Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 77178ce1c02a · 2026-04-06T17:20:03.000Z
GHSA-7p93-6934-f4q7 GHSA-98gw-w575-h2ph GHSA-q4r8-xm5f-56gw GHSA-qhj7-v7h7-q4c7 GHSA-vv7q-7jx5-f767 GHSA-38m8-xrfj-v38x GHSA-3gw8-3mg3-jmpc GHSA-5crx-pfhq-4hgg GHSA-9q5m-jfc4-wc92 GHSA-cv2g-8cj8-vgc7 GHSA-gcp9-5jc8-976x GHSA-whv5-4q2f-q68g
diff --git a/advisories/github-reviewed/2026/03/GHSA-7p93-6934-f4q7/GHSA-7p93-6934-f4q7.json b/advisories/github-reviewed/2026/03/GHSA-7p93-6934-f4q7/GHSA-7p93-6934-f4q7.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7p93-6934-f4q7",
-  "modified": "2026-03-30T17:00:54Z",
+  "modified": "2026-04-06T17:18:18Z",
   "published": "2026-03-30T17:00:54Z",
   "aliases": [
     "CVE-2026-33533"
@@ -40,9 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-7p93-6934-f4q7"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33533"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nicolargo/glances/commit/dcb39c3f12b2a1eec708c58d22d7a1d62bdf5fa1"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/nicolargo/glances"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.3"
     }
   ],
   "database_specific": {
@@ -52,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-30T17:00:54Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:39Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-98gw-w575-h2ph/GHSA-98gw-w575-h2ph.json b/advisories/github-reviewed/2026/03/GHSA-98gw-w575-h2ph/GHSA-98gw-w575-h2ph.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-98gw-w575-h2ph",
-  "modified": "2026-03-31T22:48:45Z",
+  "modified": "2026-04-06T17:18:07Z",
   "published": "2026-03-31T22:48:45Z",
   "aliases": [
     "CVE-2026-32629"
@@ -65,9 +65,17 @@
       "type": "WEB",
       "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-98gw-w575-h2ph"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32629"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/thorsten/phpMyFAQ"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
     }
   ],
   "database_specific": {
@@ -78,6 +86,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-31T22:48:45Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:38Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-q4r8-xm5f-56gw/GHSA-q4r8-xm5f-56gw.json b/advisories/github-reviewed/2026/03/GHSA-q4r8-xm5f-56gw/GHSA-q4r8-xm5f-56gw.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q4r8-xm5f-56gw",
-  "modified": "2026-03-20T21:35:17Z",
+  "modified": "2026-04-06T17:19:40Z",
   "published": "2026-03-19T16:27:53Z",
   "aliases": [
     "CVE-2026-30836"
   ],
   "summary": "step-ca has Unauthenticated Certificate Issuance via SCEP UpdateReq (MessageType=18)",
-  "details": "⚠️ **Limited Disclosure — Full Details Pending**\n\nA critical security vulnerability has been identified in Step CA. An updated version, v0.30.0, is available and all operators are strongly encouraged to upgrade immediately.\n\nFull details of this vulnerability will be published in this security advisory on March 30, 2026.\nIf you have urgent questions in the meantime, please contact [security@smallstep.com](mailto:security@smallstep.com).",
+  "details": "## Summary\n\nAn attacker can force a Step CA SCEP provisioner to create certificates without completing certain protocol authorization checks.\n\n## Details\n\nSCEP requests carry a message type. On receipt of a SCEP request, Step CA starts processing it by parsing its contents. Message types that were considered valid, but not explicitly supported in Step CA, would result in getting parsed successfully. While processing the parsed SCEP message, authorization logic would be skipped for the non-supported message types.\n\nAs a result, the request would be treated as authorized, bypassing the authorization checks normally enforced as part of the SCEP protocol and its implementation in Step CA.\n\nAuthorization webhooks and regular CA policies, such as allowed names and restrictions on certificate validity periods, remain in place.\n\n## Mitigations\n\nIf you are unable to upgrade to v0.30.0 or newer, the attack can be mitigated by (temporarily) disabling or removing SCEP provisioners, or restricting access to SCEP provisioners to trusted clients only.