Publish Advisories

GHSA-f2fc-vc88-6w7q
GHSA-fpvf-fvp5-996r
GHSA-fvcw-9w9r-pxc7
GHSA-mhg6-2q2v-9h2c

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-f2fc-vc88-6w7q/GHSA-f2fc-vc88-6w7q.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-f2fc-vc88-6w7q",
+  "modified": "2026-03-11T00:25:43Z",
+  "published": "2026-03-11T00:25:43Z",
+  "aliases": [
+    "CVE-2026-31862"
+  ],
+  "summary": "@siteboon/claude-code-ui is Vulnerable to Command Injection via Multiple Parameters",
+  "details": "### Summary\nMultiple Git-related API endpoints use execAsync() with string interpolation of user-controlled parameters (file, branch, message, commit), allowing authenticated attackers to execute arbitrary OS commands.\n\n### Details\nThe claudecodeui application provides Git integration through various API endpoints. These endpoints accept user-controlled parameters such as file paths, branch names, commit messages, and commit hashes, which are directly interpolated into shell command strings passed to execAsync().\n\nThe application attempts to escape double quotes in some parameters, but this protection is trivially bypassable using other shell metacharacters such as:\n\nCommand substitution: $(command) or \\`command\\`\nCommand chaining: ;, &&, ||\nNewlines and other control characters\n\n### Affected Endpoints\n`GET /api/git/diff - file parameter`\n`GET /api/git/status - file parameter`\n`POST /api/git/commit - files array and message parameter`\n`POST /api/git/checkout - branch parameter`\n`POST /api/git/create-branch - branch parameter`\n`GET /api/git/commits - commit hash parameter`\n`GET /api/git/commit-diff - commit parameter`\n\n### Vulnerable Code\n\nFile: server/routes/git.js\n```\n// Line 205 - git status with file parameter\nconst { stdout: statusOutput } = await execAsync(\n  `git status --porcelain \"${file}\"`,  // INJECTION via file\n  { cwd: projectPath }\n);\n```\n```\n// Lines 375-379 - git commit with files array and message\nfor (const file of files) {\n  await execAsync(`git add \"${file}\"`, { cwd: projectPath });  // INJECTION via files[]\n}\nconst { stdout } = await execAsync(\n  `git commit -m \"${message.replace(/\"/g, '\\\\\"')}\"`,  // INJECTION via message (bypass with $())\n  { cwd: projectPath }\n);\n```\n```\n// Lines 541-543 - git show with commit parameter (no quotes!)\nconst { stdout } = await execAsync(\n  `git show ${commit}`,  // INJECTION via commit\n  { cwd: projectPath }\n);\n```\n\n### Impact\n- Remote Code Execution as the Node.js process user\n- Full server compromise\n- Data exfiltration\n- Supply chain attacks - modify committed code to inject malware\n\n---\n\n### Fix\n\n**Commit:** siteboon/claudecodeui@55567f4\n\n#### Root cause remediation\n\nAll vulnerable `execAsync()` calls have been replaced with the existing `spawnAsync()` helper (which uses `child_process.spawn` with `shell: false`). Arguments are passed as an array directly to the OS — shell metacharacters in user input are inert.\n\n**Endpoints patched in `server/routes/git.js`:**\n\n- `GET /api/git/diff` — `file` (4 calls)\n- `GET /api/git/file-with-diff` — `file` (3 calls)\n- `POST /api/git/commit` — `files[]`, `message`\n- `POST /api/git/checkout` — `branch`\n- `POST /api/git/create-branch` — `branch`\n- `GET /api/git/commits` — `commit.hash`\n- `GET /api/git/commit-diff` — `commit`\n- `POST /api/git/generate-commit-message` — `file`\n- `POST /api/git/discard` — `file` (3 calls)\n- `POST /api/git/delete-untracked` — `file`\n- `POST /api/git/publish` — `branch`\n\nA strict allowlist regex (`/^[0-9a-f]{4,64}$/i`) was also added to validate the `commit` parameter in `/api/git/commit-diff` before it reaches the git process.\n\n#### Before / After\n\n```js\n// BEFORE — shell interprets the string, injection possible\nconst { stdout } = await execAsync(`git show ${commit}`, { cwd: projectPath });\n\n// AFTER — no shell, args passed directly to the process\nconst { stdout } = await spawnAsync('git', ['show', commit], { cwd: projectPath });\n```",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@siteboon/claudecodeui"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.24.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.23.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/siteboon/claudecodeui/security/advisories/GHSA-f2fc-vc88-6w7q"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/siteboon/claudecodeui"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siteboon/claudecodeui/releases/tag/v1.24.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:25:43Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-fpvf-fvp5-996r/GHSA-fpvf-fvp5-996r.json

