Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit a0d52b48690d · 2026-04-16T21:35:19.000Z
GHSA-2mvx-f5qm-v2ch GHSA-cw73-5f7h-m4gv GHSA-hv5g-26jg-pc45 GHSA-j452-xhg8-qg39 GHSA-wg6q-6289-32hp GHSA-wg6q-6289-32hp
diff --git a/advisories/github-reviewed/2026/04/GHSA-2mvx-f5qm-v2ch/GHSA-2mvx-f5qm-v2ch.json b/advisories/github-reviewed/2026/04/GHSA-2mvx-f5qm-v2ch/GHSA-2mvx-f5qm-v2ch.json
@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2mvx-f5qm-v2ch",
+  "modified": "2026-04-16T21:34:40Z",
+  "published": "2026-04-16T21:34:40Z",
+  "aliases": [
+    "CVE-2026-40308"
+  ],
+  "summary": "Unauthenticated Information Disclosure (IDOR) via Multisite switch_to_blog in My Calendar",
+  "details": "### Summary\n\nAn unauthenticated Insecure Direct Object Reference (IDOR) and Denial of Service (DoS) vulnerability in the My Calendar plugin allows any unauthenticated user to extract calendar events (including private or hidden ones) from any sub-site on a WordPress Multisite network. On standard Single Site WordPress installations, this same endpoint crashes the PHP worker thread, creating an unauthenticated Denial of Service (DoS) vector.\n\n### Details\n\nThe vulnerability stems from the `mc_ajax_mcjs_action AJAX` function, which handles the `mcjs_action` endpoint. This endpoint is explicitly registered for unauthenticated users:\n```php\n<?php\n// In my-calendar-ajax.php\nadd_action( 'wp_ajax_nopriv_mcjs_action', 'mc_ajax_mcjs_action' );\n```\n\nWhen the behavior parameter is set to loadupcoming, the plugin accepts an args parameter from the $_REQUEST array. Instead of validating specific expected arguments, the plugin unsafely passes the entire string into PHP's parse_str() function:\n```php\n<?php\n$request = isset( $_REQUEST['args'] ) ? wp_unslash( sanitize_text_field( $_REQUEST['args'] ) ) : array();\n$request = str_replace( '|', '&', $request );\n$request = parse_str( $request, $args );\n// ...\n$response = my_calendar_upcoming_events( $args );\n```\n\nThis allows an attacker to inject arbitrary key-value pairs into the $args array. This array is then passed to the my_calendar_upcoming_events() function located in my-calendar-widgets.php.\n\nAt the beginning of this function, the plugin processes the attacker-controlled site argument:\n```php\n<?php\n// In my-calendar-widgets.php\nif ( $args['site'] ) {\n    $args['site'] = ( 'global' === $args['site'] ) ? BLOG_ID_CURRENT_SITE : $args['site'];\n    switch_to_blog( $args['site'] );\n}\n```\nThe plugin blindly passes the attacker's supplied site ID into WordPress core's `switch_to_blog()` function without checking if the requesting user has the appropriate network-level privileges (e.g., Super Admin).\n\nOn Multisite configurations, the database context switches to the targeted sub-site, queries its events, and returns the HTML-rendered events array in the JSON response, leading to Information Disclosure across tenant boundaries.\nOn Single Site configurations, the switch_to_blog() function does not exist in WordPress core. Calling it triggers an Uncaught PHP Error (Call to undefined function switch_to_blog()), resulting in a 500 Internal Server error (\"Critical Error\"). Repeated requests to this unauthenticated endpoint easily exhaust server resources.\n\n### PoC\n\n## 1. Multisite Information Disclosure - IDOR\n```\ncurl -s \"http://<target-domain>/wp-admin/admin-ajax.php?action=mcjs_action&behavior=loadupcoming&args=site=2\"\n```\n\n## 2.  Single Site Denial of Service (DoS)\nIf the WordPress instance is not a Multisite, passing any truthy value to the site parameter will instantly crash the request thread:\n```\ncurl -i -s \"http://<target-domain>/wp-admin/admin-ajax.php?action=mcjs_action&behavior=loadupcoming&args=site=1\"\n```\n\n### Impact\n\n**Vulnerability Type**: Insecure Direct Object Reference (IDOR) / Information Exposure / Denial of Service (DoS)\n**Who is impacted**: All sites running the \"My Calendar\" plugin.\n\nAnonymous internet users can silently map the network and extract private, unpublished, or intranet-specific events from unlaunched/internal sub-sites.\nStandard Single Site users are vulnerable to an easy-to-execute application-layer DoS, as it costs an attacker negligible resources to constantly crash PHP worker threads at an unauthenticated endpoint.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "joedolson/my-calendar"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.7"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/joedolson/my-calendar/security/advisories/GHSA-2mvx-f5qm-v2ch"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/joedolson/my-calendar"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:34:40Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/04/GHSA-cw73-5f7h-m4gv/GHSA-cw73-5f7h-m4gv.json b/advisories/github-reviewed/2026/04/GHSA-cw73-5f7h-m4gv/GHSA-cw73-5f7h-m4gv.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cw73-5f7h-m4gv",
