Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit c84d0ba71b5c · 2026-03-19T18:39:10.000Z
GHSA-6g7g-w4f8-9c9x GHSA-cgcg-q9jh-5pr2 GHSA-hqmj-h5c6-369m
diff --git a/advisories/github-reviewed/2026/03/GHSA-6g7g-w4f8-9c9x/GHSA-6g7g-w4f8-9c9x.json b/advisories/github-reviewed/2026/03/GHSA-6g7g-w4f8-9c9x/GHSA-6g7g-w4f8-9c9x.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6g7g-w4f8-9c9x",
-  "modified": "2026-03-18T13:00:19Z",
+  "modified": "2026-03-19T18:38:45Z",
   "published": "2026-03-18T13:00:19Z",
   "aliases": [],
   "summary": "Denial of service in github.com/buger/jsonparser",
@@ -26,11 +26,14 @@
               "introduced": "0"
             },
             {
-              "last_affected": "1.1.1"
+              "fixed": "1.1.2"
             }
           ]
         }
-      ]
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 1.1.1"
+      }
     }
   ],
   "references": [
@@ -42,13 +45,25 @@
       "type": "WEB",
       "url": "https://github.com/golang/vulndb/issues/4514"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/buger/jsonparser/pull/276"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/buger/jsonparser/commit/a69e7e01cd4ad67bdfd3ac2c080b9212af16f4b0"
+    },
     {
       "type": "WEB",
       "url": "https://cyber.securityinfinity.com/buger-jsonparser-negative-slice-panic-dos-2026"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/buger/jsonparser"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/buger/jsonparser/releases/tag/v1.1.2"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2026/03/GHSA-cgcg-q9jh-5pr2/GHSA-cgcg-q9jh-5pr2.json b/advisories/github-reviewed/2026/03/GHSA-cgcg-q9jh-5pr2/GHSA-cgcg-q9jh-5pr2.json
@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cgcg-q9jh-5pr2",
+  "modified": "2026-03-19T18:37:42Z",
+  "published": "2026-03-19T18:37:42Z",
+  "aliases": [
+    "CVE-2026-33326"
+  ],
+  "summary": "@keystone-6/core: `isFilterable` bypass via `cursor` parameter in findMany (CVE-2025-46720 incomplete fix)",
+  "details": "# Summary  \n`{field}.isFilterable` access control can be bypassed in `findMany` queries by passing a `cursor`.  This can be used to confirm the existence of records by protected field values.\n\nThe fix for [CVE-2025-46720](https://github.com/keystonejs/keystone/security/advisories/GHSA-hg9m-67mm-7pg3) (field-level `isFilterable` bypass for update and delete mutations) added checks to the `where` parameter in `update` and `delete` mutations however the `cursor` parameter in `findMany` was not patched and accepts the same `UniqueWhere` input type.\n\n# Impact  \nThis affects any project relying on `isFilterable` behaviour (at the list or field level) to prevent external users from using the filtering of fields as a discovery mechanism. `isFilterable` access control using a function can be bypassed by using the `cursor` input.\n\nThis has no impact on projects using `isFilterable: false` or `defaultIsFilterable: false` for sensitive fields, or if you have otherwise omitted filtering by these fields from your GraphQL schema. (See workarounds)\n\n# Patches  \nThis issue has been patched in `@keystone-6/core` version 6.5.2.\n\n# Workarounds  \nTo mitigate this issue in older versions where patching is not a viable pathway.\n\n- Set `{field}.isFilterable: false` statically for relevant fields to prevent filtering by them earlier in the access control pipeline (that is, don't use functions)\n- Set `{field}.graphql.omit.read: true` for relevant fields, which implicitly removes filtering by these fields your GraphQL schema",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@keystone-6/core"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.5.2"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.5.1"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/keystonejs/keystone/security/advisories/GHSA-cgcg-q9jh-5pr2"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keystonejs/keystone"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-863"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-19T18:37:42Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-hqmj-h5c6-369m/GHSA-hqmj-h5c6-369m.json b/advisories/github-reviewed/2026/03/GHSA-hqmj-h5c6-369m/GHSA-hqmj-h5c6-369m.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hqmj-h5c6-369m",
-  "modified": "2026-03-16T16:23:28Z",
+  "modified": "2026-03-19T18:36:38Z",
   "published": "2026-03-16T16:23:28Z",
   "aliases": [
     "CVE-2026-28500"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/onnx/onnx/security/advisories/GHSA-hqmj-h5c6-369m"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28500"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/ZeroXJacks/CVEs/blob/main/2026/CVE-2026-28500.md"
@@ -58,6 +62,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-16T16:23:28Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-18T02:16:24Z"
   }
 }
