Publish Advisories

GHSA-7f6v-3gx7-27q8
GHSA-hh8v-hgvp-g3f5
GHSA-jv87-32hw-hh99
GHSA-ph8x-4jfv-v9v8
GHSA-pv9c-9mfh-hvxq
GHSA-r7mc-x6x7-cqxx
GHSA-v2wj-7wpq-c8vv
GHSA-xgxp-f695-6vrp

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-7f6v-3gx7-27q8/GHSA-7f6v-3gx7-27q8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7f6v-3gx7-27q8",
-  "modified": "2026-03-20T17:25:56Z",
+  "modified": "2026-03-27T21:58:58Z",
   "published": "2026-03-20T17:25:56Z",
   "aliases": [
     "CVE-2026-33331"
@@ -43,9 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/middleapi/orpc/security/advisories/GHSA-7f6v-3gx7-27q8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33331"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/middleapi/orpc/commit/4f0efa8a1d3fa8e8317a4b03cc3945a5dfd68add"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/middleapi/orpc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/middleapi/orpc/releases/tag/v1.13.9"
     }
   ],
   "database_specific": {
@@ -55,6 +67,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-20T17:25:56Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:28Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-hh8v-hgvp-g3f5/GHSA-hh8v-hgvp-g3f5.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hh8v-hgvp-g3f5",
-  "modified": "2026-03-20T21:25:29Z",
+  "modified": "2026-03-27T21:58:03Z",
   "published": "2026-03-19T19:04:24Z",
   "aliases": [
     "CVE-2026-33347"
   ],
   "summary": "league/commonmark has an embed extension allowed_domains bypass",
-  "details": "### Impact\n\nThe `DomainFilteringAdapter` in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like `youtube.com.evil` passes the allowlist check when `youtube.com` is an allowed domain.\n\nThis enables two attack vectors:\n\n- **SSRF**: The `OscaroteroEmbedAdapter` makes server-side HTTP requests to the embed URL via the `embed/embed` library. A bypassed domain filter causes the server to make outbound requests to an attacker-controlled host, potentially probing internal services or exfiltrating request metadata.\n- **XSS**: `EmbedRenderer` outputs the oEmbed response HTML directly into the page with no sanitization. An attacker controlling the bypassed domain can return arbitrary HTML/JavaScript in their oEmbed response, which is rendered verbatim.\n\nAny application using the `Embed` extension and relying on `allowed_domains` to restrict domains when processing untrusted Markdown input is affected.\n\n### Patches\n\nThis has been patched in version **2.8.2**. The fix replaces the regex-based domain check with explicit hostname parsing using `parse_url()`, ensuring exact domain and subdomain matching only.\n\n### Workarounds\n\n- Disable the `Embed` extension, or restrict its use to trusted users\n- Provide your own domain-filtering implementation of `EmbedAdapterInterface`\n- Enable a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) and outbound firewall restrictions\n\n### References\n\n- https://commonmark.thephpleague.com/2.x/extensions/embed/#configuration",
+  "details": "### Impact\n\nThe `DomainFilteringAdapter` in the Embed extension is vulnerable to an allowlist bypass due to a missing hostname boundary assertion in the domain-matching regex. An attacker-controlled domain like `youtube.com.evil` passes the allowlist check when `youtube.com` is an allowed domain.\n\nThis enables two attack vectors:\n\n- **SSRF**: The `OscaroteroEmbedAdapter` makes server-side HTTP requests to the embed URL via the `embed/embed` library. A bypassed domain filter causes the server to make outbound requests to an attacker-controlled host, potentially probing internal services or exfiltrating request metadata.\n- **XSS**: `EmbedRenderer` outputs the oEmbed response HTML directly into the page with no sanitization. An attacker controlling the bypassed domain can return arbitrary HTML/JavaScript in their oEmbed response, which is rendered verbatim.\n\nAny application using the `Embed` extension and relying on `allowed_domains` to restrict domains when processing untrusted Markdown input is affected.\n\n### Patches\n\nThis has been patched in version **2.8.2**. The fix replaces the regex-based domain check with explicit hostname parsing using `parse_url()`, ensuring exact domain and subdomain matching only.\n\n### Workarounds\n\n- Disable the `Embed` extension, or restrict its use to trusted users\n- Provide your own domain-filtering implementation of `EmbedAdapterInterface`\n- Enable a [Content Security Policy (CSP)](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) and outbound firewall restrictions",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -43,9 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/thephpleague/commonmark/security/advisories/GHSA-hh8v-hgvp-g3f5"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33347"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thephpleague/commonmark/commit/59fb075d2101740c337c7216e3f32b36c204218b"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/thephpleague/commonmark"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/thephpleague/commonmark/releases/tag/2.8.2"
     }
   ],
