Publish Advisories

GHSA-497x-rrr9-68jp
GHSA-gj7p-595x-qwf5
GHSA-m9hq-h476-h2g8

Author: advisory-database[bot]

…-497x-rrr9-68jp/GHSA-497x-rrr9-68jp.json …-497x-rrr9-68jp/GHSA-497x-rrr9-68jp.jsonadvisories/unreviewed/2026/04/GHSA-497x-rrr9-68jp/GHSA-497x-rrr9-68jp.json renamed to advisories/github-reviewed/2026/04/GHSA-497x-rrr9-68jp/GHSA-497x-rrr9-68jp.json advisories/unreviewed/2026/04/GHSA-497x-rrr9-68jp/GHSA-497x-rrr9-68jp.json renamed to advisories/github-reviewed/2026/04/GHSA-497x-rrr9-68jp/GHSA-497x-rrr9-68jp.json

@@ -1,34 +1,61 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-497x-rrr9-68jp",
-  "modified": "2026-04-15T21:30:18Z",
+  "modified": "2026-04-16T21:42:00Z",
   "published": "2026-04-15T21:30:18Z",
   "aliases": [
     "CVE-2026-21726"
   ],
+  "summary": "Grafana Loki Path Traversal - CVE-2021-36156 Bypass",
   "details": "The CVE-2021-36156 fix validates the namespace parameter for path traversal sequences after a single URL decode, by double encoding, an attacker can read files at the Ruler API endpoint /loki/api/v1/rules/{namespace}\n\nThanks to Prasanth Sundararajan for reporting this vulnerability.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/grafana/loki/v3"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.6.4"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21726"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/grafana/loki"
+    },
     {
       "type": "WEB",
       "url": "https://grafana.com/security/security-advisories/cve-2026-21726"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-601"
+    ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:42:00Z",
     "nvd_published_at": "2026-04-15T20:16:34Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-gj7p-595x-qwf5/GHSA-gj7p-595x-qwf5.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gj7p-595x-qwf5",
-  "modified": "2026-04-15T19:19:43Z",
+  "modified": "2026-04-16T21:41:52Z",
   "published": "2026-04-15T19:19:43Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-40939"
+  ],
   "summary": "Data Sharing Framework is Missing Session Timeout for OIDC Sessions",
   "details": "### Affected Components\nDSF FHIR Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/fhir/oidc.html).\nDSF BPE Server with enabled [OIDC authentication](https://dsf.dev/operations/v2.1.0/bpe/oidc.html).\n\n### Summary\nOIDC-authenticated sessions had no configured maximum inactivity timeout. Sessions persisted indefinitely after login, even after the OIDC access token expired.\n\n### Impact\nIf a user logs in via OIDC and leaves their browser without explicitly logging out, the session remains valid indefinitely. Another person using the same browser can access the DSF UI with the previous user's permissions. This is a realistic threat in hospital environments with shared workstations.\n\nOnly affects OIDC browser sessions, not relevant for mTLS machine-to-machine communication.\n\n### Fix (commits f4ecb00, 7d25fea)\n- Added configurable session timeout via `dev.dsf.server.auth.oidc.session.timeout` (default: `PT30M`).\n- Enabled `logoutWhenIdTokenIsExpired(true)` in OpenID configuration to tie session lifetime to token lifetime.\n- Websocket sessions are now closed with `VIOLATED_POLICY` when credentials expire, prevents stale websocket connections from continuing to receive events after session timeout.",
   "severity": [

…-m9hq-h476-h2g8/GHSA-m9hq-h476-h2g8.json …-m9hq-h476-h2g8/GHSA-m9hq-h476-h2g8.jsonadvisories/unreviewed/2026/04/GHSA-m9hq-h476-h2g8/GHSA-m9hq-h476-h2g8.json renamed to advisories/github-reviewed/2026/04/GHSA-m9hq-h476-h2g8/GHSA-m9hq-h476-h2g8.json advisories/unreviewed/2026/04/GHSA-m9hq-h476-h2g8/GHSA-m9hq-h476-h2g8.json renamed to advisories/github-reviewed/2026/04/GHSA-m9hq-h476-h2g8/GHSA-m9hq-h476-h2g8.json

@@ -1,34 +1,80 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m9hq-h476-h2g8",
-  "modified": "2026-04-15T21:30:18Z",
+  "modified": "2026-04-16T21:41:13Z",
   "published": "2026-04-15T21:30:18Z",
   "aliases": [
     "CVE-2025-41118"
   ],
+  "summary": "Exposure of Storage Secret in Pyroscope",
   "details": "Pyroscope is an open-source continuous profiling database. The database supports various storage backends, including Tencent Cloud Object Storage (COS).\n\nIf the database is configured to use Tencent COS as the storage backend, an attacker could extract the secret_key configuration value from the Pyroscope API.\n\nTo exploit this vulnerability, an attacker needs direct access to the Pyroscope API. We highly recommend limiting the public internet exposure of all our databases, such that they are only accessible by trusted users or internal systems.\n\nThis vulnerability is fixed in versions:\n\n1.15.x: 1.15.2 and above.\n1.16.x: 1.16.1 and above.\n1.17.x: 1.17.0 and above (i.e. all versions).\n\nThanks to Théo Cusnir for reporting this vulnerability to us via our bug bounty program.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/grafana/pyroscope"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.15.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/grafana/pyroscope"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.16.0"
+            },
+            {
+              "fixed": "1.16.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41118"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/grafana/pyroscope"
+    },
     {
       "type": "WEB",
       "url": "https://grafana.com/security/security-advisories/cve-2025-41118"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-200"
+    ],
     "severity": "CRITICAL",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:41:13Z",
     "nvd_published_at": "2026-04-15T20:16:32Z"
   }
 }