Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 28e8656f8dfc · 2026-04-15T19:44:32.000Z
GHSA-9vq7-9h42-j88h GHSA-g24f-mgc3-jwwc GHSA-jj6c-8h6c-hppx GHSA-mvvv-v22x-xqwp GHSA-xp4f-g2cm-rhg7
diff --git a/advisories/github-reviewed/2026/04/GHSA-9vq7-9h42-j88h/GHSA-9vq7-9h42-j88h.json b/advisories/github-reviewed/2026/04/GHSA-9vq7-9h42-j88h/GHSA-9vq7-9h42-j88h.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9vq7-9h42-j88h",
-  "modified": "2026-04-14T12:31:29Z",
+  "modified": "2026-04-15T19:42:53Z",
   "published": "2026-04-14T12:31:28Z",
   "aliases": [
     "CVE-2025-13822"
   ],
+  "summary": "MCPHub has an authentication bypass",
   "details": "MCPHub in versions below 0.11.0 is vulnerable to authentication bypass. Some endpoints are not protected by authentication middleware, allowing an unauthenticated attacker to perform actions in the name of other users and using their privileges.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@samanhappy/mcphub"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.11.0"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,7 +45,7 @@
       "url": "https://cert.pl/en/posts/2026/04/CVE-2025-13822"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/samanhappy/mcphub"
     }
   ],
@@ -33,8 +54,8 @@
       "CWE-639"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:42:53Z",
     "nvd_published_at": "2026-04-14T11:16:24Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-g24f-mgc3-jwwc/GHSA-g24f-mgc3-jwwc.json b/advisories/github-reviewed/2026/04/GHSA-g24f-mgc3-jwwc/GHSA-g24f-mgc3-jwwc.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g24f-mgc3-jwwc",
+  "modified": "2026-04-15T19:42:23Z",
+  "published": "2026-04-15T19:42:23Z",
+  "aliases": [],
+  "summary": "OpenRemote has XXE in Velbus Asset Import",
+  "details": "### Summary\nThe Velbus asset import path parses attacker-controlled XML without explicit XXE hardening. An authenticated user who can call the import endpoint may trigger XML external entity processing, which can lead to server-side file disclosure and SSRF. The target file must be less than 1023 characters.\n\n### Details\nVelbus import uses `DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(...)` on untrusted XML input, without explicit safeguards to disable DTD/external entities.\n\n```154:165:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java\n    @Override\n    public Future<Void> startAssetImport(byte[] fileData, Consumer<AssetTreeNode[]> assetConsumer) {\n\n        return executorService.submit(() -> {\n            Document xmlDoc;\n            try {\n                String xmlStr = new String(fileData, StandardCharsets.UTF_8);\n                LOG.info(\"Parsing VELBUS project file\");\n\n                xmlDoc = DocumentBuilderFactory\n                    .newInstance()\n                    .newDocumentBuilder()\n                    .parse(new InputSource(new StringReader(xmlStr)));\n```\n\nExpanded `Caption` content is propagated into created asset names:\n\n```193:198:agent/src/main/java/org/openremote/agent/protocol/velbus/AbstractVelbusProtocol.java\n                String name = module.getElementsByTagName(\"Caption\").item(0).getTextContent();\n                name = isNullOrEmpty(name) ? deviceType.toString() : name;\n\n                // TODO: Use device specific asset types\n                Asset<?> device = new ThingAsset(name);\n```\n\n### PoC\n1. Log in to a realm with a user that can call Velbus asset import.\n2. Create/select a Velbus TCP Agent in that same realm.\n3. Send `POST /api/{realm}/agent/assetImport/{agentId}` with a Velbus project XML payload and compare behavior against a baseline import file.\n3. Save the below code as a `xxe.xml` and upload to `Setup` under `https://localhost/manager/?realm=<YOUR_REALM>#/assets/false/<ASSET_ID>`. Chnage the `file:///etc/passwd` to another file if your `passwd` is longer than 1023 characters.\n```xml\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<!DOCTYPE velbus [\n  <!ENTITY xxe SYSTEM \"file:///etc/passwd\">\n]>\n<Project>\n  <Module type=\"VMB1RY\" address=\"01\" build=\"00\" serial=\"LAB\">\n    <Caption>&xxe;</Caption>\n  </Module>\n</Project>\n```\n\nAs long as the file content is under 1023 characters, the exploit will succeed.