Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit eade348dfed5 · 2026-03-13T18:57:44.000Z
GHSA-45vh-rpc8-hxpp GHSA-4w32-2493-32g7 GHSA-j6jp-78w8-34x6 GHSA-m83q-5wr4-4gfp GHSA-qwc6-vc2v-2ggj GHSA-x8qh-7475-c5mp
diff --git a/advisories/github-reviewed/2026/03/GHSA-45vh-rpc8-hxpp/GHSA-45vh-rpc8-hxpp.json b/advisories/github-reviewed/2026/03/GHSA-45vh-rpc8-hxpp/GHSA-45vh-rpc8-hxpp.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-45vh-rpc8-hxpp",
+  "modified": "2026-03-13T18:56:51Z",
+  "published": "2026-03-13T18:56:51Z",
+  "aliases": [
+    "CVE-2026-30961"
+  ],
+  "summary": "Gokapi's File Request MaxSize Limit Bypassed via Multi-Chunk Upload",
+  "details": "### Summary\n\nThe chunked upload completion path for file requests does not validate the total file size against the per-request `MaxSize` limit. An attacker with a public file request link can split an oversized file into chunks each under `MaxSize` and upload them sequentially, bypassing the size restriction entirely. Files up to the server's global `MaxFileSizeMB` are accepted regardless of the file request's configured limit.\n\n### Impact\n\nAny guest with access to a shared file request link can upload files far larger than the administrator-configured size limit, up to the server's global `MaxFileSizeMB`. This allows unauthorized storage consumption, circumvention of administrative resource policies, and potential service disruption through storage exhaustion. No data exposure or privilege escalation occurs.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/forceu/gokapi"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.2.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-45vh-rpc8-hxpp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Forceu/Gokapi"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T18:56:51Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-4w32-2493-32g7/GHSA-4w32-2493-32g7.json b/advisories/github-reviewed/2026/03/GHSA-4w32-2493-32g7/GHSA-4w32-2493-32g7.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4w32-2493-32g7",
+  "modified": "2026-03-13T18:57:19Z",
+  "published": "2026-03-13T18:57:19Z",
+  "aliases": [
+    "CVE-2026-31814"
+  ],
+  "summary": "Yamux vulnerable to remote Panic via malformed WindowUpdate credit",
+  "details": "### Sumary\nThe Rust implementation of Yamux accepts `WindowUpdate` credit values from the remote peer and applies them to per-stream send-window state.  \nA specially crafted `WindowUpdate` can cause arithmetic overflow in send-window accounting, which triggers a panic in the connection state machine. This is remotely reachable over a normal network connection and does not require authentication.\n#### Attack Scenario  \nAn attacker that can establish a Yamux session with a target node can crash the target by sending two validly encoded Yamux frames:\n1. Open a stream (e.g. DATA + SYN) so the stream exists with initial send-window state (`DEFAULT_CREDIT`).\n2. Send a WindowUpdate on that stream with a very large credit value (e.g. 0xFFFF_0000) such that adding credit to the current send-window overflows u32.\n### Impact\nRemote unauthenticated denial of service.  \nAn attacker can repeatedly trigger panics by reconnecting and replaying the crafted frame sequence.\n### Patches\nUsers should upgrade to `yamux` `v0.13.9`\n\nThis vulnerability was originally submitted by @revofusion to the Ethereum Foundation bug bounty program",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "yamux"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0.13.0"
+            },
+            {
+              "fixed": "0.13.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/libp2p/rust-yamux/security/advisories/GHSA-4w32-2493-32g7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/libp2p/rust-yamux/pull/221"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/libp2p/rust-yamux/commit/b1aae09d60c0bd6a5915a5448f4e8cbc5174db53"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/libp2p/rust-yamux"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/libp2p/rust-yamux/releases/tag/yamux-v0.13.9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-190"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T18:57:19Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-j6jp-78w8-34x6/GHSA-j6jp-78w8-34x6.json b/advisories/github-reviewed/2026/03/GHSA-j6jp-78w8-34x6/GHSA-j6jp-78w8-34x6.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j6jp-78w8-34x6",
+  "modified": "2026-03-13T18:56:32Z",
+  "published": "2026-03-13T18:56:32Z",
+  "aliases": [
+    "CVE-2026-30943"
+  ],
+  "summary": "Gokapi vulnerable to Privilege Escalation in File Replace",
+  "details": "## Summary\n\nAn insufficient authorization check in the file replace API allows a user with only list visibility permission (`UserPermListOtherUploads`) to delete another user's file by abusing the `deleteNewFile` flag, bypassing the requirement for `UserPermDeleteOtherUploads`.\n\n### Impact\n\nAny authenticated user with `PERM_REPLACE` (replace own files) and `PERM_LIST` (view other users' uploads) can delete any other user's file without needing `PERM_DELETE`.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/forceu/gokapi"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.2.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-j6jp-78w8-34x6"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Forceu/Gokapi"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T18:56:32Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-m83q-5wr4-4gfp/GHSA-m83q-5wr4-4gfp.json b/advisories/github-reviewed/2026/03/GHSA-m83q-5wr4-4gfp/GHSA-m83q-5wr4-4gfp.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m83q-5wr4-4gfp",
+  "modified": "2026-03-13T18:56:14Z",
+  "published": "2026-03-13T18:56:14Z",
+  "aliases": [
+    "CVE-2026-30915"
+  ],
+  "summary": "SFTPGo improperly sanitizes placeholders in group home directories/key prefixes",
+  "details": "### Impact\n\nSFTPGo versions before v2.7.1 contain an input validation issue in the handling of dynamic group paths, for example, home directories or key prefixes.\n\nWhen a group is configured with a dynamic home directory or key prefix using placeholders like `%username%`, the value replacing the placeholder is not strictly sanitized against relative path components. Consequently, if a user is created with a specially crafted username the resulting path may resolve to a parent directory instead of the intended sub-directory.\n\n### Patches\n\nThis issue is fixed in version v2.7.1",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/drakkan/sftpgo/v2"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.3.0"
+            },
+            {
+              "fixed": "2.7.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.7.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/drakkan/sftpgo/security/advisories/GHSA-m83q-5wr4-4gfp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/drakkan/sftpgo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T18:56:14Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-qwc6-vc2v-2ggj/GHSA-qwc6-vc2v-2ggj.json b/advisories/github-reviewed/2026/03/GHSA-qwc6-vc2v-2ggj/GHSA-qwc6-vc2v-2ggj.json
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-qwc6-vc2v-2ggj",
+  "modified": "2026-03-13T18:56:46Z",
+  "published": "2026-03-13T18:56:46Z",
+  "aliases": [
+    "CVE-2026-30955"
+  ],
+  "summary": "Gokapi vulnerable to DoS in E2E Metadata Parser",
+  "details": "### Summary\n\nAn API endpoint accepts unbounded request bodies without any size limit. An authenticated user can cause an OOM kill and complete service disruption for all users.\n\n\n### Impact\n\nAny authenticated user can crash the Gokapi server by sending concurrent large payloads.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/forceu/gokapi"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.2.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-qwc6-vc2v-2ggj"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Forceu/Gokapi"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Forceu/Gokapi/releases/tag/v2.2.4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-400"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-13T18:56:46Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-x8qh-7475-c5mp/GHSA-x8qh-7475-c5mp.json b/advisories/github-reviewed/2026/03/GHSA-x8qh-7475-c5mp/GHSA-x8qh-7475-c5mp.json
