diff --git a/data/appsmith/BIT-appsmith-2026-49979.json b/data/appsmith/BIT-appsmith-2026-49979.json new file mode 100644 index 0000000000..9a1a3edc65 --- /dev/null +++ b/data/appsmith/BIT-appsmith-2026-49979.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-appsmith-2026-49979", + "summary": "Appsmith: SSRF via `POST /api/v1/admin/send-test-email` — JavaMail Bypasses WebClient IP Filter", + "details": "Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.99, the POST /api/v1/admin/send-test-email endpoint accepts attacker-controlled smtpHost and smtpPort values and establishes a raw JavaMail TCP connection without any IP validation. This completely bypasses WebClientUtils.IP_CHECK_FILTER, which only applies to Spring WebClient HTTP requests. Additionally, the raw MailException.getMessage() is returned verbatim in the API error response, enabling error-based internal port scanning and service banner enumeration. This vulnerability is fixed in 1.99.", + "aliases": [ + "CVE-2026-49979" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "appsmith", + "purl": "pkg:bitnami/appsmith" + }, + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.99.0" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:appsmith:appsmith:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/appsmithorg/appsmith/security/advisories/GHSA-vvxf-f8q9-86gh" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49979" + } + ], + "published": "2026-06-30T17:38:35.185Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-47205.json b/data/envoy/BIT-envoy-2026-47205.json new file mode 100644 index 0000000000..14ff6fdc00 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-47205.json @@ -0,0 +1,67 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-47205", + "summary": "Envoy: ext_authz Use-After-Free during Stream Teardown with Per-Route Overrides", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.36.0 until 1.36.9, 1.37.5, and 1.38.3, a Use-After-Free (UAF) vulnerability leading to a sudden segmentation fault exists in Envoy's ext_authz HTTP filter when processing per-route authorization overrides concurrently with rapid downstream client disconnects. During standard request lifecycles, Envoy instantiates the ext_authz filter with a foundational authorization client object (client_). If a matched route dictates a dynamic per-route HTTP or gRPC authorization service override, the filter generates a localized client. In the vulnerable implementation, this transient client aggressively overwrote the default client_ unique pointer by executing client_ = std::move(per_route_client). When a client rapidly establishes and subsequently tears down a stream (such as rapidly refreshing a protected WebSocket endpoint), the downstream triggers the ConnectionManagerImpl::doDeferredStreamDestroy() -> ActiveStream::onResetStream() lifecycle. Envoy immediately sequences Filter::onDestroy() in an attempt to securely abort dispatched asynchronous authorization check transactions via client_->cancel(). By destructing the default client abruptly during initiateCall, a memory lifecycle misalignment occurs within the async client manager. The stream teardown fails to reliably track and cancel the dynamically bound asynchronous authorization tasks, orchestrating a sequence where a late asynchronous callback from the network evaluates against a heavily destroyed ActiveStream validation span, generating a UAF process crash. This vulnerability is fixed in 1.36.9, 1.37.5, and 1.38.3.", + "aliases": [ + "CVE-2026-47205" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.36.0" + }, + { + "fixed": "1.36.9" + }, + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-mvh9-767w-x47j" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47205" + } + ], + "published": "2026-06-30T17:41:19.987Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-47220.json b/data/envoy/BIT-envoy-2026-47220.json new file mode 100644 index 0000000000..d92fdfa074 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-47220.json @@ -0,0 +1,61 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-47220", + "summary": "Envoy: Segmentation fault when using %REQUESTED_SERVER_NAME% in log format", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, when the %REQUESTED_SERVER_NAME(X:Y)% is used in log format and host related options is specified, like HOST_FIRST, SNI_FIRST, it's possible to crash Envoy when the specified host header is missing in the request headers. This vulnerability is fixed in 1.37.5 and 1.38.3.", + "aliases": [ + "CVE-2026-47220" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "High", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j9wh-4qfm-wf2v" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47220" + } + ], + "published": "2026-06-30T17:41:22.374Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-47775.json b/data/envoy/BIT-envoy-2026-47775.json new file mode 100644 index 0000000000..667cb4ce05 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-47775.