@@ -0,0 +1,76 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fpvf-fvp5-996r",
+  "modified": "2026-03-11T00:24:53Z",
+  "published": "2026-03-11T00:24:53Z",
+  "aliases": [
+    "CVE-2026-31832"
+  ],
+  "summary": "Umbraco Backoffice API Allows Unauthorized Modification of Domain Data",
+  "details": "### Description\nA broken object-level authorization vulnerability exists in a backoffice API endpoint that allows authenticated users to assign domain-related data to content nodes without proper authorization checks.\n\nThe issue is caused by insufficient authorization enforcement on the affected API endpoint, whereby via an API call, domains can be set on content nodes that the editor does not have permission to access (either via user group privileges or start nodes).\n\n### Impact\nAn attacker can modify domain configurations for content nodes they are not permitted to edit. This may result in malicious or unintended routing behaviour, service disruption, and potential disclosure of configuration-related information.\n\n### Patches\nThe issue is patched in 16.5.1 and 17.2.2.\n\n### Workarounds\nThere is no workaround other than upgrading.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "Umbraco.Cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "14.0.0"
+            },
+            {
+              "fixed": "16.5.1"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "Umbraco.Cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "17.0.0"
+            },
+            {
+              "fixed": "17.2.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/umbraco/Umbraco-CMS/security/advisories/GHSA-fpvf-fvp5-996r"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/umbraco/Umbraco-CMS"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:24:53Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-fvcw-9w9r-pxc7/GHSA-fvcw-9w9r-pxc7.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fvcw-9w9r-pxc7",
+  "modified": "2026-03-11T00:24:05Z",
+  "published": "2026-03-11T00:24:05Z",
+  "aliases": [
+    "CVE-2026-31829"
+  ],
+  "summary": "Flowise affected by Server-Side Request Forgery (SSRF) in HTTP Node Leading to Internal Network Access",
+  "details": "**Description:**\nFlowise exposes an HTTP Node in AgentFlow and Chatflow that performs server-side HTTP requests using user-controlled URLs. By default, there are no restrictions on target hosts, including private/internal IP ranges (RFC 1918), localhost, or cloud metadata endpoints.\nThis enables Server-Side Request Forgery (SSRF), allowing any user interacting with a publicly exposed chatflow to force the Flowise server to make requests to internal network resources that are inaccessible from the public internet.\n\n**Impact includes:**\n- Access to internal admin panels (e.g., internal company dashboards, Jenkins, Kubernetes API, etc.).\n- Retrieval of cloud provider metadata (e.g., AWS IMDSv1 at [http://169.254.169.254], GCP, Azure).\n- Port scanning and enumeration of internal services.\n- Potential lateral movement or privilege escalation in compromised environments.\n\nThis vulnerability is particularly severe because:\n- Flowise instances are often deployed publicly without authentication (FLOWISE_USERNAME/PASSWORD not set by default).\n- The HTTP Node is easily accessible in simple flows with minimal configuration.\n\n**Proof of Concept (PoC):**\nA minimal flow consisting of three nodes demonstrates successful internal network access:\nFlow Structure:\n<img width=\"1131\" height=\"323\" alt=\"image\" src=\"https://github.com/user-attachments/assets/f6ddc74f-3ae9-4376-995a-693fb272627a\" />\nHTTP Node Configuration:\nThe HTTP Node is configured to perform a GET request to an internal address on localhost:\nURL: http://127.0.0.1:8000 (or any internal service)\n<img width=\"568\" height=\"759\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a5735e1f-f735-4d01-9d72-a772963254c8\" />\n\nSuccessful Response from Internal Service:\nWhen the flow is triggered via chat input, the Flowise server successfully retrieves and returns content from the internal mock server running on port 8000 within the same container/network:\n<img width=\"377\" height=\"627\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ff3fcfc6-4957-4aae-9c9d-13b4fca1d0ef\" />\n\n\n**Impact**\nThis is a Server-Side Request Forgery (SSRF) vulnerability with both read and write capabilities.