github
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-228v-wc5r-j8m7/GHSA-228v-wc5r-j8m7.json‎
Lines changed: 62 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-228v-wc5r-j8m7/GHSA-228v-wc5r-j8m7.json‎
Lines changed: 62 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-5339-hvwr-7582/GHSA-5339-hvwr-7582.json‎
Lines changed: 64 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-5339-hvwr-7582/GHSA-5339-hvwr-7582.json‎
Lines changed: 64 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-8jrh-7jg8-fvmv/GHSA-8jrh-7jg8-fvmv.json‎
Lines changed: 150 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-8jrh-7jg8-fvmv/GHSA-8jrh-7jg8-fvmv.json‎
Lines changed: 150 additions & 0 deletions
diff --git a/‎advisories/github-reviewed/2026/03/GHSA-g5xx-pwrp-g3fv/GHSA-g5xx-pwrp-g3fv.json‎
Lines changed: 63 additions & 0 deletions b/‎advisories/github-reviewed/2026/03/GHSA-g5xx-pwrp-g3fv/GHSA-g5xx-pwrp-g3fv.json‎
Lines changed: 63 additions & 0 deletions
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-228v-wc5r-j8m7",
+  "modified": "2026-03-12T14:20:17Z",
+  "published": "2026-03-12T14:20:16Z",
+  "aliases": [
+    "CVE-2026-32102"
+  ],
+  "summary": "OliveTin Vulnerable to Unauthorized Action Output Disclosure via EventStream",
+  "details": "### Summary\n\n  OliveTin’s live EventStream broadcasts execution events and action output to authenticated dashboard subscribers without enforcing per-action authorization. A low-privileged authenticated user can receive output from actions they are\n  not allowed to view, resulting in broken access control and sensitive information disclosure. I validated this on OliveTin 3000.10.2.\n\n\n\n\n### Details\nThe issue is in the live event streaming path.\n\n  EventStream() only checks whether the caller may access the dashboard, then registers the user as a stream subscriber:\n\n  - service/internal/api/api.go:776\n\n  After subscription, execution events are broadcast to all connected clients without checking whether each recipient is authorized to view logs for the action:\n\n  - service/internal/api/api.go:846 OnExecutionStarted\n  - service/internal/api/api.go:869 OnExecutionFinished\n  - service/internal/api/api.go:1047 OnOutputChunk\n\n  The event payload includes action output through:\n\n  - service/internal/api/api.go:295 internalLogEntryToPb\n  - service/internal/api/api.go:302 Output\n\n  By contrast, the normal log APIs do apply per-action authorization checks:\n\n  - service/internal/api/api.go:518 GetLogs\n  - service/internal/api/api.go:585 GetActionLogs\n  - service/internal/api/api.go:544 isLogEntryAllowed\n\n  Root cause:\n\n  - the subscription path enforces only coarse dashboard access\n  - execution callbacks broadcast to every connected client\n  - no per-recipient ACL check is applied before sending action metadata or output\n\n  I validated the issue using:\n\n  - an admin user with full ACLs\n  - an alice user with no ACLs\n  - a protected action that outputs TOPSECRET=alpha-bravo-charlie\n\n  Despite having no relevant ACLs, alice still receives the ExecutionFinished event for the privileged action, including the protected output.\n\n\n\n### PoC\nTested version:\n```\n  - 3000.10.2\n```\n  1. Fetch and check out 3000.10.2 in a clean worktree:\n```bash\n  git -C OliveTin fetch origin tag 3000.10.2\n  git -C OliveTin worktree add /home/kali/CVE/OliveTin-3000.10.2 3000.10.2\n```\n  2. Copy the PoC test into the clean tree:\n```bash\n  cp OliveTin/service/internal/api/event_stream_leak_test.go \\\n    OliveTin-3000.10.2/service/internal/api/\n```\n  3. Run the targeted PoC test:\n```bash\n  cd OliveTin-3000.10.2/service\n  go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v\n```\n  4. Optional: save validation output:\n```bash\n  go test ./internal/api -run TestEventStreamLeaksUnauthorizedExecutionOutput -count=1 -timeout 30s -v \\\n    2>&1 | tee /tmp/olivetin_eventstream_3000.10.2.log\n```\n  Observed validation output:\n```bash\n  === RUN   TestEventStreamLeaksUnauthorizedExecutionOutput\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action requested\" actionTitle=secret-action tags=\"[]\"\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action parse args - Before\" actionTitle=secret-action cmd=\"echo 'TOPSECRET=alpha-bravo-charlie'\"\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action parse args - After\" actionTitle=secret-action cmd=\"echo 'TOPSECRET=alpha-bravo-charlie'\"\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action started\" actionTitle=secret-action timeout=1\n  time=\"2026-03-01T04:44:59-05:00\" level=info msg=\"Action finished\" actionTitle=secret-action exit=0 outputLength=30 timedOut=false\n  --- PASS: TestEventStreamLeaksUnauthorizedExecutionOutput (0.00s)\n  PASS\n  ok      github.com/OliveTin/OliveTin/internal/api       0.025s\n```\n  What this proves:\n\n  - admin can execute the protected action\n  - alice has no ACLs\n  - alice still receives the streamed completion event for the protected action\n  - protected action output is exposed through the event stream\n\n\n### Impact\n  This is an authenticated broken access control / information disclosure vulnerability.