github
diff --git a/‎advisories/github-reviewed/2026/04/GHSA-245v-p8fj-vwm2/GHSA-245v-p8fj-vwm2.json‎
Lines changed: 61 additions & 0 deletions b/‎advisories/github-reviewed/2026/04/GHSA-245v-p8fj-vwm2/GHSA-245v-p8fj-vwm2.json‎
Lines changed: 61 additions & 0 deletions
diff --git a/‎advisories/unreviewed/2024/08/GHSA-xh96-vq46-m9ww/GHSA-xh96-vq46-m9ww.json‎
Lines changed: 15 additions & 4 deletions b/‎advisories/unreviewed/2024/08/GHSA-xh96-vq46-m9ww/GHSA-xh96-vq46-m9ww.json‎
Lines changed: 15 additions & 4 deletions
diff --git a/‎advisories/unreviewed/2025/12/GHSA-5r97-vg42-wrjj/GHSA-5r97-vg42-wrjj.json‎
Lines changed: 5 additions & 1 deletion b/‎advisories/unreviewed/2025/12/GHSA-5r97-vg42-wrjj/GHSA-5r97-vg42-wrjj.json‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2025/12/GHSA-p5jg-472w-q92f/GHSA-p5jg-472w-q92f.json‎
Lines changed: 40 additions & 8 deletions b/‎advisories/unreviewed/2025/12/GHSA-p5jg-472w-q92f/GHSA-p5jg-472w-q92f.json‎
Lines changed: 40 additions & 8 deletions
diff --git a/‎advisories/unreviewed/2026/01/GHSA-68r3-334c-qmr3/GHSA-68r3-334c-qmr3.json‎
Lines changed: 8 additions & 3 deletions b/‎advisories/unreviewed/2026/01/GHSA-68r3-334c-qmr3/GHSA-68r3-334c-qmr3.json‎
Lines changed: 8 additions & 3 deletions
diff --git a/‎advisories/unreviewed/2026/03/GHSA-cjvf-cwjj-wrgm/GHSA-cjvf-cwjj-wrgm.json‎
Lines changed: 5 additions & 1 deletion b/‎advisories/unreviewed/2026/03/GHSA-cjvf-cwjj-wrgm/GHSA-cjvf-cwjj-wrgm.json‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2026/03/GHSA-jh6p-v59c-g7f9/GHSA-jh6p-v59c-g7f9.json‎
Lines changed: 5 additions & 1 deletion b/‎advisories/unreviewed/2026/03/GHSA-jh6p-v59c-g7f9/GHSA-jh6p-v59c-g7f9.json‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2026/03/GHSA-m6wx-rxrp-cc9p/GHSA-m6wx-rxrp-cc9p.json‎
Lines changed: 5 additions & 1 deletion b/‎advisories/unreviewed/2026/03/GHSA-m6wx-rxrp-cc9p/GHSA-m6wx-rxrp-cc9p.json‎
Lines changed: 5 additions & 1 deletion
diff --git a/‎advisories/unreviewed/2026/04/GHSA-255w-8g7g-qmg6/GHSA-255w-8g7g-qmg6.json‎
Lines changed: 45 additions & 0 deletions b/‎advisories/unreviewed/2026/04/GHSA-255w-8g7g-qmg6/GHSA-255w-8g7g-qmg6.json‎
Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,61 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-245v-p8fj-vwm2",
+  "modified": "2026-04-03T18:29:54Z",
+  "published": "2026-04-03T18:29:54Z",
+  "aliases": [
+    "CVE-2025-68153"
+  ],
+  "summary": "Juju has a resource poisoning vulnerability",
+  "details": "### Summary\nAny authenticated user, machine or controller under a Juju controller can modify the resources of an application within the entire controller.\n\nThis one is very straightforward to just read in the code:\n\n**Step 1:**\nThe authorisation mechanism for the resource handler is defined [here](https://github.com/juju/juju/blob/1a8d84ec114c2e4f9921e30081e5a5549f7cbfc4/apiserver/internal/handlers/resources/resources.go#L77). One is only required to have been authed as either a user, machine or controller to pass this check. One requires no permissions on the controller nor does one need any further permissions on the models themselves.\n\nThis handler is available under the following path format `/:modeluuid/applications/:application/resources/:resources`. See [here](https://github.com/juju/juju/blob/1a8d84ec114c2e4f9921e30081e5a5549f7cbfc4/apiserver/apiserver.go#L949). The handler defines no authorizer as supported by the handler struct [here](https://github.com/juju/juju/blob/1a8d84ec114c2e4f9921e30081e5a5549f7cbfc4/apiserver/apiserver.go#L696).\n\nOne needs to know the following three bits of information to poison the resource cache on the controller:\n- model uuid\n- application name in the model\n- resource name in the model\n\nGiven that a lot of deployments use the charm name for applications and the resources for charms are published on charm hub, this is a very low bar to meet, only requiring the model uuid.\n\n**Step 2:**\nIf one passes the very basic authz check of step 1, one is now allowed free rein for 'PUT' and 'GET' methods to the handler. This security report will only focus on 'PUT' as it is the most interesting. The 'PUT' handler will gladly take whatever is uploaded to it as long as it has the same file extension defined by the resource.\n\nIf the resource already exists in the controller's cache, it will be uploaded with whatever is supplied by the upload, see [here](https://github.com/juju/juju/blob/1a8d84ec114c2e4f9921e30081e5a5549f7cbfc4/apiserver/internal/handlers/resources/resources.go#L219) and [here](https://github.com/juju/juju/blob/1a8d84ec114c2e4f9921e30081e5a5549f7cbfc4/domain/resource/service/resource.go#L388).\n\nThat is it. One can successfully poison the resource cache for any model in the controller.\n\n### PoC\nA proof of concept has not been done for this because it is so obvious from the code read that it is not deemed necessary.\n\nA realistic example of how this can be used: if there is a compromised workload in Juju that has machine credentials, then one can modify the OCI resources for any other model in the controller. For example, if the controller was running a k8s vault, one could change the docker image in use to a trojan horse version that allows obtaining root access to all the vault secrets.\n\nOnce this poison has been performed, the attacker can then leverage the vault secrets to go other places.\n\n### Impact\nAny charm deployment where a resource could be modified to inject security vulnerabilities into another workload. The most obvious is OCI containers as one gets execution escalation, but if a file resource had security controls in it, this could also be leveraged. For the file case, this would need to be examined on a case-by-case basis.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/juju/juju"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.0.0-20260120044552-26ff93c903d5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/juju/juju/security/advisories/GHSA-245v-p8fj-vwm2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/juju/juju/commit/26ff93c903d55b0712c6fb3f6b254710edb971d4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/juju/juju"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-03T18:29:54Z",
+    "nvd_published_at": null
+  }
+}
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xh96-vq46-m9ww",
-  "modified": "2024-08-23T15:30:34Z",
+  "modified": "2026-04-03T18:31:03Z",
   "published": "2024-08-23T15:30:34Z",
   "aliases": [
     "CVE-2024-42040"
   ],
   "details": "Buffer Overflow vulnerability in the net/bootp.c in DENEX U-Boot from its initial commit in 2002 (3861aa5) up to today on any platform allows an attacker on the local network to leak memory from four up to 32 bytes of memory stored behind the packet to the network depending on the later use of DHCP-provided parameters via crafted DHCP responses.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -21,11 +26,17 @@
     {
       "type": "WEB",
       "url": "https://www.schutzwerk.com/advisories/SCHUTZWERK-SA-2024-004.txt"
+    },
+    {
+      "type": "WEB",
+      "url": "http://seclists.org/fulldisclosure/2024/Aug/38"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2024-08-23T15:15:16Z"
 
