Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit b01a5e8c0d67 · 2026-02-10T13:49:23.000Z
GHSA-xm59-rqc7-hhvf GHSA-jp3q-wwp3-pwv9 GHSA-wv3h-x6c4-r867
diff --git a/advisories/github-reviewed/2025/12/GHSA-xm59-rqc7-hhvf/GHSA-xm59-rqc7-hhvf.json b/advisories/github-reviewed/2025/12/GHSA-xm59-rqc7-hhvf/GHSA-xm59-rqc7-hhvf.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xm59-rqc7-hhvf",
-  "modified": "2026-02-09T21:34:01Z",
+  "modified": "2026-02-10T13:48:26Z",
   "published": "2025-12-18T22:03:08Z",
   "aliases": [
     "CVE-2025-53000"
@@ -36,6 +36,10 @@
     }
   ],
   "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-xm59-rqc7-hhvf"
+    },
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53000"
diff --git a/advisories/github-reviewed/2026/01/GHSA-jp3q-wwp3-pwv9/GHSA-jp3q-wwp3-pwv9.json b/advisories/github-reviewed/2026/01/GHSA-jp3q-wwp3-pwv9/GHSA-jp3q-wwp3-pwv9.json
@@ -1,11 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jp3q-wwp3-pwv9",
-  "modified": "2026-01-27T20:47:43Z",
+  "modified": "2026-02-10T13:47:10Z",
   "published": "2026-01-22T21:41:14Z",
   "aliases": [],
   "summary": "Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue",
-  "details": "**Summary**\nAn authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with `dangerouslySetInnerHTML` without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.\n\n**Affected Product**\n- Ecosystem: Packagist (Craft CMS plugin)\n- Package: solspace/craft-freeform\n- Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.\n\n**Details**\n- Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using `dangerouslySetInnerHTML` without sanitization.\n- Evidence: `dangerouslySetInnerHTML` on user-controlled properties in bundled CP JS at [packages/plugin/src/Resources/js/client/client.js](packages/plugin/src/Resources/js/client/client.js#L1).\n\n**PoCs**\n- Label-based XSS:\n  1. In Craft CP, create/edit a Freeform field and set its label to `<img src=x onerror=\"alert('xss-label')\">`.\n  2. Open the form builder view containing the field.\n  3. Alert executes (stored XSS).\n- Integration icon SVG:\n  1. Set an integration \"icon SVG\" to `<svg><script>alert('xss-icon')</script></svg>`.\n  2. Open the integrations CP view.\n  3. Script executes.\n\n**Impact**\nArbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.\n\n**Remediation**\n- Sanitize/HTML-encode all user-controlled strings before passing to `dangerouslySetInnerHTML`, or avoid it for labels/titles/icons.\n- Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.\n- Add regression tests with `<img onerror>` payloads to ensure no execution in builder/integration views.\n\n**Workarounds**\n- Restrict form-edit permissions to trusted admins only until patched.\n- Consider CSP that disallows inline scripts (defense-in-depth only).\n\n**Credits**\n- Discovered by https://www.linkedin.com/in/praveenkavinda/ | Prav33N-Sec.\n\n**Disclosure / CVE Request**\n- Request CVE for this confirmed stored XSS.",
+  "details": "**Summary**\nAn authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with `dangerouslySetInnerHTML` without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.\n\n**Affected Product**\n- Ecosystem: Packagist (Craft CMS plugin)\n- Package: solspace/craft-freeform\n- Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.\n\n**Details**\n- Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using `dangerouslySetInnerHTML` without sanitization.\n- Evidence: `dangerouslySetInnerHTML` on user-controlled properties in bundled CP JS at [packages/plugin/src/Resources/js/client/client.js](packages/plugin/src/Resources/js/client/client.js#L1).\n\n**PoCs**\n- Label-based XSS:\n  1. In Craft CP, create/edit a Freeform field and set its label to `<img src=x onerror=\"alert('xss-label')\">`.\n  2. Open the form builder view containing the field.\n  3. Alert executes (stored XSS).\n- Integration icon SVG:\n  1. Set an integration \"icon SVG\" to `<svg><script>alert('xss-icon')</script></svg>`.\n  2. Open the integrations CP view.\n  3. Script executes.\n\n**Impact**\nArbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.\n\n**Remediation**\n- Sanitize/HTML-encode all user-controlled strings before passing to `dangerouslySetInnerHTML`, or avoid it for labels/titles/icons.\n- Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.\n- Add regression tests with `<img onerror>` payloads to ensure no execution in builder/integration views.\n\n**Workarounds**\n- Restrict form-edit permissions to trusted admins only until patched.\n- Consider CSP that disallows inline scripts (defense-in-depth only).\n\n**Credits**\n- Discovered by https://www.linkedin.com/in/praveenkavinda/ | Prav33N-Sec.",
   "severity": [
     {
       "type": "CVSS_V4",
diff --git a/advisories/github-reviewed/2026/01/GHSA-wv3h-x6c4-r867/GHSA-wv3h-x6c4-r867.json b/advisories/github-reviewed/2026/01/GHSA-wv3h-x6c4-r867/GHSA-wv3h-x6c4-r867.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wv3h-x6c4-r867",
-  "modified": "2026-02-05T15:53:35Z",
+  "modified": "2026-02-10T13:47:26Z",
   "published": "2026-01-21T09:31:30Z",
   "aliases": [
     "CVE-2025-14559"
@@ -48,6 +48,14 @@
       "type": "WEB",
