Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit acfcbcdafb29 · 2026-02-13T20:06:46.000Z
GHSA-38c4-r59v-3vqw GHSA-cvhv-6xm6-c3v4 GHSA-g433-pq76-6cmf GHSA-cvhv-6xm6-c3v4
diff --git a/advisories/github-reviewed/2026/02/GHSA-38c4-r59v-3vqw/GHSA-38c4-r59v-3vqw.json b/advisories/github-reviewed/2026/02/GHSA-38c4-r59v-3vqw/GHSA-38c4-r59v-3vqw.json
@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-38c4-r59v-3vqw",
-  "modified": "2026-02-12T06:30:13Z",
+  "modified": "2026-02-13T20:04:39Z",
   "published": "2026-02-12T06:30:13Z",
   "aliases": [
     "CVE-2026-2327"
   ],
+  "summary": "markdown-it is has a Regular Expression Denial of Service (ReDoS)",
   "details": "Versions of the package markdown-it from 13.0.0 and before 14.1.1 are vulnerable to Regular Expression Denial of Service (ReDoS) due to the use of the regex /\\*+$/ in the linkify function. An attacker can supply a long sequence of * characters followed by a non-matching character, which triggers excessive backtracking and may lead to a denial-of-service condition.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "markdown-it"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "13.0.0"
+            },
+            {
+              "fixed": "14.1.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -31,9 +52,13 @@
       "type": "WEB",
       "url": "https://gist.github.com/ltduc147/c9abecae1b291ede4f692f2ab988c917"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/markdown-it/markdown-it"
+    },
     {
       "type": "WEB",
-      "url": "https://github.com/markdown-it/markdown-it/blob/14.1.0/lib/rules_inline/linkify.mjs%23L33"
+      "url": "https://github.com/markdown-it/markdown-it/blob/14.1.0/lib/rules_inline/linkify.mjs#L33"
     },
     {
       "type": "WEB",
@@ -45,8 +70,8 @@
       "CWE-1333"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:04:39Z",
     "nvd_published_at": "2026-02-12T06:16:02Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-cvhv-6xm6-c3v4/GHSA-cvhv-6xm6-c3v4.json b/advisories/github-reviewed/2026/02/GHSA-cvhv-6xm6-c3v4/GHSA-cvhv-6xm6-c3v4.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cvhv-6xm6-c3v4",
+  "modified": "2026-02-13T20:04:56Z",
+  "published": "2026-02-13T03:31:23Z",
+  "aliases": [
+    "CVE-2026-1721"
+  ],
+  "summary": "Cloudflare Agents is Vulnerable to Reflected Cross-Site Scripting in the AI Playground's OAuth callback handler",
+  "details": "Summary\n\nA Reflected Cross-Site Scripting (XSS) vulnerability was discovered in the AI Playground's OAuth callback handler. The `error_description` query parameter was directly interpolated into an HTML script tag without proper escaping, allowing attackers to execute arbitrary JavaScript in the context of the victim's session.\n\nRoot cause\n\nThe OAuth callback handler in `site/ai-playground/src/server.ts` directly interpolated the `authError` value, sourced from the `error_description` query parameter,  into an inline `<script>` tag.\n\nImpact\n\nAn attacker could craft a malicious link that, when clicked by a victim, would:\n\n  *  Steal user chat message history - Access all LLM interactions stored in the user's session.\n\n\n  *  Access connected MCP Servers - Interact with any MCP servers connected to the victim's session (public or authenticated/private), potentially allowing the attacker to perform actions on the victim's behalf\n\n\nMitigation:\n\n  *  PR:  https://github.com/cloudflare/agents/pull/841 https://github.com/cloudflare/agents/pull/841 \n  *  Agents-sdk users should upgrade to agents@0.3.10\n  *  Developers using configureOAuthCallback with custom error handling in their own applications should ensure all user-controlled input is escaped before interpolation.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "agents"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.3.10"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1721"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/agents/pull/841"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cloudflare/agents/commit/3f490d045844e4884db741afbb66ca1fe65d4093"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/cloudflare/agents"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:04:55Z",
+    "nvd_published_at": "2026-02-13T03:15:52Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/02/GHSA-g433-pq76-6cmf/GHSA-g433-pq76-6cmf.json b/advisories/github-reviewed/2026/02/GHSA-g433-pq76-6cmf/GHSA-g433-pq76-6cmf.json
@@ -0,0 +1,103 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g433-pq76-6cmf",
+  "modified": "2026-02-13T20:05:10Z",
+  "published": "2026-02-13T20:05:10Z",
+  "aliases": [],
+  "summary": "Bug fixes in hpke-rs, hpke-rs-rust-crypto",
+  "details": "We publish a GitHub security advisory for any releases whose CHANGELOG includes bug-fixes, and encourage our users to upgrade. The latest releases of the hpke-rs and hpke-rs-rust-crypto crates contain the following bug-fixes:\n\n## hpke-rs\n- [#127](https://github.com/cryspen/hpke-rs/pull/127): Fix `KemAlgorithm::TryFrom<u16>` mapping where `0x004D` incorrectly resolved to `XWingDraft06` instead of `XWingDraft06Obsolete`.\n- [#123](https://github.com/cryspen/hpke-rs/pull/123): Fix potential overflow in context counter and switch to use u64.\n- [#128](https://github.com/cryspen/hpke-rs/pull/128): Return errors when trying to use open/seal with export only ciphersuite and when using kdf export with an output that's too long (instead of truncating it)\n\nThe issue fixed in #123 was first reported by Nadim Kobeissi.\nThe issues fixed in #127 and #128 were first reported by Scott Arciszewski.\n\n## hpke-rs-rust-crypto\n- [#124](https://github.com/cryspen/hpke-rs/pull/124): Error out on x25519 0 keys\n\nThe issue fixed in #124 was first reported by Nadim Kobeissi.",
+  "severity": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "hpke-rs"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.6.0"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "crates.io",
+        "name": "hpke-rs-rust-crypto"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "0.6.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/security/advisories/GHSA-g433-pq76-6cmf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/pull/123"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/pull/124"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/pull/127"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/pull/128"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/commit/1c247b5c9aeca602ad2971c9bd49817fe2c308e6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/commit/25248bd624cc0325c98a05c169a0c9aa0aced632"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/commit/3a8254938f43bdc4e0c9c4f987f8071f19779066"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cryspen/hpke-rs/commit/b54c8bb83906331bdf4f606cafa30cd7fd20b531"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/cryspen/hpke-rs"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-190",
+      "CWE-20",
+      "CWE-697"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-13T20:05:10Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/unreviewed/2026/02/GHSA-cvhv-6xm6-c3v4/GHSA-cvhv-6xm6-c3v4.json b/advisories/unreviewed/2026/02/GHSA-cvhv-6xm6-c3v4/GHSA-cvhv-6xm6-c3v4.json
