Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 7c97662cdeb6 · 2026-03-11T21:38:39.000Z
GHSA-7q3q-5px6-4c5p GHSA-7vvp-j573-5584 GHSA-9jfh-9xrq-4vwm GHSA-c4p7-rwrg-pf6p GHSA-g32c-4pvp-769g GHSA-gqc5-xv7m-gcjq GHSA-v53h-f6m7-xcgm GHSA-w54v-hf9p-8856 GHSA-xj69-m9qq-8m94
diff --git a/advisories/github-reviewed/2026/03/GHSA-7q3q-5px6-4c5p/GHSA-7q3q-5px6-4c5p.json b/advisories/github-reviewed/2026/03/GHSA-7q3q-5px6-4c5p/GHSA-7q3q-5px6-4c5p.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7q3q-5px6-4c5p",
-  "modified": "2026-03-11T00:37:44Z",
+  "modified": "2026-03-11T21:37:49Z",
   "published": "2026-03-11T00:37:44Z",
   "aliases": [
     "CVE-2026-31959"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/anchore/quill/security/advisories/GHSA-7q3q-5px6-4c5p"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31959"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/anchore/quill/commit/e41d66a517c2dc20ad8e9fbccffbdc6ba5ef0020"
@@ -65,6 +69,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T00:37:44Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T20:16:16Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-7vvp-j573-5584/GHSA-7vvp-j573-5584.json b/advisories/github-reviewed/2026/03/GHSA-7vvp-j573-5584/GHSA-7vvp-j573-5584.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7vvp-j573-5584",
-  "modified": "2026-03-11T19:23:43Z",
+  "modified": "2026-03-11T21:37:27Z",
   "published": "2026-03-11T19:23:43Z",
   "aliases": [
     "CVE-2026-31887"
@@ -97,6 +97,10 @@
       "type": "WEB",
       "url": "https://github.com/shopware/shopware/security/advisories/GHSA-7vvp-j573-5584"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31887"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/shopware/shopware"
@@ -109,6 +113,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T19:23:43Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T19:16:04Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-9jfh-9xrq-4vwm/GHSA-9jfh-9xrq-4vwm.json b/advisories/github-reviewed/2026/03/GHSA-9jfh-9xrq-4vwm/GHSA-9jfh-9xrq-4vwm.json
@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9jfh-9xrq-4vwm",
-  "modified": "2026-03-11T19:53:53Z",
+  "modified": "2026-03-11T21:38:09Z",
   "published": "2026-03-11T19:53:53Z",
   "aliases": [
     "CVE-2026-32094"
   ],
   "summary": "Shescape escape() leaves bracket glob expansion active on Bash, BusyBox, and Dash",
   "details": "### Summary\n\n`Shescape#escape()` does not escape square-bracket glob syntax for Bash, BusyBox `sh`, and Dash. Applications that interpolate the return value directly into a shell command string can cause an attacker-controlled value like `secret[12]` to expand into multiple filesystem matches instead of a single literal argument, turning one argument into multiple trusted-pathname matches.\n\n### Details\n\nThe unquoted Unix escape helpers never add `[` or `]` to their “special characters” regexes:\n\n- `src/internal/unix/bash.js:14-30`\n- `src/internal/unix/busybox.js:14-30`\n- `src/internal/unix/dash.js:12-19`\n\nThey escape `*`/`?` but not brackets, so `new Shescape({ shell: \"/usr/bin/bash\" }).escape(\"secret[12]\")` still produces `secret[12]`. The fixtures (`test/fixtures/unix.js:2236-2265`, `3496-3525`, `5762-5792`) are currently written to expect literal brackets for these shells, confirming the behavior. The documentation recommends `Shescape#escape()` as the fallback for `exec` when quoting isn’t possible (`docs/recipes.md:154-183`).\n\n### Proof of Concept\n\nUse the published npm tarball without modifications:\n\n```shell\ntmp=$(mktemp -d)\ncd \"$tmp\"\nnpm pack shescape@2.1.9 >/dev/null\nmkdir pkg\ntar -xzf shescape-2.1.9.tgz -C pkg\ncd pkg/package\nnpm install --omit=dev\n\nnode --input-type=module - <<'NODE'\nimport { mkdtempSync, writeFileSync } from \"node:fs\";\nimport { tmpdir } from \"node:os\";\nimport path from \"node:path\";\nimport { execSync } from \"node:child_process\";\nimport { Shescape } from \"./src/index.js\";\n\nconst dir = mkdtempSync(path.join(tmpdir(), \"shescape-ghsa-poc-\"));\nwriteFileSync(path.join(dir, \"secret1\"), \"\");\nwriteFileSync(path.join(dir, \"secret2\"), \"\");\n\nfor (const shell of [\"/usr/bin/bash\", \"/usr/bin/dash\"]) {\n  const shescape = new Shescape({ shell });\n  const escaped = shescape.escape(\"secret[12]\");\n  console.log(${shell} escaped=${escaped});\n  const out = execSync(printf '<%s>\\\\n' ${escaped}, { cwd: dir, shell }).toString();\n  process.stdout.write(out);\n}\nNODE\n```\n\nOutput:\n\n```text\n/usr/bin/bash escaped=secret[12]\n<secret1>\n<secret2>\n/usr/bin/dash escaped=secret[12]\n<secret1>\n<secret2>\n```\n\nExpected: the shell receives `secret\\[12\\]`, so only one literal argument runs.\n\n### Impact\n\nArgument injection: a single untrusted argument expands into multiple pathname matches from the trusted filesystem. This can change command behavior, target unintended files, or leak filenames. Any application calling `Shescape#escape()` with Bash/BusyBox/Dash shells and interpolating the result into a shell command string is affected.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -35,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/ericcornelissen/shescape/security/advisories/GHSA-9jfh-9xrq-4vwm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32094"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ericcornelissen/shescape/pull/2410"