\n<img width=\"1200\" height=\"662\" alt=\"image\" src=\"https://github.com/user-attachments/assets/213f063d-98b6-4717-b98c-f4255952026b\" />\n\nIf the file content reaches the limit, an error is thrown.\n<img width=\"1200\" height=\"630\" alt=\"image\" src=\"https://github.com/user-attachments/assets/ee177a6b-2cb2-48ae-94df-c994ecb41429\" />\n\n\n### Impact\n- **Type:** XML External Entity (XXE)\n- **Affected:** Deployments exposing Velbus import to authenticated users with import access\n- **Risk:** limited local file disclosure (as long as the file is under 1023 characters) from the Manager runtime, and SSRF.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:L"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "io.openremote:openremote-manager"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.22.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.21.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openremote/openremote/security/advisories/GHSA-g24f-mgc3-jwwc"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openremote/openremote"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-611"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:42:23Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-jj6c-8h6c-hppx/GHSA-jj6c-8h6c-hppx.json b/advisories/github-reviewed/2026/04/GHSA-jj6c-8h6c-hppx/GHSA-jj6c-8h6c-hppx.json
@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jj6c-8h6c-hppx",
+  "modified": "2026-04-15T19:43:09Z",
+  "published": "2026-04-15T19:43:09Z",
+  "aliases": [],
+  "summary": "pypdf has long runtimes for wrong size values in cross-reference and object streams",
+  "details": "### Impact\n\nAn attacker who uses this vulnerability can craft a PDF which leads to long runtimes. This requires cross-reference streams with wrong large `/Size` values or object streams with wrong large `/N` values.\n\n### Patches\n\nThis has been fixed in [pypdf==6.10.1](https://github.com/py-pdf/pypdf/releases/tag/6.10.1).\n\n### Workarounds\n\nIf you cannot upgrade yet, consider applying the changes from PR [#3733](https://github.com/py-pdf/pypdf/pull/3733).",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "pypdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.10.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-jj6c-8h6c-hppx"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/pull/3733"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/py-pdf/pypdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/releases/tag/6.10.1"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-834"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:43:09Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-mvvv-v22x-xqwp/GHSA-mvvv-v22x-xqwp.json b/advisories/github-reviewed/2026/04/GHSA-mvvv-v22x-xqwp/GHSA-mvvv-v22x-xqwp.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mvvv-v22x-xqwp",
+  "modified": "2026-04-15T19:43:50Z",
+  "published": "2026-04-15T19:43:50Z",
+  "aliases": [
+    "CVE-2026-40346"
+  ],
+  "summary": "NocoBase has SSRF in Workflow HTTP Request and Custom Request Plugins",
+  "details": "## Summary\n\nNocoBase's workflow HTTP request plugin and custom request action plugin make server-side HTTP requests to user-provided URLs without any SSRF protection. An authenticated user can access internal network services, cloud metadata endpoints, and localhost.\n\n## Vulnerable Code\n\n### 1. Workflow HTTP Request Plugin\n\n**`packages/plugins/@nocobase/plugin-workflow-request/src/server/RequestInstruction.ts` lines 117-128:**\n```typescript\nreturn axios.request({\n  url: trim(url),  // User-controlled, no validation\n  method,\n  headers,\n  params,\n  timeout,\n  ...(method.toLowerCase() !== 'get' && data != null\n    ? { data: transformer ? await transformer(data) : data }\n    : {}),\n});\n```\n\nThe `url` at line 98 comes directly from user workflow configuration with only whitespace trimming.