   "database_specific": {
@@ -57,6 +69,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T19:04:24Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:29Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-jv87-32hw-hh99/GHSA-jv87-32hw-hh99.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jv87-32hw-hh99",
-  "modified": "2026-03-20T20:47:54Z",
+  "modified": "2026-03-27T21:59:08Z",
   "published": "2026-03-20T20:47:54Z",
   "aliases": [
     "CVE-2026-33419"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/minio/minio/security/advisories/GHSA-jv87-32hw-hh99"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33419"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/minio/minio"
@@ -53,6 +57,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-20T20:47:54Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:29Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-ph8x-4jfv-v9v8/GHSA-ph8x-4jfv-v9v8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-ph8x-4jfv-v9v8",
-  "modified": "2026-03-19T19:25:44Z",
+  "modified": "2026-03-27T21:57:52Z",
   "published": "2026-03-19T19:25:44Z",
   "aliases": [
     "CVE-2026-33344"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/dagu-org/dagu/security/advisories/GHSA-ph8x-4jfv-v9v8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33344"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/dagu-org/dagu/commit/7d07fda8f9de3ae73dfb081ccd0639f8059c56bb"
@@ -56,6 +60,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T19:25:44Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:28Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-pv9c-9mfh-hvxq/GHSA-pv9c-9mfh-hvxq.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pv9c-9mfh-hvxq",
-  "modified": "2026-03-24T19:13:41Z",
+  "modified": "2026-03-27T22:00:24Z",
   "published": "2026-03-24T19:13:41Z",
   "aliases": [
     "CVE-2026-33635"
@@ -40,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/icalendar/icalendar/security/advisories/GHSA-pv9c-9mfh-hvxq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33635"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/icalendar/icalendar/commit/b8d23b490363ee5fffaec1d269a8618a912ca265"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/icalendar/icalendar"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/icalendar/CVE-2026-33635.yml"
     }
   ],
   "database_specific": {
@@ -56,6 +64,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-24T19:13:41Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-26T21:17:07Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-r7mc-x6x7-cqxx/GHSA-r7mc-x6x7-cqxx.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r7mc-x6x7-cqxx",
-  "modified": "2026-03-20T21:50:30Z",
+  "modified": "2026-03-27T21:59:17Z",
   "published": "2026-03-20T21:50:30Z",
   "aliases": [
     "CVE-2026-33509"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/pyload/pyload/security/advisories/GHSA-r7mc-x6x7-cqxx"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33509"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/pyload/pyload/commit/f5e284fcdfeaf08436bb03e5fcf697aaac659d8b"
@@ -56,6 +60,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-20T21:50:30Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:30Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-v2wj-7wpq-c8vv/GHSA-v2wj-7wpq-c8vv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v2wj-7wpq-c8vv",
-  "modified": "2026-03-05T20:25:12Z",
+  "modified": "2026-03-27T21:59:55Z",
   "published": "2026-03-03T18:31:33Z",
   "aliases": [
     "CVE-2026-0540"
@@ -69,14 +69,26 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0540"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cure53/DOMPurify/commit/302b51de22535cc90235472c52e3401bedd46f80"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/cure53/DOMPurify/commit/fca0a938b4261ddc9c0293a289935a9029c049f5"
     },
+    {
+      "type": "WEB",
+      "url": "https://fluidattacks.com/advisories/daft"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/cure53/DOMPurify"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cure53/DOMPurify/releases/tag/3.3.2"
+    },
     {
       "type": "WEB",
       "url": "https://www.vulncheck.com/advisories/dompurify-xss-via-missing-rawtext-elements-in-safe-for-xml"

advisories/github-reviewed/2026/03/GHSA-xgxp-f695-6vrp/GHSA-xgxp-f695-6vrp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xgxp-f695-6vrp",
-  "modified": "2026-03-19T19:27:58Z",
+  "modified": "2026-03-27T21:58:26Z",
   "published": "2026-03-19T19:27:58Z",
   "aliases": [
     "CVE-2026-33353"
@@ -40,9 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-xgxp-f695-6vrp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33353"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/commit/c147421caf234bcfc1570c79d728ecbbe5813e55"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/charmbracelet/soft-serve"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.6"
     }
   ],
   "database_specific": {
@@ -53,6 +65,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-19T19:27:58Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-24T20:16:29Z"
   }
 }