Publish Advisories

GHSA-9r5j-7r2x-rv4g
GHSA-m6hv-x64c-27mm
GHSA-rv5f-ccpm-xjj4

Author: advisory-database[bot]

…-9r5j-7r2x-rv4g/GHSA-9r5j-7r2x-rv4g.json …-9r5j-7r2x-rv4g/GHSA-9r5j-7r2x-rv4g.jsonadvisories/unreviewed/2026/03/GHSA-9r5j-7r2x-rv4g/GHSA-9r5j-7r2x-rv4g.json renamed to advisories/github-reviewed/2026/03/GHSA-9r5j-7r2x-rv4g/GHSA-9r5j-7r2x-rv4g.json advisories/unreviewed/2026/03/GHSA-9r5j-7r2x-rv4g/GHSA-9r5j-7r2x-rv4g.json renamed to advisories/github-reviewed/2026/03/GHSA-9r5j-7r2x-rv4g/GHSA-9r5j-7r2x-rv4g.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9r5j-7r2x-rv4g",
-  "modified": "2026-03-09T18:31:43Z",
+  "modified": "2026-03-10T01:21:24Z",
   "published": "2026-03-09T12:31:38Z",
   "aliases": [
     "CVE-2025-69219"
   ],
-  "details": "A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.\n\nYou should upgrade to version 6.0.0 of the provider to avoid even that risk.",
+  "summary": "Apache Airflow Providers Http has Unsafe Pickle Deserializatio leading to RCE via HttpOperator",
+  "details": "A user with access to the DB could craft a database entry that would result in executing code on Triggerer - which gives anyone who have access to DB the same permissions as Dag Author. Since direct DB access is not usual and recommended for Airflow, the likelihood of it making any damage is low.\n\nUsers should upgrade to version 6.0.0 of the provider to avoid even that risk.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-airflow-providers-http"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/apache/airflow/pull/61662"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/airflow/commit/97839f7b0a8ae66d6079bb7fad5a363068f61617"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/airflow"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/zjkfb2njklro68tqzym092r4w65m5dq0"
@@ -37,8 +66,8 @@
       "CWE-913"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-10T01:21:24Z",
     "nvd_published_at": "2026-03-09T11:16:05Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-m6hv-x64c-27mm/GHSA-m6hv-x64c-27mm.json

@@ -0,0 +1,68 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m6hv-x64c-27mm",
+  "modified": "2026-03-10T01:20:19Z",
+  "published": "2026-03-10T01:20:19Z",
+  "aliases": [
+    "CVE-2026-30974"
+  ],
+  "summary": "copyparty: volflag `nohtml` did not block javascript in svg files",
+  "details": "### Summary\nThe `nohtml` config option, intended to prevent execution of JavaScript in user-uploaded HTML files, did not apply to SVG images.\n\n### Details\nA user with write-permission could upload an SVG containing embedded JavaScript, which would execute in the context of whichever user opens it.\n\nThis in itself is not a vulnerability; it is intended behavior according to [the SVG spec](https://www.w3.org/TR/SVG11/script.html). The vulnerability is that the `nohtml` volflag, when enabled, did not prevent this.\n\n`nohtml`, intended for use on volumes which contains untrusted files, would correctly prevent execution of javascript in HTML files, but did not consider SVG images. This has been fixed in v1.20.11.\n\n### Impact\nThe malicious JavaScript could move or delete existing files on the server, or upload new files, using the account of the person who opens the SVG.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "copyparty"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.20.11"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.20.10"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/9001/copyparty/security/advisories/GHSA-m6hv-x64c-27mm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/9001/copyparty/commit/1c9f894e149b6be3cc7de81efc93a4ce4766e0e5"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/9001/copyparty"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/9001/copyparty/releases/tag/v1.20.11"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-10T01:20:19Z",
+    "nvd_published_at": null
+  }
+}

…-rv5f-ccpm-xjj4/GHSA-rv5f-ccpm-xjj4.json …-rv5f-ccpm-xjj4/GHSA-rv5f-ccpm-xjj4.jsonadvisories/unreviewed/2026/03/GHSA-rv5f-ccpm-xjj4/GHSA-rv5f-ccpm-xjj4.json renamed to advisories/github-reviewed/2026/03/GHSA-rv5f-ccpm-xjj4/GHSA-rv5f-ccpm-xjj4.json advisories/unreviewed/2026/03/GHSA-rv5f-ccpm-xjj4/GHSA-rv5f-ccpm-xjj4.json renamed to advisories/github-reviewed/2026/03/GHSA-rv5f-ccpm-xjj4/GHSA-rv5f-ccpm-xjj4.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rv5f-ccpm-xjj4",
-  "modified": "2026-03-09T18:31:43Z",
+  "modified": "2026-03-10T01:22:21Z",
   "published": "2026-03-09T12:31:38Z",
   "aliases": [
     "CVE-2026-25604"
   ],
+  "summary": "Apache Airflow AWS Auth Manager has Host Header Injection Leading to SAML Authentication Bypass",
   "details": "In AWS Auth manager, the origin of the SAML authentication has been used as provided by the client and not verified against the actual instance URL. \nThis allowed to gain access to different instances with potentially different access controls by reusing SAML response from other instances.\n\nYou should upgrade to 9.22.0 version of provider if you use AWS Auth Manager.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-airflow-providers-amazon"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.22.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,14 @@
       "type": "WEB",
       "url": "https://github.com/apache/airflow/pull/61368"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/airflow/commit/1a86aec01d827ba8caf41b645db56663a9a61850"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/airflow"
+    },
     {
       "type": "WEB",
       "url": "https://lists.apache.org/thread/spwwrsmwxod7fpttcd7n7zs46j839l77"
@@ -37,8 +66,8 @@
       "CWE-346"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-10T01:22:21Z",
     "nvd_published_at": "2026-03-09T11:16:06Z"
   }
 }