Publish Advisories

GHSA-56px-hm34-xqj5
GHSA-8q2w-wr49-whqj
GHSA-fp5j-j7j4-mcxc
GHSA-fvwq-45qv-xvhv
GHSA-g7j6-fmwx-7vp8
GHSA-mmf8-487q-p45m
GHSA-q3vj-96h2-gwvg
GHSA-qpr4-jrj4-6f27

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-56px-hm34-xqj5/GHSA-56px-hm34-xqj5.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-56px-hm34-xqj5",
-  "modified": "2026-03-11T14:49:37Z",
+  "modified": "2026-03-11T20:43:29Z",
   "published": "2026-03-11T14:49:37Z",
   "aliases": [
     "CVE-2026-28229"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/argoproj/argo-workflows/security/advisories/GHSA-56px-hm34-xqj5"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28229"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/argoproj/argo-workflows/commit/34afaf9c0c36f1ba8645d483ea4752cfc4a391e8"
@@ -78,11 +82,12 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-200"
+      "CWE-200",
+      "CWE-863"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T14:49:37Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T16:16:40Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-8q2w-wr49-whqj/GHSA-8q2w-wr49-whqj.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8q2w-wr49-whqj",
-  "modified": "2026-03-11T14:49:44Z",
+  "modified": "2026-03-11T20:43:35Z",
   "published": "2026-03-11T14:49:44Z",
   "aliases": [
     "CVE-2026-29777"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/traefik/traefik/security/advisories/GHSA-8q2w-wr49-whqj"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29777"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/traefik/traefik"
@@ -59,6 +63,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T14:49:44Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T16:16:40Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-fp5j-j7j4-mcxc/GHSA-fp5j-j7j4-mcxc.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fp5j-j7j4-mcxc",
-  "modified": "2026-03-11T14:56:45Z",
+  "modified": "2026-03-11T20:44:40Z",
   "published": "2026-03-11T14:56:45Z",
   "aliases": [
     "CVE-2026-31857"
@@ -65,6 +65,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fp5j-j7j4-mcxc"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31857"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/commit/8d4903647dcfd31b8d40ed027e27082013347a80"
@@ -81,6 +85,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T14:56:45Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T18:16:24Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-fvwq-45qv-xvhv/GHSA-fvwq-45qv-xvhv.json

@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fvwq-45qv-xvhv",
-  "modified": "2026-03-11T00:26:13Z",
+  "modified": "2026-03-11T20:44:34Z",
   "published": "2026-03-11T00:26:13Z",
   "aliases": [
     "CVE-2026-31859"
   ],
   "summary": "CraftCMS vulnerable to reflective XSS via incomplete return URL sanitization",
   "details": "### Summary\n\nThe fix for CVE-2025-35939 in `craftcms/cms` introduced a `strip_tags()` call in `src/web/User.php` to sanitize return URLs before they are stored in the session. However, `strip_tags()` only removes HTML tags (angle brackets) -- it does not inspect or filter URL schemes. Payloads like `javascript:alert(document.cookie)` contain no HTML tags and pass through `strip_tags()` completely unmodified, enabling reflected XSS when the return URL is rendered in an `href` attribute.\n\n### Details\nThe patched code in is:\n\n```php\npublic function setReturnUrl($url): void\n{\n    parent::setReturnUrl(strip_tags($url));\n}\n```\n\n`strip_tags()` removes HTML tags (e.g., `<script>`, `<img>`) from a string, but it is **not** a URL sanitizer. When the sanitized return URL is subsequently rendered in an `href` attribute context (e.g., `<a href=\"{{ returnUrl }}\">`), the following dangerous payloads survive `strip_tags()` completely unmodified:\n\n1. **`javascript:` protocol URLs** -- `javascript:alert(document.cookie)` contains no HTML tags, so `strip_tags()` returns it verbatim. When placed in an `href`, clicking the link executes the JavaScript.\n\n2. **`data:` URIs** -- `data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==` uses Base64 encoding and contains no tags at all, bypassing `strip_tags()` entirely.\n\n3. **Protocol-relative URLs** -- `//evil.com/steal` contains no tags and is passed through unchanged. When rendered as an `href`, the browser resolves it relative to the current page’s protocol, redirecting the user to an attacker-controlled domain.\n\nThe core issue is that `strip_tags()` operates on HTML syntax (angle brackets) while the threat model here requires URL scheme validation. These are fundamentally different security concerns.\n\n### Impact\n\n**Reflected XSS via crafted return URL.** An attacker constructs a malicious link such as `https://target.example.com/craft/?returnUrl=javascript:alert(document.cookie)` and sends it to a victim. The attack flow is:\n\n1. Victim clicks the link, visiting the Craft CMS site.\n2. The application calls `setReturnUrl()` with the attacker-controlled value.\n3. `strip_tags()` processes the URL but finds no HTML tags -- it passes through unchanged.\n4. The URL is stored in the session and later rendered in an `href` attribute (e.g., a \"Return\" or \"Continue\" link).\n5. When the victim clicks that link, `javascript:alert(document.cookie)` executes in the context of the Craft CMS origin.\n\nThis enables:\n- **Session hijacking** via cookie theft (`document.cookie`)\n- **Data exfiltration** via `fetch()` to an attacker-controlled server\n- **Phishing** by redirecting to a lookalike domain (protocol-relative URL)\n- **CSRF** by performing actions on behalf of the authenticated user",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -60,6 +65,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-fvwq-45qv-xvhv"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31859"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/commit/cc9921c14897ee2b592a431c2356af8a04ce4cfe"
@@ -74,9 +83,9 @@
       "CWE-116",
       "CWE-79"
     ],
-    "severity": "LOW",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T00:26:13Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T18:16:24Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-g7j6-fmwx-7vp8/GHSA-g7j6-fmwx-7vp8.json