\n\n  A low-privileged authenticated user can subscribe to EventStream and receive:\n\n  - action execution metadata\n  - execution tracking IDs\n  - initiating username\n  - live output chunks\n  - final command output\n\n  Who is impacted:\n\n  - multi-user OliveTin deployments\n  - environments where privileged actions produce secrets, tokens, internal system details, or other sensitive operational output\n  - deployments where lower-privileged authenticated users can access the dashboard and subscribe to live events\n\n  This bypasses intended per-action log/view restrictions for protected actions.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/OliveTin/OliveTin"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3000.10.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-228v-wc5r-j8m7"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32102"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/OliveTin/OliveTin"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284",
+      "CWE-863"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-12T14:20:16Z",
+    "nvd_published_at": "2026-03-11T21:16:16Z"
+  }
+}
@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5339-hvwr-7582",
+  "modified": "2026-03-12T14:19:25Z",
+  "published": "2026-03-12T14:19:25Z",
+  "aliases": [
+    "CVE-2026-31873"
+  ],
+  "summary": "Unhead Vulnerable to Bypass of URI Scheme Sanitization in makeTagSafe via Case-Sensitivity",
+  "details": "The `link.href` check in `makeTagSafe` (safe.ts, line 68-71) uses `String.includes()`, which is case-sensitive:\n\n```typescript\nif (key === 'href') {\n  if (val.includes('javascript:') || val.includes('data:')) {\n    return\n  }\n  next[key] = val\n}\n```\n\nBrowsers treat URI schemes case-insensitively. `DATA:text/css,...` is the same as `data:text/css,...` to the browser, but `'DATA:...'.includes('data:')` returns `false`.\n\n### PoC\n\n```javascript\nuseHeadSafe({\n  link: [{\n    rel: 'stylesheet',\n    href: 'DATA:text/css,body{display:none}'\n  }]\n})\n```\n\nSSR output:\n\n```html\n<link rel=\"stylesheet\" href=\"DATA:text/css,body{display:none}\">\n```\n\nThe browser loads this as a CSS stylesheet. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks.\n\nAny case variation works: `DATA:`, `Data:`, `dAtA:`, `JAVASCRIPT:`, etc.\n\n## Suggested fix\n\n```typescript\nif (key === 'href') {\n  const lower = val.toLowerCase()\n  if (lower.includes('javascript:') || lower.includes('data:')) {\n    return\n  }\n  next[key] = val\n}\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "unhead"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.11"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.1.10"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/unhead/security/advisories/GHSA-5339-hvwr-7582"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/unjs/unhead"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/unhead/releases/tag/v2.1.11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-12T14:19:25Z",
+    "nvd_published_at": null
+  }
+}
@@ -0,0 +1,150 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8jrh-7jg8-fvmv",
+  "modified": "2026-03-12T14:19:41Z",
+  "published": "2026-03-10T18:31:22Z",
+  "aliases": [
+    "CVE-2026-2741"
+  ],
+  "summary": "Vaadin: Specially crafted ZIP archives can escape the intended extraction directory",
+  "details": "Specially crafted ZIP archives can escape the intended extraction directory during Node.js download and extraction in Vaadin 14.2.0 through 14.14.0, 23.0.0 through 23.6.6, 24.0.0 through 24.9.8, and 25.0.0 through 25.0.2. \n\nVaadin’s build process can automatically download and extract Node.js if it is not installed locally. If an attacker can intercept or control this download via DNS hijacking, a MITM attack, a compromised mirror, or a supply chain attack, they can serve a malicious archive containing path traversal sequences that write files outside the intended extraction directory.\n\n\nUsers of affected versions should use a globally preinstalled Node.js version compatible with their Vaadin version, or upgrade as follows: 14.2.0-14.14.0 to 14.14.1, 23.0.0-23.6.6 to 23.6.7, 24.0.0-24.9.8 to 24.9.9, and 25.0.0-25.0.2 to 25.0.3 or newer.\n\nPlease note that Vaadin versions 10-13 and 15-22 are no longer supported and you should update either to the latest 14, 23, 24, 25 version.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.vaadin:flow-project"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "14.2.0"
+            },
+            {
+              "fixed": "14.14.1"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 14.14.0"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.vaadin:flow-project"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "23.0.0"
+            },
+            {
