Publish Advisories

GHSA-7rgv-gqhr-fxg3
GHSA-hcff-qv74-7hr4
GHSA-q658-hfpg-35qc
GHSA-v66j-6wwf-jc57

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-7rgv-gqhr-fxg3/GHSA-7rgv-gqhr-fxg3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7rgv-gqhr-fxg3",
-  "modified": "2026-03-05T18:20:08Z",
+  "modified": "2026-03-05T20:42:15Z",
   "published": "2026-03-05T18:20:08Z",
   "aliases": [
     "CVE-2026-25048"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/mlc-ai/xgrammar/security/advisories/GHSA-7rgv-gqhr-fxg3"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25048"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/mlc-ai/xgrammar"
@@ -59,6 +63,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-05T18:20:08Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T16:16:15Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-hcff-qv74-7hr4/GHSA-hcff-qv74-7hr4.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hcff-qv74-7hr4",
+  "modified": "2026-03-05T20:43:28Z",
+  "published": "2026-03-05T20:43:28Z",
+  "aliases": [
+    "CVE-2026-29084"
+  ],
+  "summary": "Gokapi has CSRF in Login Endpoint",
+  "details": "### Summary\nThe login flow accepts credential-bearing requests without CSRF protection mechanisms tied to the browser session context. The handler parses form values directly and creates a session on successful credential validation.\n\n*Issue found by [aisafe.io](aisafe.io)*\n\n### Impact\nAn attacker can force a victim browser into a session associated with an existing user account where the attacker knows the credentials, causing user confusion, activity misattribution, and potential misuse of trusted user actions.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/forceu/gokapi"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-hcff-qv74-7hr4"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Forceu/Gokapi"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T20:43:28Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-q658-hfpg-35qc/GHSA-q658-hfpg-35qc.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q658-hfpg-35qc",
+  "modified": "2026-03-05T20:42:32Z",
+  "published": "2026-03-05T20:42:32Z",
+  "aliases": [
+    "CVE-2026-29061"
+  ],
+  "summary": "Gokapi has privilege escalation via incomplete API-key permission revocation on user rank demotion",
+  "details": "### Summary\nA privilege escalation vulnerability in the user rank demotion logic allows a demoted user's existing API keys to retain ApiPermManageFileRequests and ApiPermManageLogs permissions, enabling continued access to upload-request management  and log viewing endpoints after the user has been stripped of all privileges.\n\n### Impact\nAny user who previously held Admin rank and had API keys with ApiPermManageFileRequests or ApiPermManageLogs retains those capabilities after demotion. This allows offboarded or demoted users to:\n  - Create, list, and delete upload requests\n  - Read application logs and system status",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/forceu/gokapi"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.2.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/Forceu/Gokapi/security/advisories/GHSA-q658-hfpg-35qc"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Forceu/Gokapi"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-05T20:42:32Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/03/GHSA-v66j-6wwf-jc57/GHSA-v66j-6wwf-jc57.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v66j-6wwf-jc57",
-  "modified": "2026-03-05T18:18:01Z",
+  "modified": "2026-03-05T20:42:10Z",
   "published": "2026-03-05T18:18:01Z",
   "aliases": [
     "CVE-2025-64166"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/mercurius-js/mercurius/security/advisories/GHSA-v66j-6wwf-jc57"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64166"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/mercurius-js/mercurius/pull/1187"
@@ -63,6 +67,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-05T18:18:01Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T16:16:11Z"
   }
 }