@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g7j6-fmwx-7vp8",
-  "modified": "2026-03-11T00:27:23Z",
+  "modified": "2026-03-11T20:45:01Z",
   "published": "2026-03-11T00:27:23Z",
   "aliases": [
     "CVE-2026-31858"
   ],
   "summary": "CraftCMS's `ElementSearchController` Affected by Blind SQL Injection",
   "details": "The `ElementSearchController::actionSearch()` endpoint is missing the `unset()` protection that\nwas added to ElementIndexesController in [GHSA-2453-mppf-46cj](https://github.com/craftcms/cms/security/advisories/GHSA-2453-mppf-46cj).\n\nThe exact same SQL injection vulnerability (including `criteria[orderBy]`, the original advisory vector) works on this controller because the fix was never applied to it.\n\nAny authenticated control panel user (no admin required) can inject arbitrary SQL via `criteria[where]`,\n`criteria[orderBy]`, or other query properties, and extract the full database contents via boolean-based blind injection.\n\nUsers should update to the patched 5.9.9 release to mitigate the issue.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -42,6 +47,10 @@
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/security/advisories/GHSA-g7j6-fmwx-7vp8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31858"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/craftcms/cms/commit/e1a3dd669ae31491b86ad996e88a1d30d33d9a42"
@@ -58,6 +67,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T00:27:23Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T18:16:24Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-mmf8-487q-p45m/GHSA-mmf8-487q-p45m.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mmf8-487q-p45m",
-  "modified": "2026-03-11T14:55:49Z",
+  "modified": "2026-03-11T20:43:41Z",
   "published": "2026-03-11T14:55:49Z",
   "aliases": [
     "CVE-2026-31839"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/striae-org/striae/security/advisories/GHSA-mmf8-487q-p45m"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31839"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/striae-org/striae"
@@ -52,11 +56,12 @@
   "database_specific": {
     "cwe_ids": [
       "CWE-327",
-      "CWE-353"
+      "CWE-353",
+      "CWE-354"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T14:55:49Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T17:16:58Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-q3vj-96h2-gwvg/GHSA-q3vj-96h2-gwvg.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q3vj-96h2-gwvg",
-  "modified": "2026-03-11T00:26:37Z",
+  "modified": "2026-03-11T20:44:45Z",
   "published": "2026-03-11T00:26:37Z",
   "aliases": [
     "CVE-2026-31856"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-q3vj-96h2-gwvg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31856"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/parse-community/parse-server"
@@ -79,6 +83,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T00:26:37Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T18:16:24Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-qpr4-jrj4-6f27/GHSA-qpr4-jrj4-6f27.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qpr4-jrj4-6f27",
-  "modified": "2026-03-10T18:25:27Z",
+  "modified": "2026-03-11T20:44:07Z",
   "published": "2026-03-10T18:25:27Z",
   "aliases": [
     "CVE-2026-31840"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-qpr4-jrj4-6f27"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31840"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/parse-community/parse-server"
@@ -79,6 +83,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-10T18:25:27Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T17:16:58Z"
   }
 }