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5r97-vg42-wrjj",
-  "modified": "2026-04-02T18:31:34Z",
+  "modified": "2026-04-03T18:31:03Z",
   "published": "2025-12-20T03:31:35Z",
   "aliases": [
     "CVE-2025-8065"
@@ -23,6 +23,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8065"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.tp-link.com/en/support/download/tapo-c200/v3/#Firmware-Release-Notes"
+    },
     {
       "type": "WEB",
       "url": "https://www.tp-link.com/en/support/download/tapo-c520ws/#Firmware-Release-Notes"
 
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p5jg-472w-q92f",
-  "modified": "2025-12-04T15:30:33Z",
+  "modified": "2026-04-03T18:31:03Z",
   "published": "2025-12-04T15:30:33Z",
   "aliases": [
     "CVE-2025-40219"
@@ -16,35 +16,67 @@
     },
     {
       "type": "WEB",
-      "url": "https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520"
+      "url": "https://git.kernel.org/stable/c/f3015627b6e9ddf85cfeaf42405b3c194dde2c36"
     },
     {
       "type": "WEB",
-      "url": "https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd"
+      "url": "https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c"
     },
     {
       "type": "WEB",
-      "url": "https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847"
+      "url": "https://git.kernel.org/stable/c/d7673ac466eca37ec3e6b7cc9ccdb06de3304e9b"
     },
     {
       "type": "WEB",
-      "url": "https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd"
+      "url": "https://git.kernel.org/stable/c/bea1d373098b22d7142da48750ce5526096425bc"
     },
     {
       "type": "WEB",
-      "url": "https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf"
+      "url": "https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/a5338e365c4559d7b4d7356116b0eb95b12e08d5"
     },
     {
       "type": "WEB",
       "url": "https://git.kernel.org/stable/c/a24219172456f035d886857e265ca24c85b167c8"
     },
     {
       "type": "WEB",
-      "url": "https://git.kernel.org/stable/c/a645ca21de09e3137cbb224fa6c23cca873a1d01"
+      "url": "https://git.kernel.org/stable/c/97c18f074ff1c12d016a0753072a3afdfa0b9611"
     },
     {
       "type": "WEB",
-      "url": "https://git.kernel.org/stable/c/ee40e5db052d7c6f406fdb95ad639c894c74674c"
+      "url": "https://git.kernel.org/stable/c/7c37920c96b85ef4255a7acc795e99e63dd38d59"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/5c1cd7d405e94dc6cb320cc0cc092b74895b6ddf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/53154cd40ccf285f1d1c24367824082061d155bd"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/3cddde484471c602bea04e6f384819d336a1ff84"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/36039348bca77828bf06eae41b8f76e38cd15847"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/1e8a80290f964bdbad225221c8a1594c7e01c8fd"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/1047ca2d816994f31e1475e63e0c0b7825599747"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/05703271c3cdcc0f2a8cf6ebdc45892b8ca83520"
     }
   ],
   "database_specific": {
 