\nThe HTTP Request node supports all standard HTTP methods (GET, POST, PUT, PATCH, DELETE), allowing attackers to not only retrieve sensitive information but also modify, create, or delete data on internal services if those services expose mutable endpoints:\n- Read access: Retrieval of sensitive internal data, cloud provider metadata (e.g., AWS IAM credentials at http://169.254.169.254/latest/meta-data/iam/security-credentials/), secrets, configuration files, or database contents.\n- Write access: Modification or deletion of internal resources via POST/PUT/PATCH/DELETE methods (e.g., creating malicious users/configurations, overwriting files, deleting data, triggering destructive actions on internal admin panels, CI/CD systems like Jenkins, Kubernetes APIs, or cloud management interfaces).\nAmplification: Retrieved cloud credentials can be used for further privilege escalation or lateral movement outside the n8n instance.\n\n\nSuggested Long-term Fix (for Flowise):\n- Add optional security controls to HTTP Node:\n- Toggle: \"Block private IP ranges and localhost\" (enabled by default).\n- Field: \"Allowed domains\" (whitelist).\n- Display prominent warning when URL field uses template variables (e.g., {{ }}).\n- Update documentation with explicit SSRF risks and best practices.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "flowise"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.0.13"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.12"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/FlowiseAI/Flowise/security/advisories/GHSA-fvcw-9w9r-pxc7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/FlowiseAI/Flowise"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:24:05Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-mhg6-2q2v-9h2c/GHSA-mhg6-2q2v-9h2c.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mhg6-2q2v-9h2c",
+  "modified": "2026-03-11T00:24:42Z",
+  "published": "2026-03-11T00:24:42Z",
+  "aliases": [
+    "CVE-2026-31830"
+  ],
+  "summary": "sigstore-ruby verifier returns success for DSSE bundles with mismatched in-toto subject digest",
+  "details": "### Summary\n\n`Sigstore::Verifier#verify` does not propagate the `VerificationFailure` returned by `verify_in_toto` when the artifact digest does not match the digest in the in-toto attestation subject. As a result, verification of DSSE bundles containing in-toto statements returns `VerificationSuccess` regardless of whether the artifact matches the attested subject.\n\n### Details\n\nIn `lib/sigstore/verifier.rb`, the verify method calls `verify_in_toto` (line 176) without capturing or checking its return value:\n\n`verify_in_toto(input, in_toto)`\n\nWhen `verify_in_toto` detects a digest mismatch, it returns a `VerificationFailure` object. Because the caller discards this return value, execution unconditionally falls through to return `VerificationSuccess`. This is the only verification sub-check in the method (out of 12) whose failure is not propagated.\n\nThe message_signature code path is not affected.\n\n### Impact\n\nAn attacker who possesses a valid signed DSSE bundle containing an in-toto attestation for artifact A can present it as a valid attestation for a different artifact B. All other verification checks (DSSE envelope signature, certificate chain, Rekor inclusion, SCTs, policy) pass because they are independent of the artifact content. Only the in-toto subject digest check detects the mismatch, and its result is discarded.\n\nThis allows an attacker to bypass artifact-to-attestation binding for any consumer that relies on `Sigstore::Verifier#verify` to validate DSSE/in-toto bundles.\n\n### Workarounds\n\nNone. Consumers cannot work around this without patching the library.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "sigstore"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.2.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/sigstore/sigstore-ruby/security/advisories/GHSA-mhg6-2q2v-9h2c"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sigstore/sigstore-ruby"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-252"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-11T00:24:42Z",
+    "nvd_published_at": null
+  }
+}