\n\n## Fix\n\nIn v0.30.0, additional validation was added to SCEP provisioners, so that they reject unsupported message types.\n\n## Acknowledgements\n\nThis issue was identified and reported by Prasanth Sundararajan.\n\n## Embargo List\n\nIf your organization runs Step CA in production and would like advance, embargoed notification of future security updates, visit https://u.step.sm/disclosure to request inclusion on our embargo list.\n\nStay safe, and thank you for helping us keep the ecosystem secure.\n\nIf you have urgent questions, please contact [security@smallstep.com](mailto:security@smallstep.com).",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2026/03/GHSA-qhj7-v7h7-q4c7/GHSA-qhj7-v7h7-q4c7.json b/advisories/github-reviewed/2026/03/GHSA-qhj7-v7h7-q4c7/GHSA-qhj7-v7h7-q4c7.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qhj7-v7h7-q4c7",
-  "modified": "2026-03-30T17:01:27Z",
+  "modified": "2026-04-06T17:18:29Z",
   "published": "2026-03-30T17:01:27Z",
   "aliases": [
     "CVE-2026-33641"
@@ -40,9 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/nicolargo/glances/security/advisories/GHSA-qhj7-v7h7-q4c7"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33641"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nicolargo/glances/commit/358d76a225fc21a9f95d2c4d7e46fafe64a644c6"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/nicolargo/glances"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nicolargo/glances/releases/tag/v4.5.3"
     }
   ],
   "database_specific": {
@@ -52,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-30T17:01:27Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:40Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-vv7q-7jx5-f767/GHSA-vv7q-7jx5-f767.json b/advisories/github-reviewed/2026/03/GHSA-vv7q-7jx5-f767/GHSA-vv7q-7jx5-f767.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vv7q-7jx5-f767",
-  "modified": "2026-03-31T22:53:21Z",
+  "modified": "2026-04-06T17:18:14Z",
   "published": "2026-03-31T22:53:21Z",
   "aliases": [
     "CVE-2026-32871"
@@ -40,9 +40,25 @@
       "type": "WEB",
       "url": "https://github.com/PrefectHQ/fastmcp/security/advisories/GHSA-vv7q-7jx5-f767"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32871"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/PrefectHQ/fastmcp/pull/3507"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/PrefectHQ/fastmcp/commit/40bdfb6b1de0ce30609ee9ba5bb95ecd04a9fb71"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/PrefectHQ/fastmcp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/PrefectHQ/fastmcp/releases/tag/v3.2.0"
     }
   ],
   "database_specific": {
@@ -52,6 +68,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-31T22:53:21Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:38Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-38m8-xrfj-v38x/GHSA-38m8-xrfj-v38x.json b/advisories/github-reviewed/2026/04/GHSA-38m8-xrfj-v38x/GHSA-38m8-xrfj-v38x.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-38m8-xrfj-v38x",
-  "modified": "2026-04-01T22:30:32Z",
+  "modified": "2026-04-06T17:18:35Z",
   "published": "2026-04-01T22:30:32Z",
   "aliases": [
     "CVE-2026-34728"
@@ -43,9 +43,17 @@
       "type": "WEB",
       "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-38m8-xrfj-v38x"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34728"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/thorsten/phpMyFAQ"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
     }
   ],
   "database_specific": {
@@ -55,6 +63,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T22:30:32Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:41Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-3gw8-3mg3-jmpc/GHSA-3gw8-3mg3-jmpc.json b/advisories/github-reviewed/2026/04/GHSA-3gw8-3mg3-jmpc/GHSA-3gw8-3mg3-jmpc.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3gw8-3mg3-jmpc",
-  "modified": "2026-04-01T19:46:00Z",
+  "modified": "2026-04-06T17:17:50Z",
   "published": "2026-04-01T19:46:00Z",
   "aliases": [
