Publish Advisories

GHSA-6r62-w2q3-48hf
GHSA-6x96-7vc8-cm3p
GHSA-796p-j2gh-9m2q
GHSA-99p7-6v5w-7xg8
GHSA-m733-5w8f-5ggw
GHSA-xpqm-wm3m-f34h

Author: advisory-database[bot]

advisories/github-reviewed/2026/01/GHSA-6r62-w2q3-48hf/GHSA-6r62-w2q3-48hf.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6r62-w2q3-48hf",
-  "modified": "2026-01-26T21:17:16Z",
+  "modified": "2026-01-29T03:23:35Z",
   "published": "2026-01-26T21:17:16Z",
   "aliases": [
     "CVE-2026-24123"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24123"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4"
@@ -60,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-26T21:17:16Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-26T23:16:08Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-6x96-7vc8-cm3p/GHSA-6x96-7vc8-cm3p.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6x96-7vc8-cm3p",
-  "modified": "2026-01-26T21:02:45Z",
+  "modified": "2026-01-29T03:23:02Z",
   "published": "2026-01-26T21:02:44Z",
   "aliases": [
     "CVE-2026-23889"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23889"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0"
@@ -60,6 +64,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-26T21:02:44Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-26T22:15:56Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-796p-j2gh-9m2q/GHSA-796p-j2gh-9m2q.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-796p-j2gh-9m2q",
-  "modified": "2026-01-26T18:55:13Z",
+  "modified": "2026-01-29T03:22:29Z",
   "published": "2026-01-26T18:55:13Z",
   "aliases": [
     "CVE-2026-22696"
@@ -119,6 +119,10 @@
       "type": "WEB",
       "url": "https://github.com/Phala-Network/dcap-qvl/security/advisories/GHSA-796p-j2gh-9m2q"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22696"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/Phala-Network/dcap-qvl"
@@ -132,6 +136,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-26T18:55:13Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-26T22:15:55Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-99p7-6v5w-7xg8/GHSA-99p7-6v5w-7xg8.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-99p7-6v5w-7xg8",
-  "modified": "2026-01-26T18:57:14Z",
+  "modified": "2026-01-29T03:22:51Z",
   "published": "2026-01-26T18:57:14Z",
   "aliases": [
     "CVE-2026-22709"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22709"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29"
@@ -65,6 +69,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-26T18:57:14Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-26T22:15:55Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-m733-5w8f-5ggw/GHSA-m733-5w8f-5ggw.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m733-5w8f-5ggw",
-  "modified": "2026-01-26T21:02:33Z",
+  "modified": "2026-01-29T03:23:22Z",
   "published": "2026-01-26T21:02:33Z",
   "aliases": [
     "CVE-2026-24056"
   ],
   "summary": "pnpm has symlink traversal in file:/git dependencies",
   "details": "### Summary\nWhen pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file's contents into `node_modules`, leaking local data.\n\n**Preconditions:** Only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected.\n\n### Details\nThe vulnerability exists in `store/cafs/src/addFilesFromDir.ts`. The code uses `fs.statSync()` and `readFileSync()` which follow symlinks by default:\n\n```typescript\nconst absolutePath = path.join(dirname, relativePath)\nconst stat = fs.statSync(absolutePath)  // Follows symlinks!\nconst buffer = fs.readFileSync(absolutePath)  // Reads symlink TARGET\n```\n\nThere is no check that `absolutePath` resolves to a location inside the package directory.\n\n### PoC\n```bash\n# Create malicious package\nmkdir -p /tmp/evil && cd /tmp/evil\nln -s /etc/passwd leaked-passwd.txt\necho '{\"name\":\"evil\",\"version\":\"1.0.0\",\"files\":[\"*.txt\"]}' > package.json\n\n# Victim installs\nmkdir /tmp/victim && cd /tmp/victim\npnpm init && pnpm add file:../evil\n\n# Leaked!\ncat node_modules/evil/leaked-passwd.txt\n```\n\n### Impact\n- Developers installing local/file dependencies\n- CI/CD pipelines installing git dependencies\n- Credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`\n\n### Suggested Fix\nUse `lstatSync` to detect symlinks and reject those pointing outside the package root in `store/cafs/src/addFilesFromDir.ts`.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"
@@ -40,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24056"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f"
@@ -61,6 +69,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-26T21:02:33Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-26T22:15:56Z"
   }
 }

advisories/github-reviewed/2026/01/GHSA-xpqm-wm3m-f34h/GHSA-xpqm-wm3m-f34h.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xpqm-wm3m-f34h",
-  "modified": "2026-01-26T21:02:39Z",
+  "modified": "2026-01-29T03:23:11Z",
   "published": "2026-01-26T21:02:39Z",
   "aliases": [
     "CVE-2026-23890"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23890"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d"
@@ -60,6 +64,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-26T21:02:39Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-01-26T22:15:56Z"
   }
 }