Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit e73006ae8a16 · 2026-02-11T23:15:12.000Z
GHSA-37qj-frw5-hhjh GHSA-2c4m-g7rx-63q7 GHSA-33mh-2634-fwr2 GHSA-ff9r-ww9c-43x8 GHSA-gwmx-9gcj-332h GHSA-m4g2-2q66-vc9v
diff --git a/advisories/github-reviewed/2026/01/GHSA-37qj-frw5-hhjh/GHSA-37qj-frw5-hhjh.json b/advisories/github-reviewed/2026/01/GHSA-37qj-frw5-hhjh/GHSA-37qj-frw5-hhjh.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-37qj-frw5-hhjh",
-  "modified": "2026-02-11T18:38:19Z",
+  "modified": "2026-02-11T23:13:02Z",
   "published": "2026-01-30T20:10:14Z",
   "aliases": [
     "CVE-2026-25128"
@@ -62,6 +62,7 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-20",
       "CWE-248"
     ],
     "severity": "HIGH",
diff --git a/advisories/github-reviewed/2026/02/GHSA-2c4m-g7rx-63q7/GHSA-2c4m-g7rx-63q7.json b/advisories/github-reviewed/2026/02/GHSA-2c4m-g7rx-63q7/GHSA-2c4m-g7rx-63q7.json
@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2c4m-g7rx-63q7",
-  "modified": "2026-02-11T15:13:28Z",
+  "modified": "2026-02-11T23:12:52Z",
   "published": "2026-02-11T15:13:28Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-26021"
+  ],
   "summary": "set-in Affected by Prototype Pollution",
   "details": "### Summary\nA prototype pollution vulnerability exists in the the npm package set-in (>=2.0.1). Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using Array.prototype. This has been fixed in version 2.0.5.\n\n### Details\nThe vulnerability resides in line 28 of https://github.com/ahdinosaur/set-in/blob/master/index.js where includes() function is used to check whether user provided input contain forbidden strings.\n\n### PoC\n#### Steps to reproduce\n1. Install latest version of set-in using npm install or cloning from git\n2. Run the following code snippet:\n\n```javascript\nArray.prototype.includes = () => false; \nconst si = require('set-in');\nconst obj = {};\nconsole.log({}.polluted);\nsi(obj, [\n    'constructor',\n    'prototype',\n    'polluted'\n], 'yes');\nconsole.log('{ ' + obj.polluted + ', ' + 'yes' + ' }');  // prints yes -> indicating that the patch was bypassed and prototype pollution occurred\n```\n\n#### Expected behavior\nPrototype pollution should be prevented and {} should not gain new properties.\nThis should be printed on the console:\n```\nundefined\nundefined OR throw an Error\n```\n\n#### Actual behavior\nObject.prototype is polluted\nThis is printed on the console:\n```\nundefined \nyes\n```\n\n### Impact\nThis is a prototype pollution vulnerability, which can have severe security implications depending on how set-in is used by downstream applications. Any application that processes attacker-controlled input using this package may be affected.\nIt could potentially lead to the following problems:\n1. Authentication bypass\n2. Denial of service\n3. Remote code execution (if polluted property is passed to sinks like eval or child_process)",
   "severity": [
diff --git a/advisories/github-reviewed/2026/02/GHSA-33mh-2634-fwr2/GHSA-33mh-2634-fwr2.json b/advisories/github-reviewed/2026/02/GHSA-33mh-2634-fwr2/GHSA-33mh-2634-fwr2.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-33mh-2634-fwr2",
-  "modified": "2026-02-09T22:39:44Z",
+  "modified": "2026-02-11T23:13:21Z",
   "published": "2026-02-09T20:37:05Z",
   "aliases": [
     "CVE-2026-25765"
@@ -63,6 +63,10 @@
       "type": "WEB",
       "url": "https://github.com/lostisland/faraday/releases/tag/v2.14.1"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/faraday/CVE-2026-25765.yml"
+    },
     {
       "type": "WEB",
       "url": "https://www.rfc-editor.org/rfc/rfc3986#section-5.2.2"
diff --git a/advisories/github-reviewed/2026/02/GHSA-ff9r-ww9c-43x8/GHSA-ff9r-ww9c-43x8.json b/advisories/github-reviewed/2026/02/GHSA-ff9r-ww9c-43x8/GHSA-ff9r-ww9c-43x8.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-ff9r-ww9c-43x8",
-  "modified": "2026-02-11T18:17:59Z",
+  "modified": "2026-02-11T23:14:14Z",
   "published": "2026-02-11T18:17:58Z",
   "aliases": [
     "CVE-2026-25759"
@@ -40,6 +40,14 @@
       "type": "WEB",
       "url": "https://github.com/statamic/cms/security/advisories/GHSA-ff9r-ww9c-43x8"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25759"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/statamic/cms/commit/6ed4f65f3387686d6dbd816e9b4f18a8d9736ff6"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/statamic/cms"
@@ -56,6 +64,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-11T18:17:58Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-02-11T21:16:19Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-gwmx-9gcj-332h/GHSA-gwmx-9gcj-332h.json b/advisories/github-reviewed/2026/02/GHSA-gwmx-9gcj-332h/GHSA-gwmx-9gcj-332h.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-gwmx-9gcj-332h",
-  "modified": "2026-02-11T16:53:35Z",
+  "modified": "2026-02-11T23:14:08Z",
   "published": "2026-02-11T16:53:35Z",
   "aliases": [
     "CVE-2026-25633"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/statamic/cms/security/advisories/GHSA-gwmx-9gcj-332h"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25633"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/statamic/cms/pull/13883"
@@ -87,6 +91,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-11T16:53:35Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-02-11T21:16:18Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/02/GHSA-m4g2-2q66-vc9v/GHSA-m4g2-2q66-vc9v.json b/advisories/github-reviewed/2026/02/GHSA-m4g2-2q66-vc9v/GHSA-m4g2-2q66-vc9v.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m4g2-2q66-vc9v",
-  "modified": "2026-02-11T18:39:34Z",
+  "modified": "2026-02-11T23:14:19Z",
   "published": "2026-02-11T18:39:34Z",
   "aliases": [
     "CVE-2026-25935"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/security/advisories/GHSA-m4g2-2q66-vc9v"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25935"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/commit/dd0b82f00a8c9ded1c19a1e643a197c514be6d37"
@@ -51,15 +55,20 @@
     {
       "type": "WEB",
       "url": "https://github.com/go-vikunja/vikunja/releases/tag/v1.1.0"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vikunja.io/changelog/vikunja-v1.1.0-was-released"
     }
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-79"
+      "CWE-79",
+      "CWE-80"
     ],
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-02-11T18:39:34Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-02-11T21:16:20Z"
   }
 }