       "url": "https://github.com/keycloak/keycloak/commit/d67349f3aa9fed5c61750619d0f9de6356aeaeff"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:2365"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:2366"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/security/cve/CVE-2025-14559"

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-xm59-rqc7-hhvf",`
`4`		`- "modified": "2026-02-09T21:34:01Z",`
	`4`	`+ "modified": "2026-02-10T13:48:26Z",`
`5`	`5`	`"published": "2025-12-18T22:03:08Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-53000"`
`@@ -36,6 +36,10 @@`
`36`	`36`	`}`
`37`	`37`	`],`
`38`	`38`	`"references": [`
	`39`	`+ {`
	`40`	`+ "type": "WEB",`
	`41`	`+ "url": "https://github.com/jupyter/nbconvert/security/advisories/GHSA-xm59-rqc7-hhvf"`
	`42`	`+ },`
`39`	`43`	`{`
`40`	`44`	`"type": "ADVISORY",`
`41`	`45`	`"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53000"`
Original file line number	Diff line number	Diff line change
`@@ -1,11 +1,11 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-jp3q-wwp3-pwv9",`
`4`		`- "modified": "2026-01-27T20:47:43Z",`
	`4`	`+ "modified": "2026-02-10T13:47:10Z",`
`5`	`5`	`"published": "2026-01-22T21:41:14Z",`
`6`	`6`	`"aliases": [],`
`7`	`7`	`"summary": "Freeform Craft Plugin CP UI (builder/integrations) has Stored Cross-Site Scripting (XSS) issue",`
`8`		- "details": "Summary\nAn authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with `dangerouslySetInnerHTML` without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.\n\nAffected Product\n- Ecosystem: Packagist (Craft CMS plugin)\n- Package: solspace/craft-freeform\n- Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.\n\nDetails\n- Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using `dangerouslySetInnerHTML` without sanitization.\n- Evidence: `dangerouslySetInnerHTML` on user-controlled properties in bundled CP JS at [packages/plugin/src/Resources/js/client/client.js](packages/plugin/src/Resources/js/client/client.js#L1).\n\nPoCs\n- Label-based XSS:\n 1. In Craft CP, create/edit a Freeform field and set its label to `<img src=x onerror=\"alert('xss-label')\">`.\n 2. Open the form builder view containing the field.\n 3. Alert executes (stored XSS).\n- Integration icon SVG:\n 1. Set an integration \"icon SVG\" to `<svg><script>alert('xss-icon')</script></svg>`.\n 2. Open the integrations CP view.\n 3. Script executes.\n\nImpact\nArbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.\n\nRemediation\n- Sanitize/HTML-encode all user-controlled strings before passing to `dangerouslySetInnerHTML`, or avoid it for labels/titles/icons.\n- Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.\n- Add regression tests with `<img onerror>` payloads to ensure no execution in builder/integration views.\n\nWorkarounds\n- Restrict form-edit permissions to trusted admins only until patched.\n- Consider CSP that disallows inline scripts (defense-in-depth only).\n\nCredits\n- Discovered by https://www.linkedin.com/in/praveenkavinda/ \| Prav33N-Sec.\n\nDisclosure / CVE Request\n- Request CVE for this confirmed stored XSS.",
	`8`	+ "details": "Summary\nAn authenticated, low-privilege user (able to create/edit forms) can inject arbitrary HTML/JS into the Craft Control Panel (CP) builder and integrations views. User-controlled form labels and integration metadata are rendered with `dangerouslySetInnerHTML` without sanitization, leading to stored XSS that executes when any admin views the builder/integration screens.\n\nAffected Product\n- Ecosystem: Packagist (Craft CMS plugin)\n- Package: solspace/craft-freeform\n- Version: <= 5.14.6 (latest observed). Likely all 5.x until patched.\n\nDetails\n- Root cause: Multiple user-controlled strings (field labels, section labels, integration icons, short names, WYSIWYG previews) are injected into React components using `dangerouslySetInnerHTML` without sanitization.\n- Evidence: `dangerouslySetInnerHTML` on user-controlled properties in bundled CP JS at [packages/plugin/src/Resources/js/client/client.js](packages/plugin/src/Resources/js/client/client.js#L1).\n\nPoCs\n- Label-based XSS:\n 1. In Craft CP, create/edit a Freeform field and set its label to `<img src=x onerror=\"alert('xss-label')\">`.\n 2. Open the form builder view containing the field.\n 3. Alert executes (stored XSS).\n- Integration icon SVG:\n 1. Set an integration \"icon SVG\" to `<svg><script>alert('xss-icon')</script></svg>`.\n 2. Open the integrations CP view.\n 3. Script executes.\n\nImpact\nArbitrary JS in admin CP; session/CSRF token theft; potential full admin takeover via DOM-driven actions.\n\nRemediation\n- Sanitize/HTML-encode all user-controlled strings before passing to `dangerouslySetInnerHTML`, or avoid it for labels/titles/icons.\n- Server-side: strip/escape disallowed tags on save for fields, integration metadata, WYSIWYG content.\n- Add regression tests with `<img onerror>` payloads to ensure no execution in builder/integration views.\n\nWorkarounds\n- Restrict form-edit permissions to trusted admins only until patched.\n- Consider CSP that disallows inline scripts (defense-in-depth only).\n\nCredits\n- Discovered by https://www.linkedin.com/in/praveenkavinda/ \| Prav33N-Sec.",
`9`	`9`	`"severity": [`
`10`	`10`	`{`
`11`	`11`	`"type": "CVSS_V4",`