@@ -59,6 +68,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T19:53:53Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T20:16:17Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-c4p7-rwrg-pf6p/GHSA-c4p7-rwrg-pf6p.json b/advisories/github-reviewed/2026/03/GHSA-c4p7-rwrg-pf6p/GHSA-c4p7-rwrg-pf6p.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c4p7-rwrg-pf6p",
-  "modified": "2026-03-11T19:24:06Z",
+  "modified": "2026-03-11T21:37:37Z",
   "published": "2026-03-11T19:24:06Z",
   "aliases": [
     "CVE-2026-31889"
@@ -97,6 +97,10 @@
       "type": "WEB",
       "url": "https://github.com/shopware/shopware/security/advisories/GHSA-c4p7-rwrg-pf6p"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31889"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/shopware/shopware"
@@ -109,6 +113,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T19:24:06Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T20:16:15Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-g32c-4pvp-769g/GHSA-g32c-4pvp-769g.json b/advisories/github-reviewed/2026/03/GHSA-g32c-4pvp-769g/GHSA-g32c-4pvp-769g.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g32c-4pvp-769g",
-  "modified": "2026-03-11T00:38:08Z",
+  "modified": "2026-03-11T21:37:59Z",
   "published": "2026-03-11T00:38:08Z",
   "aliases": [
     "CVE-2026-31960"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/anchore/quill/security/advisories/GHSA-g32c-4pvp-769g"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31960"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/anchore/quill/commit/9cdb0823ea1d2c45dcc11557f8c5cd7291c75d29"
@@ -64,6 +68,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T00:38:08Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T20:16:16Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-gqc5-xv7m-gcjq/GHSA-gqc5-xv7m-gcjq.json b/advisories/github-reviewed/2026/03/GHSA-gqc5-xv7m-gcjq/GHSA-gqc5-xv7m-gcjq.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gqc5-xv7m-gcjq",
-  "modified": "2026-03-11T19:23:49Z",
+  "modified": "2026-03-11T21:37:32Z",
   "published": "2026-03-11T19:23:49Z",
   "aliases": [
     "CVE-2026-31888"
@@ -97,6 +97,10 @@
       "type": "WEB",
       "url": "https://github.com/shopware/shopware/security/advisories/GHSA-gqc5-xv7m-gcjq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31888"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/shopware/shopware"
@@ -109,6 +113,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T19:23:49Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T19:16:05Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-v53h-f6m7-xcgm/GHSA-v53h-f6m7-xcgm.json b/advisories/github-reviewed/2026/03/GHSA-v53h-f6m7-xcgm/GHSA-v53h-f6m7-xcgm.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-v53h-f6m7-xcgm",
-  "modified": "2026-03-10T18:40:35Z",
+  "modified": "2026-03-11T21:37:22Z",
   "published": "2026-03-07T02:32:27Z",
   "aliases": [
     "CVE-2026-31900"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/psf/black/security/advisories/GHSA-v53h-f6m7-xcgm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31900"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/psf/black/commit/0a2560b981364dde4c8cf8ce9d164c40669a8611"
@@ -56,6 +60,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-07T02:32:27Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T20:16:15Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-w54v-hf9p-8856/GHSA-w54v-hf9p-8856.json b/advisories/github-reviewed/2026/03/GHSA-w54v-hf9p-8856/GHSA-w54v-hf9p-8856.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w54v-hf9p-8856",
-  "modified": "2026-03-11T00:36:13Z",
+  "modified": "2026-03-11T21:37:44Z",
   "published": "2026-03-11T00:36:13Z",
   "aliases": [
     "CVE-2026-31901"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-w54v-hf9p-8856"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31901"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/parse-community/parse-server"
@@ -79,6 +83,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T00:36:13Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T20:16:16Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-xj69-m9qq-8m94/GHSA-xj69-m9qq-8m94.json b/advisories/github-reviewed/2026/03/GHSA-xj69-m9qq-8m94/GHSA-xj69-m9qq-8m94.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xj69-m9qq-8m94",
-  "modified": "2026-03-11T00:38:00Z",
+  "modified": "2026-03-11T21:37:54Z",
   "published": "2026-03-11T00:38:00Z",
   "aliases": [
     "CVE-2026-31961"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/anchore/quill/security/advisories/GHSA-xj69-m9qq-8m94"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31961"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/anchore/quill/commit/80cf3fe082678af0ec4f9f8dd93f39189d2dc1fe"
@@ -64,6 +68,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-11T00:38:00Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-11T20:16:17Z"
   }
 }
