Publish Advisories

GHSA-wxf3-4fvj-vqqx
GHSA-63vm-454h-vhhq
GHSA-mmwx-79f6-67jg
GHSA-pcjq-j3mq-jv5j
GHSA-vrgw-pc9c-qrrc
GHSA-w54x-r83c-x79q

Author: advisory-database[bot]

advisories/github-reviewed/2023/07/GHSA-wxf3-4fvj-vqqx/GHSA-wxf3-4fvj-vqqx.json

@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wxf3-4fvj-vqqx",
-  "modified": "2023-09-06T19:20:43Z",
+  "modified": "2026-01-16T21:55:54Z",
   "published": "2023-07-27T19:28:02Z",
   "aliases": [],
   "summary": "Unsafe plugins can be installed via pack import by tenant admins",
-  "details": "### Summary\nUnsafe plugins (for instance `sql-list`) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disables\n\n### Details\nI have an example\nhttps://bot20230704.saltcorn.com/view/all_plugins\nIt's publicly accessible (but has not so secure values except list of tenants).\nBut using this mech one can read **any** data from other tenants.\n\n### Impact\nAll tenants of installation (i.e. `saltcorn.com`), can be compromised from tenant user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants\n\n### Revived after 0.8.7\nAfter patch in 0.8.7 this is not fixed completely.\n\nHere are steps to reproduce:\n1. Publish to NPM plugin that was not approved by admin (in case of saltcorn.com) by @glutamate. I've just published this one: https://www.npmjs.com/package/saltcorn-qrcode\n2. Publish somewhere plugin store that includes plugin from previous step: https://gist.github.com/pyhedgehog/f1fd7cb13f4d0a7ccf6a965748d19bd2\n3. Add plugin store link to tenant store.\n4. Install plugin.\n5. Use it in tenant: https://bot20230704.saltcorn.com/view/testqr_show/1\n\nHere are logic:\nUnsafe plugins checked against this list:\nhttps://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191\nBut it's under control of tenant admin, not server admin.\nProposed login:\n```javascript\nconst safes = getRootState().getConfig(\"available_plugins\",[]).filter(p=>!p.unsafe).map(p=>p.location);\n```\n",
+  "details": "### Summary\nUnsafe plugins (for instance `sql-list`) can be installed in subdomain tenants via pack import even if unsafe plugin installation for tenants is disables\n\n### Details\nI have an example\nhttps://bot20230704.saltcorn.com/view/all_plugins\nIt's publicly accessible (but has not so secure values except list of tenants).\nBut using this mech one can read **any** data from other tenants.\n\n### Impact\nAll tenants of installation (i.e. `saltcorn.com`), can be compromised from tenant user has admin access. If an untrusted user has admin rights to a tenant instance, they will be able to install a plug-in that can access information from other tenants\n\n### Revived after 0.8.7\nAfter patch in 0.8.7 this is not fixed completely.\n\nHere are steps to reproduce:\n1. Publish to NPM plugin that was not approved by admin (in case of saltcorn.com) by @glutamate. I've just published this one: https://www.npmjs.com/package/saltcorn-qrcode\n2. Publish somewhere plugin store that includes plugin from previous step: https://gist.github.com/pyhedgehog/f1fd7cb13f4d0a7ccf6a965748d19bd2\n3. Add plugin store link to tenant store.\n4. Install plugin.\n5. Use it in tenant: https://bot20230704.saltcorn.com/view/testqr_show/1\n\nHere are logic:\nUnsafe plugins checked against this list:\nhttps://github.com/saltcorn/saltcorn/blob/99fe277e497fd193bb070acd8c663aa254a9907c/packages/server/load_plugins.js#L191\nBut it's under control of tenant admin, not server admin.\nProposed login:\n```javascript\nconst safes = getRootState().getConfig(\"available_plugins\",[]).filter(p=>!p.unsafe).map(p=>p.location);\n```",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -26,7 +26,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "1.0"
+              "fixed": "0.8.8-beta.2"
             }
           ]
         }