     "CVE-2026-28805"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/devcode-it/openstamanager/security/advisories/GHSA-3gw8-3mg3-jmpc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28805"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/devcode-it/openstamanager/commit/50b9089c506ba2ca249afb1dfead2af5d42c10e7"
@@ -67,6 +71,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T19:46:00Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T14:16:26Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-5crx-pfhq-4hgg/GHSA-5crx-pfhq-4hgg.json b/advisories/github-reviewed/2026/04/GHSA-5crx-pfhq-4hgg/GHSA-5crx-pfhq-4hgg.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5crx-pfhq-4hgg",
-  "modified": "2026-04-01T23:42:47Z",
+  "modified": "2026-04-06T17:18:58Z",
   "published": "2026-04-01T23:42:47Z",
   "aliases": [
     "CVE-2026-34974"
@@ -43,9 +43,17 @@
       "type": "WEB",
       "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-5crx-pfhq-4hgg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34974"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/thorsten/phpMyFAQ"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
     }
   ],
   "database_specific": {
@@ -55,6 +63,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T23:42:47Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:51Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-9q5m-jfc4-wc92/GHSA-9q5m-jfc4-wc92.json b/advisories/github-reviewed/2026/04/GHSA-9q5m-jfc4-wc92/GHSA-9q5m-jfc4-wc92.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9q5m-jfc4-wc92",
-  "modified": "2026-04-01T19:52:04Z",
+  "modified": "2026-04-06T17:18:24Z",
   "published": "2026-04-01T19:52:04Z",
   "aliases": [
     "CVE-2026-33544"
@@ -40,9 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/steveiliop56/tinyauth/security/advisories/GHSA-9q5m-jfc4-wc92"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33544"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/steveiliop56/tinyauth/commit/f26c2171610d5c2dfbba2edb6ccd39490e349803"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/steveiliop56/tinyauth"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/steveiliop56/tinyauth/releases/tag/v5.0.5"
     }
   ],
   "database_specific": {
@@ -52,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T19:52:04Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:39Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-cv2g-8cj8-vgc7/GHSA-cv2g-8cj8-vgc7.json b/advisories/github-reviewed/2026/04/GHSA-cv2g-8cj8-vgc7/GHSA-cv2g-8cj8-vgc7.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cv2g-8cj8-vgc7",
-  "modified": "2026-04-01T22:31:44Z",
+  "modified": "2026-04-06T17:18:46Z",
   "published": "2026-04-01T22:31:44Z",
   "aliases": [
     "CVE-2026-34729"
@@ -43,9 +43,17 @@
       "type": "WEB",
       "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-cv2g-8cj8-vgc7"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34729"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/thorsten/phpMyFAQ"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
     }
   ],
   "database_specific": {
@@ -55,6 +63,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T22:31:44Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:42Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-gcp9-5jc8-976x/GHSA-gcp9-5jc8-976x.json b/advisories/github-reviewed/2026/04/GHSA-gcp9-5jc8-976x/GHSA-gcp9-5jc8-976x.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gcp9-5jc8-976x",
-  "modified": "2026-04-01T23:41:49Z",
+  "modified": "2026-04-06T17:18:54Z",
   "published": "2026-04-01T23:41:49Z",
   "aliases": [
     "CVE-2026-34973"
@@ -40,9 +40,17 @@
       "type": "WEB",
       "url": "https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-gcp9-5jc8-976x"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34973"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/thorsten/phpMyFAQ"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thorsten/phpMyFAQ/releases/tag/4.1.1"
     }
   ],
   "database_specific": {
@@ -52,6 +60,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-01T23:41:49Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-02T15:16:51Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-whv5-4q2f-q68g/GHSA-whv5-4q2f-q68g.json b/advisories/github-reviewed/2026/04/GHSA-whv5-4q2f-q68g/GHSA-whv5-4q2f-q68g.json
