Publish Advisories

GHSA-2689-5p89-6j3j
GHSA-hm2w-vr2p-hq7w
GHSA-r8rp-5f55-5j9x
GHSA-rm5f-3c25-p4cw

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-2689-5p89-6j3j/GHSA-2689-5p89-6j3j.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2689-5p89-6j3j",
+  "modified": "2026-04-16T01:30:48Z",
+  "published": "2026-04-16T01:30:48Z",
+  "aliases": [],
+  "summary": "UEFI Firmware Parser has a stack out-of-bounds write in tiano decompressor MakeTable",
+  "details": "`uefi-firmware` contains a stack out-of-bounds write vulnerability in the native tiano/EFI decompressor. in `uefi_firmware/compression/Tiano/Decompress.c`, `MakeTable()` does not validate that bit-length values read from the compressed bitstream are within the expected range (`0..16`). a crafted firmware blob can supply bit lengths greater than `16`, causing out-of-bounds writes to the stack-allocated `Count[17]` array and related decode tables.\n\nreachability is through the normal parsing path: `CompressedSection.process()` -> `efi_compressor.TianoDecompress()` -> `TianoDecompress()` -> `ReadPTLen()` -> `MakeTable()`.\n\nMinimum impact is a deterministic crash; depending on build/runtime details, the stack memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.\n\nReferences:\n\n- PR: <https://github.com/theopolis/uefi-firmware-parser/pull/145>\n- fix commit: <https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e>\n- upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "uefi-firmware"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.12"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/theopolis/uefi-firmware-parser/security/advisories/GHSA-2689-5p89-6j3j"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/theopolis/uefi-firmware-parser/pull/145"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/theopolis/uefi-firmware-parser"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:30:48Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-hm2w-vr2p-hq7w/GHSA-hm2w-vr2p-hq7w.json

@@ -0,0 +1,63 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hm2w-vr2p-hq7w",
+  "modified": "2026-04-16T01:31:09Z",
+  "published": "2026-04-16T01:31:09Z",
+  "aliases": [],
+  "summary": "UEFI Firmware Parser has a heap out-of-bounds write in tiano decompressor ReadCLen",
+  "details": "`uefi-firmware` contains a heap out-of-bounds write vulnerability in the native tiano/EFI decompressor. in `uefi_firmware/compression/Tiano/Decompress.c`, `ReadCLen()` reads `Number = GetBits(Sd, CBIT)` with `CBIT = 9`, so `Number` can be as large as `511`, while the destination array `Sd->mCLen` has `NC = 510` elements. the loop writes while `Index < Number` without enforcing `Index < NC`. additionally, the `CharC == 2` run-length path performs `GetBits(Sd, 9) + 20`, allowing up to `531` zero writes through `Sd->mCLen[Index++] = 0`.\n\nReachability is through the normal parsing path: `CompressedSection.process()` -> `efi_compressor.TianoDecompress()` -> `TianoDecompress()` -> `DecodeC()` -> `ReadCLen()`.\n\nMinimum impact is a deterministic crash; depending on build/runtime details, the heap memory corruption may be exploitable for code execution in the context of the parsing process. this project shipped its own copy of the decompressor without the upstream EDK2 hardening for this bug class.\n\n- PR: <https://github.com/theopolis/uefi-firmware-parser/pull/145>\n- fix commit: <https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e>\n- upstream related fixes: CVE-2017-5731, CVE-2017-5732, CVE-2017-5733, CVE-2017-5734, CVE-2017-5735",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "uefi-firmware"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "1.12"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/theopolis/uefi-firmware-parser/security/advisories/GHSA-hm2w-vr2p-hq7w"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/theopolis/uefi-firmware-parser/pull/145"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/theopolis/uefi-firmware-parser/commit/bf3dfaa8a05675bae6ea0cbfa082ddcebfcde23e"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/theopolis/uefi-firmware-parser"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-787"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:31:09Z",
+    "nvd_published_at": null
+  }
+}

…-r8rp-5f55-5j9x/GHSA-r8rp-5f55-5j9x.json …-r8rp-5f55-5j9x/GHSA-r8rp-5f55-5j9x.jsonadvisories/unreviewed/2026/04/GHSA-r8rp-5f55-5j9x/GHSA-r8rp-5f55-5j9x.json renamed to advisories/github-reviewed/2026/04/GHSA-r8rp-5f55-5j9x/GHSA-r8rp-5f55-5j9x.json advisories/unreviewed/2026/04/GHSA-r8rp-5f55-5j9x/GHSA-r8rp-5f55-5j9x.json renamed to advisories/github-reviewed/2026/04/GHSA-r8rp-5f55-5j9x/GHSA-r8rp-5f55-5j9x.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r8rp-5f55-5j9x",
-  "modified": "2026-04-14T18:30:35Z",
+  "modified": "2026-04-16T01:31:46Z",
   "published": "2026-04-14T18:30:35Z",
   "aliases": [
     "CVE-2026-38529"
   ],
+  "summary": "Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php",
   "details": "A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "krayin/laravel-crm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,7 +45,7 @@
       "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38529"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/krayin/laravel-crm"
     }
   ],
@@ -33,8 +54,8 @@
       "CWE-269"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:31:46Z",
     "nvd_published_at": "2026-04-14T16:16:43Z"
   }
 }

…-rm5f-3c25-p4cw/GHSA-rm5f-3c25-p4cw.json …-rm5f-3c25-p4cw/GHSA-rm5f-3c25-p4cw.jsonadvisories/unreviewed/2026/04/GHSA-rm5f-3c25-p4cw/GHSA-rm5f-3c25-p4cw.json renamed to advisories/github-reviewed/2026/04/GHSA-rm5f-3c25-p4cw/GHSA-rm5f-3c25-p4cw.json advisories/unreviewed/2026/04/GHSA-rm5f-3c25-p4cw/GHSA-rm5f-3c25-p4cw.json renamed to advisories/github-reviewed/2026/04/GHSA-rm5f-3c25-p4cw/GHSA-rm5f-3c25-p4cw.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rm5f-3c25-p4cw",
-  "modified": "2026-04-14T18:30:35Z",
+  "modified": "2026-04-16T01:31:36Z",
   "published": "2026-04-14T18:30:35Z",
   "aliases": [
     "CVE-2026-38530"
   ],
+  "summary": "Webkul Krayin CRM has Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php",
   "details": "A Broken Object-Level Authorization (BOLA) in the /Controllers/Lead/LeadController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily read, modify, and permanently delete any lead owned by other users via supplying a crafted GET request.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "krayin/laravel-crm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "2.2.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,7 +45,7 @@
       "url": "https://github.com/TREXNEGRO/Security-Advisories/tree/main/CVE-2026-38530"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/krayin/laravel-crm"
     }
   ],
@@ -33,8 +54,8 @@
       "CWE-639"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T01:31:36Z",
     "nvd_published_at": "2026-04-14T16:16:43Z"
   }
 }