advisories/github-reviewed/2026/01/GHSA-63vm-454h-vhhq/GHSA-63vm-454h-vhhq.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-63vm-454h-vhhq",
-  "modified": "2026-01-16T19:19:25Z",
+  "modified": "2026-01-16T21:55:59Z",
   "published": "2026-01-16T19:19:25Z",
   "aliases": [
     "CVE-2026-23490"
@@ -43,6 +43,14 @@
       "type": "WEB",
       "url": "https://github.com/pyasn1/pyasn1/security/advisories/GHSA-63vm-454h-vhhq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23490"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pyasn1/pyasn1/commit/3908f144229eed4df24bd569d16e5991ace44970"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/pyasn1/pyasn1/commit/be353d755f42ea36539b4f5053c652ddf56979a6"
@@ -62,11 +70,12 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-400"
+      "CWE-400",
+      "CWE-770"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-16T19:19:25Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-16T19:16:19Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-mmwx-79f6-67jg/GHSA-mmwx-79f6-67jg.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mmwx-79f6-67jg",
-  "modified": "2026-01-16T16:58:26Z",
+  "modified": "2026-01-16T21:56:08Z",
   "published": "2026-01-16T16:58:26Z",
   "aliases": [
     "CVE-2026-23535"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/WeblateOrg/wlc/security/advisories/GHSA-mmwx-79f6-67jg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23535"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/WeblateOrg/wlc/pull/1128"
@@ -51,6 +55,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/WeblateOrg/wlc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/wlc/releases/tag/1.17.2"
     }
   ],
   "database_specific": {
@@ -60,6 +68,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-16T16:58:26Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-16T19:16:19Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-pcjq-j3mq-jv5j/GHSA-pcjq-j3mq-jv5j.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pcjq-j3mq-jv5j",
-  "modified": "2026-01-16T19:22:08Z",
+  "modified": "2026-01-16T21:56:47Z",
   "published": "2026-01-16T19:22:08Z",
   "aliases": [
     "CVE-2026-23645"
@@ -10,8 +10,8 @@
   "details": "### Summary\nA Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan Note. The application does not sanitize uploaded SVG files. If a user uploads and views a malicious SVG file (e.g., imported from an untrusted source), arbitrary JavaScript code is executed in the context of their authenticated session.\n\n### Details\nThe application allows authenticated users to upload files, including .svg images, without sanitizing the input to remove embedded JavaScript code (such as <script> tags or event handlers).\n\n### PoC\n1. Create a new \"Daily note\" in the workspace.\n<img width=\"1287\" height=\"572\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3a4389b9-695d-4e1b-94dc-72efdb047aa9\" />\n2. Create a file named  test.svg with malicious JavaScript inside:\n\n```\n<svg xmlns=\"http://www.w3.org/2000/svg\" width=\"200\" height=\"200\" viewBox=\"0 0 124 124\" fill=\"none\">\n<rect width=\"124\" height=\"124\" rx=\"24\" fill=\"red\"/>\n   <script type=\"text/javascript\">  \n      alert(window.origin);\n   </script>\n</svg>\n```\n3. Upload a file in current daily note:\n<img width=\"1617\" height=\"316\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6e14318a-08ec-48e5-b278-9174ad17cfcb\" />\n<img width=\"1482\" height=\"739\" alt=\"image\" src=\"https://github.com/user-attachments/assets/95c996e8-5591-436a-9467-ab56c9ffbde0\" />\n<img width=\"1321\" height=\"548\" alt=\"image\" src=\"https://github.com/user-attachments/assets/249fb187-3caa-4372-a9c9-56dfda6b8a8f\" />\n4. Open the file:\n\n- Right-click the uploaded asset in the note.\n- Select \"Export\"\n<img width=\"934\" height=\"718\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ec943dfa-92ba-47f6-8b1e-56e53f1b0ca6\" />\n5. The JavaScript code executes immediately.\n<img width=\"1033\" height=\"632\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a1611291-d333-4f8e-9da9-62104aaa1bdd\" />\n<img width=\"1381\" height=\"641\" alt=\"image\" src=\"https://github.com/user-attachments/assets/d5018203-dbd0-4285-8702-8cb3e7c5cd07\" />\n\n### Impact\nThe vulnerability allows  to upload an SVG file containing malicious scripts. When a user  exports this file, the embedded arbitrary JavaScript code is executed within their browser context\n\n###  Notes\nTested  version: \n<img width=\"1440\" height=\"534\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a62271e4-6850-4f59-be88-c4f8055429c0\" />\n\n### Solution\n\nhttps://github.com/siyuan-note/siyuan/issues/16844",
   "severity": [
     {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
     }
   ],
   "affected": [
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-pcjq-j3mq-jv5j"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23645"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/siyuan-note/siyuan/issues/16844"
@@ -60,6 +64,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-16T19:22:08Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-16T20:15:49Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-vrgw-pc9c-qrrc/GHSA-vrgw-pc9c-qrrc.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vrgw-pc9c-qrrc",
-  "modified": "2026-01-13T19:54:05Z",
+  "modified": "2026-01-16T21:54:55Z",
   "published": "2026-01-13T19:54:05Z",
   "aliases": [
     "CVE-2025-68924"
@@ -40,9 +40,25 @@
       "type": "WEB",
       "url": "https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-vrgw-pc9c-qrrc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68924"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/advisories/GHSA-vrgw-pc9c-qrrc"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/umbraco/Umbraco.Forms.Issues"
+    },
+    {
+      "type": "WEB",
+      "url": "https://our.umbraco.com/packages/developer-tools/umbraco-forms"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.nuget.org/packages/UmbracoForms"
     }
   ],
   "database_specific": {
@@ -55,6 +71,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-13T19:54:05Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-16T19:16:18Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-w54x-r83c-x79q/GHSA-w54x-r83c-x79q.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w54x-r83c-x79q",
-  "modified": "2026-01-16T15:21:14Z",
+  "modified": "2026-01-16T21:56:18Z",
   "published": "2026-01-15T20:14:31Z",
   "aliases": [
     "CVE-2026-23634"
@@ -44,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/defenseunicorns/pepr/security/advisories/GHSA-w54x-r83c-x79q"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23634"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/defenseunicorns/pepr/pull/2883"
@@ -63,11 +67,12 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-272",
       "CWE-276"
     ],
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-15T20:14:31Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-16T20:15:49Z"
   }
 }