Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit ad09a5a0c164 · 2026-02-10T19:58:51.000Z
GHSA-f72r-2h5j-7639 GHSA-jg68-vhv3-9r8f GHSA-x6cr-mq53-cc76
diff --git a/advisories/github-reviewed/2026/01/GHSA-f72r-2h5j-7639/GHSA-f72r-2h5j-7639.json b/advisories/github-reviewed/2026/01/GHSA-f72r-2h5j-7639/GHSA-f72r-2h5j-7639.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f72r-2h5j-7639",
-  "modified": "2026-02-10T16:03:09Z",
+  "modified": "2026-02-10T19:56:53Z",
   "published": "2026-01-28T23:00:57Z",
   "aliases": [
     "CVE-2026-25992"
@@ -44,13 +44,21 @@
       "type": "WEB",
       "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-f72r-2h5j-7639"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25992"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/siyuan-note/siyuan/commit/1f02650b3892d2ea3896242dd2422c30bda55e11"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/siyuan-note/siyuan"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/siyuan-note/siyuan/releases/tag/v3.5.5"
     }
   ],
   "database_specific": {
@@ -62,6 +70,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-01-28T23:00:57Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-02-10T18:16:38Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-jg68-vhv3-9r8f/GHSA-jg68-vhv3-9r8f.json b/advisories/github-reviewed/2026/02/GHSA-jg68-vhv3-9r8f/GHSA-jg68-vhv3-9r8f.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jg68-vhv3-9r8f",
-  "modified": "2026-02-05T00:34:29Z",
+  "modified": "2026-02-10T19:58:15Z",
   "published": "2026-02-02T23:12:57Z",
   "aliases": [
     "CVE-2026-25523"
   ],
   "summary": "Magento's X-Original-Url header can expose admin url",
-  "details": "### Impact\n\nThe admin url can be discovered without prior knowledge of its location by exploiting the X-Original-Url header on some configurations.\n\n### Patches\n\nThe bug comes from the Zend library.\n\n### Workarounds\n\nUnset the X-Original-Url header in the web server configuration.\n\n### Resources\n\nhttps://hackerone.com/bugs?subject=openmage&report_id=3416312\n\nUpon deeper investigation, it was initially not found, but then it was realized that the search excluded the vendor/ directory. This is coming from the Zend_Controller module. Here is another tip from 2016 - it is surprising that this was not somehow patched already!\n\nhttps://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..)\n\n### Credit\n\nAnees Hyder (anees0x_dev) on HackerOne\nhttps://hackerone.com/anees0x_dev/hacktivity?type=user",
+  "details": "### Impact\n\nThe admin url can be discovered without prior knowledge of it's location by exploiting the X-Original-Url header on some configurations.\n\n### Patches\n\nThe bug comes from the Zend library and is patche by unsetting the header in the bootstrap process.\n\n### Workarounds\n\nUnset the `X-Original-Url` header in the web server configuration.\n\n### References\n\nThe activation of these headers is coming from the Zend_Controller module. It appears this has been known to some degree since 2016 -\nhttps://peterocallaghan.co.uk/2016/12/magento-poisoning-cache/ (dead link now..)\n\n### Credit\n\nAnees Hyder ( @anees0xdev ) via HackerOne\nhttps://hackerone.com/anees0x_dev/hacktivity",
   "severity": [
     {
       "type": "CVSS_V3",
diff --git a/advisories/github-reviewed/2026/02/GHSA-x6cr-mq53-cc76/GHSA-x6cr-mq53-cc76.json b/advisories/github-reviewed/2026/02/GHSA-x6cr-mq53-cc76/GHSA-x6cr-mq53-cc76.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-x6cr-mq53-cc76",
-  "modified": "2026-02-10T14:33:15Z",
+  "modified": "2026-02-10T19:56:59Z",
   "published": "2026-02-10T14:33:15Z",
   "aliases": [
     "CVE-2026-25577"
@@ -43,6 +43,14 @@
       "type": "WEB",
       "url": "https://github.com/emmett-framework/core/security/advisories/GHSA-x6cr-mq53-cc76"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25577"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/emmett-framework/core/commit/9557ea23a27cbadf7774d8bca6bbe4b54fa8a3ec"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/emmett-framework/core/commit/c126757133e118119a280b58f3bb345b1c9a8a2a"
@@ -60,6 +68,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-10T14:33:15Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-02-10T18:16:37Z"
   }
 }
