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T18:16:43Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-cqgf-f4x7-g6wc/GHSA-cqgf-f4x7-g6wc.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cqgf-f4x7-g6wc",
-  "modified": "2026-04-03T03:33:00Z",
+  "modified": "2026-04-06T23:41:08Z",
   "published": "2026-04-03T03:33:00Z",
   "aliases": [
     "CVE-2026-35037"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/lin-snow/Ech0/security/advisories/GHSA-cqgf-f4x7-g6wc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35037"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/lin-snow/Ech0"
@@ -52,6 +56,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T03:33:00Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T17:17:13Z"
   }
 }