\n\n### 2. Custom Request Action Plugin\n\n**`packages/plugins/@nocobase/plugin-action-custom-request/src/server/actions/send.ts` lines 172-198:**\n```typescript\nconst axiosRequestConfig = {\n  baseURL: ctx.origin,\n  ...options,\n  url: getParsedValue(url, variables),  // User-controlled via template\n  headers: { ... },\n  params: getParsedValue(arrayToObject(params), variables),\n  data: getParsedValue(toJSON(data), variables),\n};\nconst res = await axios(axiosRequestConfig);  // No IP validation\n```\n\n## Missing Protections\n\n- No `request-filtering-agent` or SSRF library (confirmed via grep across entire codebase)\n- No private IP range filtering\n- No cloud metadata endpoint blocking\n- No URL scheme validation\n- No DNS rebinding protection\n\n## Attack Scenario\n\n1. Authenticated user creates a workflow with HTTP Request node\n2. Sets URL to `http://169.254.169.254/latest/meta-data/iam/security-credentials/`\n3. Triggers the workflow\n4. Server fetches AWS metadata and returns IAM credentials in workflow execution logs\n\nAlternatively via Custom Request action:\n1. Create custom request with URL `http://127.0.0.1:5432` or `http://10.0.0.1:8080/admin`\n2. Execute the action\n3. Server makes request to internal service\n\n## Impact\n\n- **Cloud metadata theft**: AWS/GCP/Azure credentials via metadata endpoints\n- **Internal network access**: Scan and interact with services on private IP ranges\n- **Database access**: Connect to localhost databases (PostgreSQL, Redis, etc.)\n- **Authentication required**: Yes (authenticated user), but any workspace member can create workflows",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@nocobase/plugin-workflow-request"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.0.37"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/nocobase/nocobase/security/advisories/GHSA-mvvv-v22x-xqwp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/nocobase/nocobase"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:43:50Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-xp4f-g2cm-rhg7/GHSA-xp4f-g2cm-rhg7.json b/advisories/github-reviewed/2026/04/GHSA-xp4f-g2cm-rhg7/GHSA-xp4f-g2cm-rhg7.json
@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xp4f-g2cm-rhg7",
+  "modified": "2026-04-15T19:43:33Z",
+  "published": "2026-04-15T19:43:33Z",
+  "aliases": [],
+  "summary": "PocketMine-MP has LogDoS by many junk properties in client data JWT in LoginPacket",
+  "details": "### Impact\n\nAttackers can fill the body of the clientData JWT in LoginPacket with lots of junk properties, causing the server to flood warning messages, as well as wasting CPU time.\n\nThis happens because the JsonMapper instance used to process the JWT body is configured to warn on unexpected properties instead of rejecting them outright. While this behaviour increases flexibility for random changes introduced by Microsoft, it also creates vulnerabilities if not handled carefully.\n\nThis vulnerability affects PocketMine-MP servers exposed to a public network where unknown actors may have access.\n\n### Patches\n\nThis issue was fixed in c1d4a813fb8c21bfd8b9affd040da864b794df71 by restricting the number of unknown properties to 10, and rejecting the packet if this limit is exceeded. This continues to tolerate random additions to the JWT between versions, while preventing the logger from being abused by clients to slow down the server.\n\n### Workarounds\nPlugins can handle `DataPacketReceiveEvent` to capture `LoginPacket`, and pre-process the clientData JWT to ensure it doesn't have any unusual properties in it. This can be achieved using `JsonMapper` (see the original affected code below) and setting the `bExceptionOnUndefinedProperty` flag to `true`. A `JsonMapper_Exception` will be thrown if the JWT is problematic.\n\nHowever, it's important to caveat that this approach may cause login failures if any unexpected properties appear out of the blue in future versions (which has happened in the past).\n\n### References\nAffected code:\n\nhttps://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303\nhttps://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "pocketmine/pocketmine-mp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.42.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/security/advisories/GHSA-xp4f-g2cm-rhg7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/commit/c1d4a813fb8c21bfd8b9affd040da864b794df71"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/pmmp/PocketMine-MP"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L289-L303"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/pmmp/PocketMine-MP/blob/5.41.1/src/network/mcpe/handler/LoginPacketHandler.php#L334-L350"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-779"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-15T19:43:33Z",
+    "nvd_published_at": null
+  }
+}
