Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 106c975d613e · 2026-04-06T23:46:44.000Z
GHSA-5qhv-x9j4-c3vm GHSA-6r34-94wq-jhrc GHSA-7gvf-3w72-p2pg GHSA-g8mv-vp7j-qp64 GHSA-jg56-wf8x-qrv5 GHSA-p9ff-h696-f583
diff --git a/advisories/github-reviewed/2026/04/GHSA-5qhv-x9j4-c3vm/GHSA-5qhv-x9j4-c3vm.json b/advisories/github-reviewed/2026/04/GHSA-5qhv-x9j4-c3vm/GHSA-5qhv-x9j4-c3vm.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5qhv-x9j4-c3vm",
-  "modified": "2026-04-04T05:37:10Z",
+  "modified": "2026-04-06T23:43:53Z",
   "published": "2026-04-04T05:37:10Z",
   "aliases": [
     "CVE-2026-35394"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/mobile-next/mobile-mcp/security/advisories/GHSA-5qhv-x9j4-c3vm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35394"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/mobile-next/mobile-mcp/pull/299"
@@ -60,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-04T05:37:10Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T21:16:21Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-6r34-94wq-jhrc/GHSA-6r34-94wq-jhrc.json b/advisories/github-reviewed/2026/04/GHSA-6r34-94wq-jhrc/GHSA-6r34-94wq-jhrc.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6r34-94wq-jhrc",
-  "modified": "2026-04-06T17:53:59Z",
+  "modified": "2026-04-06T23:43:57Z",
   "published": "2026-04-06T17:53:59Z",
   "aliases": [
     "CVE-2026-35201"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/davidfstr/rdiscount/security/advisories/GHSA-6r34-94wq-jhrc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35201"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/davidfstr/rdiscount/commit/b1a16445e92e0d12c07594dedcdc56f80b317761"
@@ -60,6 +64,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-06T17:53:59Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T20:16:27Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-7gvf-3w72-p2pg/GHSA-7gvf-3w72-p2pg.json b/advisories/github-reviewed/2026/04/GHSA-7gvf-3w72-p2pg/GHSA-7gvf-3w72-p2pg.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7gvf-3w72-p2pg",
-  "modified": "2026-04-04T06:41:08Z",
+  "modified": "2026-04-06T23:44:01Z",
   "published": "2026-04-04T06:41:08Z",
   "aliases": [
     "CVE-2026-35459"
@@ -44,6 +44,14 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33992"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35459"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pyload/pyload/commit/33c55da084320430edfd941b60e3da0eb1be9443"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/pyload/pyload"
@@ -56,6 +64,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-04T06:41:08Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T20:16:28Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-g8mv-vp7j-qp64/GHSA-g8mv-vp7j-qp64.json b/advisories/github-reviewed/2026/04/GHSA-g8mv-vp7j-qp64/GHSA-g8mv-vp7j-qp64.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g8mv-vp7j-qp64",
-  "modified": "2026-04-03T04:07:55Z",
+  "modified": "2026-04-06T23:43:45Z",
   "published": "2026-04-03T04:07:55Z",
   "aliases": [
     "CVE-2026-35392"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-g8mv-vp7j-qp64"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35392"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/patrickhener/goshs"
@@ -52,6 +56,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T04:07:55Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T21:16:21Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-jg56-wf8x-qrv5/GHSA-jg56-wf8x-qrv5.json b/advisories/github-reviewed/2026/04/GHSA-jg56-wf8x-qrv5/GHSA-jg56-wf8x-qrv5.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jg56-wf8x-qrv5",
-  "modified": "2026-04-03T04:08:20Z",
+  "modified": "2026-04-06T23:43:49Z",
   "published": "2026-04-03T04:08:20Z",
   "aliases": [
     "CVE-2026-35393"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/patrickhener/goshs/security/advisories/GHSA-jg56-wf8x-qrv5"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35393"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/patrickhener/goshs"
@@ -52,6 +56,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-04-03T04:08:20Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-04-06T21:16:21Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-p9ff-h696-f583/GHSA-p9ff-h696-f583.json b/advisories/github-reviewed/2026/04/GHSA-p9ff-h696-f583/GHSA-p9ff-h696-f583.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p9ff-h696-f583",
-  "modified": "2026-04-06T18:03:24Z",
+  "modified": "2026-04-06T23:44:10Z",
   "published": "2026-04-06T18:03:24Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-39363"
+  ],
   "summary": "Vite Vulnerable to Arbitrary File Read via Vite Dev Server WebSocket",
   "details": "### Summary\n\n[`server.fs`](https://vite.dev/config/server-options#server-fs-strict) check was not enforced to the `fetchModule` method that is exposed in Vite dev server's WebSocket. \n\n### Impact\n\nOnly apps that match the following conditions are affected:\n\n- explicitly exposes the Vite dev server to the network (using `--host` or [`server.host` config option](https://vitejs.dev/config/server-options.html#server-host))\n- WebSocket is not disabled by `server.ws: false`\n\nArbitrary files on the server (development machine, CI environment, container, etc.) can be exposed.\n\n### Details\n\nIf it is possible to connect to the Vite dev server’s WebSocket **without an `Origin` header**, an attacker can invoke `fetchModule` via the custom WebSocket event `vite:invoke` and combine `file://...` with `?raw` (or `?inline`) to retrieve the contents of arbitrary files on the server as a JavaScript string (e.g., `export default \"...\"`).\n\nThe access control enforced in the HTTP request path (such as `server.fs.allow`) is not applied to this WebSocket-based execution path.\n\n### PoC\n\n1. Start the dev server on the target \n   Example (used during validation with this repository):\n   ```bash\n   pnpm -C playground/alias exec vite --host 0.0.0.0 --port 5173\n   ```\n\n2. Confirm that access is blocked via the HTTP path (example: arbitrary file)\n   ```bash\n   curl -i 'http://localhost:5173/@fs/etc/passwd?raw'\n   ```\n   Result: `403 Restricted` (outside the allow list)\n   <img width=\"3898\" height=\"1014\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f6593377-549c-45d7-b562-5c19833438af\" />\n\n3. Confirm that the same file can be retrieved via the WebSocket path\n   By connecting to the HMR WebSocket without an `Origin` header and sending a `vite:invoke` request that calls `fetchModule` with a `file://...` URL and `?raw`, the file contents are returned as a JavaScript module.\n  <img width=\"1049\" height=\"296\" alt=\"image\" src=\"https://github.com/user-attachments/assets/af969f7b-d34e-4af4-8adb-5e2b83b31972\" />\n  <img width=\"1382\" height=\"955\" alt=\"image\" src=\"https://github.com/user-attachments/assets/6a230d2e-197a-4c9c-b373-d0129756d5d7\" />",
   "severity": [
