Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit d9b2d4ba7c18 · 2026-01-21T23:02:36.000Z
GHSA-36p8-mvp6-cv38 GHSA-pchf-49fh-w34r GHSA-xxjr-mmjv-4gpg
diff --git a/advisories/github-reviewed/2026/01/GHSA-36p8-mvp6-cv38/GHSA-36p8-mvp6-cv38.json b/advisories/github-reviewed/2026/01/GHSA-36p8-mvp6-cv38/GHSA-36p8-mvp6-cv38.json
@@ -0,0 +1,92 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-36p8-mvp6-cv38",
+  "modified": "2026-01-21T23:00:35Z",
+  "published": "2026-01-21T23:00:35Z",
+  "aliases": [
+    "CVE-2026-0933"
+  ],
+  "summary": "Wrangler affected by OS Command Injection in `wrangler pages deploy`",
+  "details": "**Summary**\n\nA command injection vulnerability (CWE-78) has been found to exist in the `wrangler pages deploy` command. The issue occurs because the `--commit-hash` parameter is passed directly to a shell command without proper validation or sanitization, allowing an attacker with control of `--commit-hash` to execute arbitrary commands on the system running Wrangler.\n\n**Root cause**\n\nThe `commitHash` variable, derived from user input via the `--commit-hash` CLI argument, is interpolated directly into a shell command using template literals (e.g., ``execSync(`git show -s --format=%B ${commitHash}`)``). Shell metacharacters are interpreted by the shell, enabling command execution.\n\n**Impact**\n\nThis vulnerability is generally hard to exploit, as it requires `--commit-hash` to be attacker controlled. The vulnerability primarily affects CI/CD environments where `wrangler pages deploy` is used in automated pipelines and the `--commit-hash` parameter is populated from external, potentially untrusted sources. An attacker could exploit this to:\n\n- Run any shell command.\n- Exfiltrate environment variables.\n- Compromise the CI runner to install backdoors or modify build artifacts.\n\n**Mitigation**\n\n- Wrangler v4 users are requested to upgrade to Wrangler v4.59.1 or higher. \n- Wrangler v3 users are requested to upgrade to Wrangler v3.114.17 or higher. \n- Users on Wrangler v2 (EOL) should upgrade to a supported major version.\n\n**Credits**\n\nDisclosed responsibly by kny4hacker.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:H/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "wrangler"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.15"
+            },
+            {
+              "fixed": "3.114.17"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "wrangler"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.59.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/workers-sdk/security/advisories/GHSA-36p8-mvp6-cv38"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0933"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/workers-sdk/commit/99b1f328a9afe181b49f1114ed47f15f6d25f0be"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/cloudflare/workers-sdk"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%403.114.17"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/workers-sdk/releases/tag/wrangler%404.59.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T23:00:35Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-pchf-49fh-w34r/GHSA-pchf-49fh-w34r.json b/advisories/github-reviewed/2026/01/GHSA-pchf-49fh-w34r/GHSA-pchf-49fh-w34r.json
@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-pchf-49fh-w34r",
+  "modified": "2026-01-21T23:02:07Z",
+  "published": "2026-01-21T23:02:07Z",
+  "aliases": [],
+  "summary": "Soft Serve Affected by an Authentication Bypass",
+  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\nThis issue impacts every Soft Serve instance.\n\nA critical authentication bypass allows an attacker to impersonate any user (including Admin) by \"offering\" the victim's public key during the SSH handshake before authenticating with their own valid key. This occurs because the user identity is stored in the session context during the \"offer\" phase and is not cleared if that specific authentication attempt fails.\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nYes, please upgrade to version 0.11.3 as soon as possible.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nYou need to upgrade",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/charmbracelet/soft-serve"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.11.3"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.11.2"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-pchf-49fh-w34r"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/commit/8539f9ad39918b67d612a35785a2b4326efc8741"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/charmbracelet/soft-serve"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/charmbracelet/soft-serve/releases/tag/v0.11.3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-289"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T23:02:07Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/01/GHSA-xxjr-mmjv-4gpg/GHSA-xxjr-mmjv-4gpg.json b/advisories/github-reviewed/2026/01/GHSA-xxjr-mmjv-4gpg/GHSA-xxjr-mmjv-4gpg.json
@@ -0,0 +1,135 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xxjr-mmjv-4gpg",
+  "modified": "2026-01-21T23:01:22Z",
+  "published": "2026-01-21T23:01:22Z",
+  "aliases": [
+    "CVE-2025-13465"
+  ],
+  "summary": "Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
+  "details": "### Impact\n\nLodash versions 4.0.0 through 4.17.22 are vulnerable to prototype pollution in the `_.unset` and `_.omit` functions. An attacker can pass crafted paths which cause Lodash to delete methods from global prototypes. \n\nThe issue permits deletion of properties but does not allow overwriting their original behavior.  \n\n### Patches\n\nThis issue is patched on 4.17.23.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:H/SI:H/SA:H/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "lodash"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.17.23"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.17.22"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "lodash.unset"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "last_affected": "4.5.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "lodash-es"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.17.23"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.17.22"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "lodash-amd"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.17.23"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.17.22"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/lodash/lodash/security/advisories/GHSA-xxjr-mmjv-4gpg"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13465"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/lodash/lodash/commit/edadd452146f7e4bad4ea684e955708931d84d81"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/lodash/lodash"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-01-21T23:01:22Z",
+    "nvd_published_at": "2026-01-21T20:16:05Z"
+  }
+}