+              "fixed": "23.6.7"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 23.6.6"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.vaadin:flow-project"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "24.0.0"
+            },
+            {
+              "fixed": "24.9.9"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 24.9.8"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "com.vaadin:flow-project"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "25.0.0"
+            },
+            {
+              "fixed": "25.0.3"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "< 25.0.2"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2741"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vaadin/flow/pull/23125"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vaadin/flow/pull/23130"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vaadin/flow/pull/23131"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vaadin/flow/pull/23133"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vaadin/flow/pull/23135"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/vaadin/flow"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vaadin.com/security/cve-2026-2741"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-12T14:19:41Z",
+    "nvd_published_at": "2026-03-10T18:18:48Z"
+  }
+}
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g5xx-pwrp-g3fv",
+  "modified": "2026-03-12T14:19:15Z",
+  "published": "2026-03-12T14:19:15Z",
+  "aliases": [
+    "CVE-2026-31860"
+  ],
+  "summary": "Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check",
+  "details": "## Summary\n\n`useHeadSafe()` can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered `<head>` tags. This is the composable that Nuxt docs recommend for safely handling user-generated content.\n\n## Details\n\n**XSS via `data-*` attribute name injection**\n\nThe `acceptDataAttrs` function (safe.ts, line 16-20) allows any property key starting with `data-` through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing.\n\n```typescript\nfunction acceptDataAttrs(value: Record<string, string>) {\n  return Object.fromEntries(\n    Object.entries(value || {}).filter(([key]) => key === 'id' || key.startsWith('data-')),\n  )\n}\n```\n\nThis result gets merged into every tag's props at line 114:\n\n```typescript\ntag.props = { ...acceptDataAttrs(prev), ...next }\n```\n\nThen `propsToString` (propsToString.ts, line 26) interpolates property keys directly into the HTML string with no sanitization:\n\n```typescript\nattrs += value === true ? ` ${key}` : ` ${key}=\"${encodeAttribute(value)}\"`\n```\n\nA space in the key breaks out of the attribute name. Everything after the space becomes separate HTML attributes.\n\n### PoC\n\nThe most practical vector uses a `link` tag. `<link rel=\"stylesheet\">` fires `onload` once the stylesheet loads, giving reliable script execution:\n\n```javascript\nuseHeadSafe({\n  link: [{\n    rel: 'stylesheet',\n    href: '/valid-stylesheet.css',\n    'data-x onload=alert(document.domain) y': 'z'\n  }]\n})\n```\n\nSSR output:\n\n```html\n<link data-x onload=alert(document.domain) y=\"z\" rel=\"stylesheet\" href=\"/valid-stylesheet.css\">\n```\n\nThe browser parses `onload=alert(document.domain)` as its own attribute. Once the stylesheet loads, the handler fires.\n\nThe same injection works on any tag type since `acceptDataAttrs` is applied to all of them at line 114. Here's the same thing on a `meta` tag (the injected attributes render, though `onclick` doesn't fire on non-interactive `<meta>` elements):\n\n```javascript\nuseHeadSafe({\n  meta: [{\n    name: 'description',\n    content: 'legitimate content',\n    'data-x onclick=alert(document.domain) y': 'z'\n  }]\n})\n```\n\n### Realistic scenario\n\nA Nuxt app accepts SEO metadata from a CMS or user profile. The developer uses `useHeadSafe()` as the docs recommend. An attacker puts a `data-*` key with spaces and an event handler into their input. The payload renders into the HTML on every page load.\n\n## Suggested fix\n\nFor vulnerability 1, validate that attribute names only contain characters legal in HTML attributes:\n\n```typescript\nconst SAFE_ATTR_RE = /^[a-zA-Z][a-zA-Z0-9\\-]*$/\n\nfunction acceptDataAttrs(value: Record<string, string>) {\n  return Object.fromEntries(\n    Object.entries(value || {}).filter(\n      ([key]) => (key === 'id' || key.startsWith('data-')) && SAFE_ATTR_RE.test(key)\n    ),\n  )\n}\n```",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "unhead"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.11"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.1.10"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/unhead/security/advisories/GHSA-g5xx-pwrp-g3fv"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/unhead/commit/9ecc4f9568b0e23938f36d4b23fcfa4a18a89045"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/unjs/unhead"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/unjs/unhead/releases/tag/v2.1.11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-12T14:19:15Z",
+    "nvd_published_at": null
+  }
+}