Publish Advisories

GHSA-5fvg-qwcp-r325
GHSA-6w86-wgwq-rgq8
GHSA-7gmj-h9xc-mcxc
GHSA-c87w-642h-m97h

Author: advisory-database[bot]

…-5fvg-qwcp-r325/GHSA-5fvg-qwcp-r325.json …-5fvg-qwcp-r325/GHSA-5fvg-qwcp-r325.jsonadvisories/unreviewed/2026/03/GHSA-5fvg-qwcp-r325/GHSA-5fvg-qwcp-r325.json renamed to advisories/github-reviewed/2026/03/GHSA-5fvg-qwcp-r325/GHSA-5fvg-qwcp-r325.json advisories/unreviewed/2026/03/GHSA-5fvg-qwcp-r325/GHSA-5fvg-qwcp-r325.json renamed to advisories/github-reviewed/2026/03/GHSA-5fvg-qwcp-r325/GHSA-5fvg-qwcp-r325.json

@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5fvg-qwcp-r325",
-  "modified": "2026-03-03T15:31:40Z",
+  "modified": "2026-03-04T20:17:28Z",
   "published": "2026-03-03T12:31:27Z",
   "aliases": [
     "CVE-2025-59060"
   ],
+  "summary": "Apache Ranger Vulnerable to Improper Validation of Certificate with Host Mismatch",
   "details": "Hostname verification bypass issue in Apache Ranger NiFiRegistryClient/NiFiClient is reported in Apache Ranger versions <= 2.7.0.\n\nUsers are recommended to upgrade to version 2.8.0, which fixes this issue.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.ranger:ranger-nifi-registry-plugin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.8.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59060"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/ranger"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/c4plx81z3xs86vgl3fd95y3q7hhtff05"
@@ -33,8 +58,8 @@
       "CWE-297"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T20:17:28Z",
     "nvd_published_at": "2026-03-03T11:16:14Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-6w86-wgwq-rgq8/GHSA-6w86-wgwq-rgq8.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6w86-wgwq-rgq8",
+  "modified": "2026-03-04T20:16:26Z",
+  "published": "2026-03-04T20:16:26Z",
+  "aliases": [],
+  "summary": "neqo-qpack has iInteger overflow in qpack dynamic table indexing",
+  "details": "### Summary\n\nAn unsanitized qpack index can lead to an integer overflow, panicing in debug mode, accessing the wrong or no dynamic table entry in release mode.\n\nWhat does this mean for Firefox? Firefox runs Neqo in release mode. A malicious remote can cause its own QUIC connection to fail to use qpack, i.e. compression, or enter an inconsistent state. The remote can not crash Firefox, nor affect other QUIC connections. \n\n### Details\n\nSee fuzz report in https://github.com/mozilla/neqo/issues/3406.\n\n### PoC\nSee test in pull request.\n\n### Impact\nAll Firefox users. Though vulnerability likely scoped to same connection, i.e. low impact.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "neqo-qpack"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.22.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mozilla/neqo/security/advisories/GHSA-6w86-wgwq-rgq8"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/mozilla/neqo/issues/3406"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mozilla/neqo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-190"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T20:16:26Z",
+    "nvd_published_at": null
+  }
+}

…-7gmj-h9xc-mcxc/GHSA-7gmj-h9xc-mcxc.json …-7gmj-h9xc-mcxc/GHSA-7gmj-h9xc-mcxc.jsonadvisories/unreviewed/2026/03/GHSA-7gmj-h9xc-mcxc/GHSA-7gmj-h9xc-mcxc.json renamed to advisories/github-reviewed/2026/03/GHSA-7gmj-h9xc-mcxc/GHSA-7gmj-h9xc-mcxc.json advisories/unreviewed/2026/03/GHSA-7gmj-h9xc-mcxc/GHSA-7gmj-h9xc-mcxc.json renamed to advisories/github-reviewed/2026/03/GHSA-7gmj-h9xc-mcxc/GHSA-7gmj-h9xc-mcxc.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7gmj-h9xc-mcxc",
-  "modified": "2026-03-03T06:31:14Z",
+  "modified": "2026-03-04T20:15:58Z",
   "published": "2026-03-03T06:31:14Z",
   "aliases": [
     "CVE-2026-3455"
   ],
+  "summary": "mailparser vulnerable to Cross-site Scripting",
   "details": "Versions of the package mailparser before 3.9.3 are vulnerable to Cross-site Scripting (XSS) via the textToHtml() function due to the improper sanitisation of URLs in the email content. An attacker can execute arbitrary scripts in victim browsers by adding extra quote  \" to the URL with embedded malicious JavaScript code.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:L/SI:L/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "mailparser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.9.3"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -35,6 +56,10 @@
       "type": "WEB",
       "url": "https://gist.github.com/hayageek/7fcb225e3b1ea9a341d560403fbb585a"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nodemailer/mailparser"
+    },
     {
       "type": "WEB",
       "url": "https://security.snyk.io/vuln/SNYK-JS-MAILPARSER-15204032"
@@ -44,9 +69,9 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T20:15:58Z",
     "nvd_published_at": "2026-03-03T05:17:25Z"
   }
 }

…-c87w-642h-m97h/GHSA-c87w-642h-m97h.json …-c87w-642h-m97h/GHSA-c87w-642h-m97h.jsonadvisories/unreviewed/2026/03/GHSA-c87w-642h-m97h/GHSA-c87w-642h-m97h.json renamed to advisories/github-reviewed/2026/03/GHSA-c87w-642h-m97h/GHSA-c87w-642h-m97h.json advisories/unreviewed/2026/03/GHSA-c87w-642h-m97h/GHSA-c87w-642h-m97h.json renamed to advisories/github-reviewed/2026/03/GHSA-c87w-642h-m97h/GHSA-c87w-642h-m97h.json

@@ -1,24 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c87w-642h-m97h",
-  "modified": "2026-03-03T15:31:40Z",
+  "modified": "2026-03-04T20:17:02Z",
   "published": "2026-03-03T12:31:27Z",
   "aliases": [
     "CVE-2025-59059"
   ],
-  "details": "Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0.\nUsers are recommended to upgrade to version 2.8.0, which fixes this issue.",
+  "summary": "Apache Ranger has a Code Injection vulnerability",
+  "details": "Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions <= 2.7.0.\n\nUsers are recommended to upgrade to version 2.8.0, which fixes this issue.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.apache.ranger:ranger-plugins-common"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.8.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59059"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/ranger"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/z47q86rho80390lf2qcmoc2josvs0gtv"
@@ -33,8 +58,8 @@
       "CWE-94"
     ],
     "severity": "CRITICAL",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T20:17:02Z",
     "nvd_published_at": "2026-03-03T11:16:14Z"
   }
 }