-  "modified": "2026-04-16T15:31:32Z",
+  "modified": "2026-04-16T21:33:09Z",
   "published": "2026-04-15T18:31:57Z",
   "aliases": [
     "CVE-2026-30625"
   ],
+  "summary": "Upsonic: remote code execution vulnerability in its MCP server/task creation functionality",
   "details": "Upsonic 0.71.6 contains a remote code execution vulnerability in its MCP server/task creation functionality. The application allows users to define MCP tasks with arbitrary command and args values. Although an allowlist exists, certain allowed commands (npm, npx) accept argument flags that enable execution of arbitrary OS commands. Maliciously crafted MCP tasks may lead to remote code execution with the privileges of the Upsonic process. In version 0.72.0 Upsonic added a warning about using Stdio servers being able to execute commands directly on the machine.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "upsonic"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.72.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,6 +44,10 @@
       "type": "WEB",
       "url": "https://github.com/Upsonic/Upsonic/commit/855053fce0662227d9246268ff4a0844b481a305"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Upsonic/Upsonic"
+    },
     {
       "type": "WEB",
       "url": "https://www.ox.security/blog/mcp-supply-chain-advisory-rce-vulnerabilities-across-the-ai-ecosystem"
@@ -33,8 +58,8 @@
       "CWE-77"
     ],
     "severity": "CRITICAL",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:33:09Z",
     "nvd_published_at": "2026-04-15T16:16:36Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-hv5g-26jg-pc45/GHSA-hv5g-26jg-pc45.json b/advisories/github-reviewed/2026/04/GHSA-hv5g-26jg-pc45/GHSA-hv5g-26jg-pc45.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hv5g-26jg-pc45",
-  "modified": "2026-04-15T18:31:58Z",
+  "modified": "2026-04-16T21:33:30Z",
   "published": "2026-04-15T18:31:58Z",
   "aliases": [
     "CVE-2026-6290"
   ],
+  "summary": "Velociraptor vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token",
   "details": "Velociraptor versions prior to 0.76.3 contain a vulnerability in the query() plugin which allows access to all orgs with the user's current ACL token. This allows an authenticated GUI user with access in one org, to use the query() plugin, in a notebook cell, to run VQL queries on other orgs which they may not have access to. The user's permissions in the other org are\nthe same as the permissions they have in the org containing the notebook.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "www.velocidex.com/golang/velociraptor"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.76.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -22,15 +43,19 @@
     {
       "type": "WEB",
       "url": "https://docs.velociraptor.app/announcements/advisories/cve-2026-6290"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Velocidex/velociraptor"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-863"
     ],
     "severity": "HIGH",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:33:30Z",
     "nvd_published_at": "2026-04-15T18:17:25Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-j452-xhg8-qg39/GHSA-j452-xhg8-qg39.json b/advisories/github-reviewed/2026/04/GHSA-j452-xhg8-qg39/GHSA-j452-xhg8-qg39.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-j452-xhg8-qg39",
-  "modified": "2026-04-15T21:30:17Z",
+  "modified": "2026-04-16T21:33:53Z",
   "published": "2026-04-15T18:31:58Z",
   "aliases": [
     "CVE-2026-5758"
   ],
+  "summary": "Mafintosh's protocol-buffers-schema is vulnerable to prototype pollution",
   "details": "JavaScript is vulnerable to prototype pollution in Mafintosh's protocol-buffers-schema Version 3.6.0, where an attacker may alter the application logic, bypass security checks, cause a DoS or achieve remote code execution.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:L"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "protocol-buffers-schema"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.6.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -23,16 +44,22 @@
       "type": "WEB",
       "url": "https://github.com/mafintosh/protocol-buffers-schema/pull/70"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mafintosh/protocol-buffers-schema"
+    },
     {
       "type": "WEB",
       "url": "https://morielharush.github.io/2026/04/12/cve-2026-5758-protocol-buffers-schema-prototype-pollution"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-1321"
+    ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:33:53Z",
     "nvd_published_at": "2026-04-15T18:17:24Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/04/GHSA-wg6q-6289-32hp/GHSA-wg6q-6289-32hp.json b/advisories/github-reviewed/2026/04/GHSA-wg6q-6289-32hp/GHSA-wg6q-6289-32hp.json
diff --git a/advisories/unreviewed/2026/04/GHSA-wg6q-6289-32hp/GHSA-wg6q-6289-32hp.json b/advisories/unreviewed/2026/04/GHSA-wg6q-6289-32hp/GHSA-wg6q-6289-32hp.json
