Publish Advisories

GHSA-558g-h753-6m33
GHSA-5fhx-9jwj-867m
GHSA-g857-hhfv-j68w
GHSA-jgcf-rf45-2f8v
GHSA-mpf5-3vph-q75r
GHSA-mqph-7h49-hqfm
GHSA-vj45-x3pj-f4w4

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-558g-h753-6m33/GHSA-558g-h753-6m33.json

@@ -0,0 +1,67 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-558g-h753-6m33",
+  "modified": "2026-04-16T20:41:38Z",
+  "published": "2026-04-16T20:41:38Z",
+  "aliases": [
+    "CVE-2026-33435"
+  ],
+  "summary": "Weblate: Remote code execution during backup restoration",
+  "details": "### Impact\nThe project backup didn't filter Git and Mercurial configuration files and this could lead to remote code execution under certain circumstances.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/18549\n\n### Workarounds\nThe project backup is only accessible to users who can create projects. Restricting access to this limits scope of the vulnerability.\n\n### References\nThis issue was reported by [ggamno](https://hackerone.com/ggamno) via HackerOne.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "weblate"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.17"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-558g-h753-6m33"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33435"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/weblate/pull/18549"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WeblateOrg/weblate"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-23",
+      "CWE-434",
+      "CWE-94"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T20:41:38Z",
+    "nvd_published_at": "2026-04-15T19:16:35Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-5fhx-9jwj-867m/GHSA-5fhx-9jwj-867m.json

@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5fhx-9jwj-867m",
+  "modified": "2026-04-16T20:41:59Z",
+  "published": "2026-04-16T20:41:59Z",
+  "aliases": [
+    "CVE-2026-33440"
+  ],
+  "summary": "Weblate: Authenticated SSRF via redirect bypass of ALLOWED_ASSET_DOMAINS in screenshot URL uploads",
+  "details": "### Impact\nThe ALLOWED_ASSET_DOMAINS setting applied only to the first issued requests and didn't restrict possible redirects.\n\n### Patches\n* https://github.com/WeblateOrg/weblate/pull/18550\n\n### References\nThis issue was reported by @spbavarva via GitHub.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "weblate"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.17"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/weblate/security/advisories/GHSA-5fhx-9jwj-867m"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33440"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/weblate/pull/18550"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WeblateOrg/weblate/commit/8be80625a864c8db5854503872a65e8a0b7399a6"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WeblateOrg/weblate"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T20:41:59Z",
+    "nvd_published_at": "2026-04-15T19:16:35Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-g857-hhfv-j68w/GHSA-g857-hhfv-j68w.json

@@ -0,0 +1,111 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-g857-hhfv-j68w",
+  "modified": "2026-04-16T20:40:54Z",
+  "published": "2026-04-16T20:40:54Z",
+  "aliases": [
+    "CVE-2026-27820"
+  ],
+  "summary": "Buffer Overflow in Zlib::GzipReader ungetc via large input leads to memory corruption",
+  "details": "### Details\n\nA buffer overflow vulnerability exists in `Zlib::GzipReader`.\n\nThe `zstream_buffer_ungets` function prepends caller-provided bytes ahead of previously produced output but fails to guarantee the backing Ruby string has enough capacity before the memmove shifts the existing data. This can lead to memory corruption when the buffer length exceeds capacity.\n\n### Recommended action\n\nWe recommend to update the `zlib` gem to version 3.2.3 or later. In order to ensure compatibility with bundled version in older Ruby series, you may update as follows instead:\n\n* For Ruby 3.2 users: Update to zlib 3.0.1\n* For Ruby 3.3 users: Update to zlib 3.1.2\n\nYou can use gem update zlib to update it. If you are using bundler, please add `gem \"zlib\", \">= 3.2.3\"` to your Gemfile.\n\n### Affected versions\n\nzlib gem 3.2.2 or lower\n\n### Credits\n\n[calysteon](https://hackerone.com/calysteon)\n\n### References\n\n* https://hackerone.com/reports/3467067",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "zlib"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.2.0"
+            },
+            {
+              "fixed": "3.2.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "zlib"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.1.0"
+            },
+            {
+              "fixed": "3.1.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "zlib"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.0.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/ruby/zlib/security/advisories/GHSA-g857-hhfv-j68w"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27820"
+    },
+    {
+      "type": "WEB",
+      "url": "https://hackerone.com/reports/3467067"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/ruby/zlib"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/zlib/CVE-2026-27820.yml"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ruby-lang.org/en/news/2026/03/05/buffer-overflow-zlib-cve-2026-27820"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T20:40:54Z",
+    "nvd_published_at": "2026-04-16T18:16:44Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-jgcf-rf45-2f8v/GHSA-jgcf-rf45-2f8v.json

@@ -0,0 +1,85 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jgcf-rf45-2f8v",
+  "modified": "2026-04-16T20:40:37Z",
+  "published": "2026-04-16T20:40:37Z",
+  "aliases": [
+    "CVE-2026-24749"
+  ],
+  "summary": "Silverstripe Assets Module has a DBFile::getURL() permission bypass",
+  "details": "### Impact\n\nImages rendered in templates or otherwise accessed via `DBFile::getURL()` or `DBFile::getSourceURL()` incorrectly add an access grant to the current session, which bypasses file permissions.\n\nThis usually happens when creating an image variant, for example using a manipulation method like `ScaleWidth()` or `Convert()`.\n\nNote that if you use `DBFile` directly in the `$db` configuration for a `DataObject` class that doesn't subclass `File`, and if you were setting the visibility of those files to \"protected\", those files will now need an explicit access grant to be accessed. If you do not want to explicitly provide access grants for these files (i.e. you want these files to be accessible by default), you should use the \"public\" visibility.\n\n### Reported by\n\nRestruct web & apps",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "silverstripe/assets"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.4.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "silverstripe/assets"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0"
+            },
+            {
+              "fixed": "3.1.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/silverstripe/silverstripe-assets/security/advisories/GHSA-jgcf-rf45-2f8v"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24749"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/silverstripe/silverstripe-assets"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.silverstripe.org/download/security-releases/cve-2026-24749"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266",
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T20:40:37Z",
+    "nvd_published_at": "2026-04-16T18:16:44Z"
+  }
+}