@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-68r3-334c-qmr3",
-  "modified": "2026-01-19T15:30:36Z",
+  "modified": "2026-04-03T18:31:03Z",
   "published": "2026-01-13T18:31:05Z",
   "aliases": [
     "CVE-2025-71068"
   ],
   "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nsvcrdma: bound check rq_pages index in inline path\n\nsvc_rdma_copy_inline_range indexed rqstp->rq_pages[rc_curpage] without\nverifying rc_curpage stays within the allocated page array. Add guards\nbefore the first use and after advancing to a new page.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -37,7 +42,7 @@
   ],
   "database_specific": {
     "cwe_ids": [],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-13T16:16:06Z"
 
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cjvf-cwjj-wrgm",
-  "modified": "2026-03-25T12:30:23Z",
+  "modified": "2026-04-03T18:31:04Z",
   "published": "2026-03-25T12:30:23Z",
   "aliases": [
     "CVE-2026-23333"
@@ -14,6 +14,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23333"
     },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/648946966a08e4cb1a71619e3d1b12bd7642de7b"
+    },
     {
       "type": "WEB",
       "url": "https://git.kernel.org/stable/c/6db2be971e3d70c9e3f85d39eff7103c2ee2f579"
 
@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jh6p-v59c-g7f9",
-  "modified": "2026-03-31T03:31:26Z",
+  "modified": "2026-04-03T18:31:04Z",
   "published": "2026-03-31T03:31:26Z",
   "aliases": [
     "CVE-2026-5115"
   ],
   "details": "The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs directly on the touch screen of a multi-function device.\n\nIt was internally discovered that the communication channel between the embedded application and the server was insecure, which could leak data including sensitive information that may be used to mount an  attack on the device. Such an attack could potentially be used to steal data or to perform a phishing attack on the end user.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
 
@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m6wx-rxrp-cc9p",
-  "modified": "2026-03-31T03:31:26Z",
+  "modified": "2026-04-03T18:31:04Z",
   "published": "2026-03-31T03:31:26Z",
   "aliases": [
     "CVE-2026-4794"
   ],
   "details": "Multiple cross-site scripting (XSS) vulnerabilities in PaperCut NG/MF before 25.0.10 allow authenticated administrator users to inject arbitrary web script or HTML code via different UI fields. This could be used to compromise other admininistrator's sessions or perform unauthorized actions via the administrator's authenticated context (e.g. requires an active login session).",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
 
@@ -0,0 +1,45 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-255w-8g7g-qmg6",
+  "modified": "2026-04-03T18:31:21Z",
+  "published": "2026-04-03T18:31:21Z",
+  "aliases": [
+    "CVE-2026-23440"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nnet/mlx5e: Fix race condition during IPSec ESN update\n\nIn IPSec full offload mode, the device reports an ESN (Extended\nSequence Number) wrap event to the driver. The driver validates this\nevent by querying the IPSec ASO and checking that the esn_event_arm\nfield is 0x0, which indicates an event has occurred. After handling\nthe event, the driver must re-arm the context by setting esn_event_arm\nback to 0x1.\n\nA race condition exists in this handling path. After validating the\nevent, the driver calls mlx5_accel_esp_modify_xfrm() to update the\nkernel's xfrm state. This function temporarily releases and\nre-acquires the xfrm state lock.\n\nSo, need to acknowledge the event first by setting esn_event_arm to\n0x1. This prevents the driver from reprocessing the same ESN update if\nthe hardware sends events for other reason. Since the next ESN update\nonly occurs after nearly 2^31 packets are received, there's no risk of\nmissing an update, as it will happen long after this handling has\nfinished.\n\nProcessing the event twice causes the ESN high-order bits (esn_msb) to\nbe incremented incorrectly. The driver then programs the hardware with\nthis invalid ESN state, which leads to anti-replay failures and a\ncomplete halt of IPSec traffic.\n\nFix this by re-arming the ESN event immediately after it is validated,\nbefore calling mlx5_accel_esp_modify_xfrm(). This ensures that any\nspurious, duplicate events are correctly ignored, closing the race\nwindow.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23440"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/2051c709dce92da3550040aa7949cd5a9c89b14e"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/3dffc083292e6872787bd7e34b957627622f9af4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/8d625c15471fb8780125eaef682983a96af77bdc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/96c9c25b74686ac2de15921c9ad30c5ef13af8cd"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/beb6e2e5976a128b0cccf10d158124422210c5ef"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T16:16:26Z"
+  }
+}