Publish Advisories

GHSA-3x4c-7xq6-9pq8
GHSA-c6hr-w26q-c636
GHSA-vj3g-5px3-gr46

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-3x4c-7xq6-9pq8/GHSA-3x4c-7xq6-9pq8.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3x4c-7xq6-9pq8",
-  "modified": "2026-03-17T16:17:06Z",
+  "modified": "2026-03-19T18:33:24Z",
   "published": "2026-03-17T16:17:06Z",
   "aliases": [
     "CVE-2026-27980"
   ],
   "summary": "Next.js: Unbounded next/image disk cache growth can exhaust storage",
-  "details": "## Summary\nThe default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.\n\n## Impact\nAn attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service.\n\n## Patches\nFixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Periodically clean `.next/cache/images`.\n- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)",
+  "details": "## Summary\nThe default Next.js image optimization disk cache (`/_next/image`) did not have a configurable upper bound, allowing unbounded cache growth.\n\n## Impact\nAn attacker could generate many unique image-optimization variants and exhaust disk space, causing denial of service. Note that this does not impact platforms that have their own image optimization capabilities, such as Vercel.\n\n## Patches\nFixed by adding an LRU-backed disk cache with `images.maximumDiskCacheSize`, including eviction of least-recently-used entries when the limit is exceeded. Setting `maximumDiskCacheSize: 0` disables disk caching. \n\n## Workarounds\nIf upgrade is not immediately possible:\n- Periodically clean `.next/cache/images`.\n- Reduce variant cardinality (e.g., tighten values for `images.localPatterns`, `images.remotePatterns`, and `images.qualities`)",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -25,21 +25,44 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "10.0.0"
+              "introduced": "16.0.0-beta.0"
             },
             {
               "fixed": "16.1.7"
             }
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "next"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "10.0.0"
+            },
+            {
+              "fixed": "15.5.14"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [
     {
       "type": "WEB",
       "url": "https://github.com/vercel/next.js/security/advisories/GHSA-3x4c-7xq6-9pq8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27980"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/vercel/next.js/commit/39eb8e0ac498b48855a0430fbf4c22276a73b4bd"
@@ -60,6 +83,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-17T16:17:06Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-18T01:16:04Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-c6hr-w26q-c636/GHSA-c6hr-w26q-c636.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-c6hr-w26q-c636",
-  "modified": "2026-03-18T01:30:54Z",
+  "modified": "2026-03-19T18:33:51Z",
   "published": "2026-03-02T22:17:30Z",
   "aliases": [
     "CVE-2026-22178"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-c6hr-w26q-c636"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22178"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/74268489137510b6f6349919d1e197b17290d92c"
@@ -51,6 +55,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-redos-and-regex-injection-via-unescaped-feishu-mention-metadata"
     }
   ],
   "database_specific": {
@@ -60,6 +68,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T22:17:30Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-18T02:16:22Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-vj3g-5px3-gr46/GHSA-vj3g-5px3-gr46.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vj3g-5px3-gr46",
-  "modified": "2026-03-18T01:25:43Z",
+  "modified": "2026-03-19T18:34:17Z",
   "published": "2026-03-03T18:42:28Z",
   "aliases": [
     "CVE-2026-22171"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-vj3g-5px3-gr46"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22171"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/c821099157a9767d4df208c6b12f214946507871"
@@ -55,6 +59,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-path-traversal-in-feishu-media-temporary-file-naming"
     }
   ],
   "database_specific": {
@@ -64,6 +72,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T18:42:28Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-18T02:16:21Z"
   }
 }