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-47775", + "summary": "Envoy OAuth2 Filter: Padding Oracle via AES-256-CBC Cookie Decryption", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, the OAuth2 HTTP filter's encrypt()/decrypt() functions use AES-256-CBC without an authentication tag (no HMAC, no AEAD). The /callback endpoint returns HTTP 302 on successful decryption and HTTP 401 on padding failure, creating a padding oracle. An attacker who obtains the encrypted CodeVerifier cookie can recover the plaintext PKCE code_verifier in ~6,200 requests (~100 seconds), then exchange it with a stolen authorization code to obtain the victim's access token. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.", + "aliases": [ + "CVE-2026-47775" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.35.0" + }, + { + "fixed": "1.35.11" + }, + { + "introduced": "1.36.0" + }, + { + "fixed": "1.36.7" + }, + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.3" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.1" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-396h-jpq4-vc7p" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47775" + } + ], + "published": "2026-06-30T17:41:26.992Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-47778.json b/data/envoy/BIT-envoy-2026-47778.json new file mode 100644 index 0000000000..aadd8193e2 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-47778.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-47778", + "summary": "Envoy: Embedded NUL in TLS DNS SAN Truncation in the Default TLS Certificate Validator. (Auth Bypass)", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a structural flaw was identified in DefaultCertValidator::verifySubjectAltName where the extracted DNS SAN string is cast to a C-style string using .c_str() before being passed to the Utility::dnsNameMatch() algorithm. If the attacker serves a certificate with a dNSName SAN containing an embedded NUL byte, the helper Utility::generalNameAsString captures the complete string including the NUL. However, when .c_str() evaluates it, implicit conversion to absl::string_view inside dnsNameMatch relies on strlen(), prematurely truncating the evaluation context. Envoy evaluates trucated string against the exact required config_san match and returns true, thereby successfully validating the string with the Nul byte for an upstream routing. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.", + "aliases": [ + "CVE-2026-47778" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.35.13" + }, + { + "introduced": "1.36.0" + }, + { + "fixed": "1.36.9" + }, + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f8x4-rw5x-f3r7" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-47778" + } + ], + "published": "2026-06-30T17:41:28.121Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-48042.json b/data/envoy/BIT-envoy-2026-48042.json new file mode 100644 index 0000000000..1f57673901 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-48042.json @@ -0,0 +1,77 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-48042", + "summary": "Envoy: Stack overflow in destructor of highly nested JSON", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, destructor of JSON Object results in stack overflow when deeply O(100K) nested objects are present. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.", + "aliases": [ + "CVE-2026-48042" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.18.0" + }, + { + "fixed": "1.35.13" + }, + { + "introduced": "1.36.0" + }, + { + "fixed": "1.36.9" + }, + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "High", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/blob/099a9d71ebfd8aa9f823e1738b34138cb634a07b/source/common/json/json_loader.h#L21" + }, + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-f24p-rxw2-g6pv" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48042" + } + ], + "published": "2026-06-30T17:41:29.270Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-48044.json b/data/envoy/BIT-envoy-2026-48044.json new file mode 100644 index 0000000000..75d68c83f1 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-48044.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-48044", + "summary": "Envoy Zstd Decompressor: Ratio Check at Wrong Loop Depth lead to memory explosion", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.23.0 until 1.35.11, 1.36.7, 1.37.3, and 1.38.1, a vulnerability has been identified in Envoy's zstd decompressor implementation (ZstdDecompressorImpl). When zstd decompression is enabled, processing a specially crafted, highly compressed zstd payload can lead to massive memory allocation. An attacker can exploit this to cause severe memory exhaustion, potentially resulting in an Out-Of-Memory (OOM) kill and Denial of Service (DoS) for the Envoy proxy. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.", + "aliases": [ + "CVE-2026-48044" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.23.0" + }, + { + "fixed": "1.35.13" + }, + { + "introduced": "1.36.0" + }, + { + "fixed": "1.36.9" + }, + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "High", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-m3p9-47wh-88wg" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48044" + } + ], + "published": "2026-06-30T17:41:30.370Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-48090.json b/data/envoy/BIT-envoy-2026-48090.json new file mode 100644 index 0000000000..b388ea15a9 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-48090.json @@ -0,0 +1,61 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-48090", + "summary": "Envoy HTTP: OAuth2 filter late async token completion after stream teardown (UAF / crash risk)", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.37.0 until 1.37.5 and 1.38.3, the HTTP OAuth2 filter (envoy.filters.http.oauth2) can leave an in-flight async token exchange attached to a downstream stream that has already been torn down. A late AsyncClient completion can still invoke OAuth2Filter methods that use StreamDecoderFilterCallbacks after that object’s lifetime has ended, causing undefined behavior, worker crashes (availability loss), and use-after-free / invalid-vptr failures under AddressSanitizer. This is a memory-safety / lifetime issue in the data plane, not a trivial config bug. Remote code execution is not claimed here; the primary demonstrated impact is DoS via crash and UB; any further impact would be deployment- and allocator-dependent. This vulnerability is fixed in 1.37.5 and 1.38.3.", + "aliases": [ + "CVE-2026-48090" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-3cj2-c63f-q26f" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48090" + } + ], + "published": "2026-06-30T17:41:31.517Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-48497.json b/data/envoy/BIT-envoy-2026-48497.json new file mode 100644 index 0000000000..04fb0f5a0a --- /dev/null +++ b/data/envoy/BIT-envoy-2026-48497.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-48497", + "summary": "Envoy: Abnormal process termination in DNS UDP filter", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, in cases where UDP DNS filter is configured with local resolution containing a name with the length of 255 octets or remote resolution for a name of 255 octets long can complete successfully, a query with such name will result in abnormal process termination. The abnormal process termination is triggered by an invalid runtime precondition that the query name is strictly less than 255 octets, contradicting DNS specification rfc1035#section-2.3.4 that the name can be 255 or less octets. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.", + "aliases": [ + "CVE-2026-48497" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.35.13" + }, + { + "introduced": "1.36.0" + }, + { + "fixed": "1.36.9" + }, + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "High", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-j6g2-wf95-q66q" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48497" + } + ], + "published": "2026-06-30T17:41:32.653Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-48706.json b/data/envoy/BIT-envoy-2026-48706.json new file mode 100644 index 0000000000..2ecceb2574 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-48706.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-48706", + "summary": "Envoy Heap Buffer Overflow in TcpStatsdSink", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. From 1.34.0 until 1.35.13, 1.36.9, 1.37.5, and 1.38.3, a vulnerability exists in Envoy's TCP StatsD sink (TcpStatsdSink), where the thread-local flusher buffer can be overflowed by exceptionally long statistic names (e.g., >16KiB). During formatting, TcpStatsdSink reserves a single contiguous memory slice of 16KiB (FLUSH_SLICE_SIZE_BYTES). If formatting a single metric exceeds the remaining capacity, the flusher initiates a buffer rotation but incorrectly continues to allocate another fixed 16KiB slice. If an attacker can trigger a statistic name longer than 16KiB—for example, by sending an HTTP or gRPC request with an extremely long request path (:path) that is recorded by the grpc_stats filter configured with stats_for_all_methods: true—the flusher will attempt to copy the metric name using memcpy operations beyond the allocated heap buffer boundaries. This leads to a heap write overflow, which can cause immediate denial-of-service (process crash) or potential remote code execution (RCE). This vulnerability is fixed in 1.35.13, 1.36.9, 1.37.5, and 1.38.3.", + "aliases": [ + "CVE-2026-48706" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.34.0" + }, + { + "fixed": "1.35.13" + }, + { + "introduced": "1.36.0" + }, + { + "fixed": "1.36.9" + }, + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "High", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-7q3f-gwg7-j8g4" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48706" + } + ], + "published": "2026-06-30T17:41:33.840Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/envoy/BIT-envoy-2026-48743.json b/data/envoy/BIT-envoy-2026-48743.json new file mode 100644 index 0000000000..2355201c32 --- /dev/null +++ b/data/envoy/BIT-envoy-2026-48743.json @@ -0,0 +1,73 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-envoy-2026-48743", + "summary": "Envoy: HTTP/3 to HTTP/1 request smuggling via headers-only request with nonzero Content-Length", + "details": "Envoy is an open source edge and service proxy designed for cloud-native applications. Prior to 1.35.11, 1.36.7, 1.37.3, and 1.38.1, Envoy can translate a downstream HTTP/3 request that is complete at the transport layer (HEADERS with FIN / headers-only close) but still carries a nonzero Content-Length into a complete upstream HTTP/1 request with unresolved body debt. In an HTTP/1 upstream deployment where the origin replies before reading the declared body and keeps the connection reusable, the beginning of the next Envoy-generated upstream request can be consumed as the first request's body. The remaining bytes are then parsed by the origin as a new HTTP/1 request. This was reproduced as a route-bypass/desync: direct /pwn was denied by Envoy, but the second downstream H3 stream received the response for backend-parsed GET /pwn HTTP/1.1. This vulnerability is fixed in 1.35.11, 1.36.7, 1.37.3, and 1.38.1.", + "aliases": [ + "CVE-2026-48743" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "envoy", + "purl": "pkg:bitnami/envoy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:L/I:H/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.35.0" + }, + { + "fixed": "1.35.13" + }, + { + "introduced": "1.36.0" + }, + { + "fixed": "1.36.9" + }, + { + "introduced": "1.37.0" + }, + { + "fixed": "1.37.5" + }, + { + "introduced": "1.38.0" + }, + { + "fixed": "1.38.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "High", + "cpes": [ + "cpe:2.3:a:envoyproxy:envoy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/envoyproxy/envoy/security/advisories/GHSA-8phg-2h2q-jgxf" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-48743" + } + ], + "published": "2026-06-30T17:41:35.051Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/ghost/BIT-ghost-2026-53943.json b/data/ghost/BIT-ghost-2026-53943.json new file mode 100644 index 0000000000..1998327ad4 --- /dev/null +++ b/data/ghost/BIT-ghost-2026-53943.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-ghost-2026-53943", + "summary": "Ghost: Cache-poisoning XSS in Ghost frontend via x-ghost-preview header", + "details": "Ghost is a Node.js content management system. From until 6.37.0, when Ghost is behind a shared caching layer that results in cached content being shared between different visitors, an unauthenticated user could send an x-ghost-preview header that altered the rendered frontend response. In affected cache configurations, that response could be stored and served to subsequent visitors requesting the same page, allowing cache poisoning of request-specific preview output. When running Ghost's frontend and admin panel on the same domain this could be used to take over staff user accounts. When running these on different domains staff accounts have no exposure. This vulnerability is fixed in 6.37.0.", + "aliases": [ + "CVE-2026-53943" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "ghost", + "purl": "pkg:bitnami/ghost" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "4.0.0" + }, + { + "fixed": "6.37.0" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Critical", + "cpes": [ + "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-62q6-4hv4-vjrw" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53943" + } + ], + "published": "2026-06-30T17:41:18.591Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/ghost/BIT-ghost-2026-53944.json b/data/ghost/BIT-ghost-2026-53944.json new file mode 100644 index 0000000000..42be4a6b8d --- /dev/null +++ b/data/ghost/BIT-ghost-2026-53944.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-ghost-2026-53944", + "summary": "Ghost: Private IP filtering bypass to make server-side requests to internal services", + "details": "Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, when making an external request, it is possible to bypass the IP filter that ensures the request isn't going to an internal service using an IPv6 literal which maps to a private IPv4 address. This vulnerability is fixed in 6.21.1.", + "aliases": [ + "CVE-2026-53944" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "ghost", + "purl": "pkg:bitnami/ghost" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "6.0.9" + }, + { + "fixed": "6.21.1" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-wvp2-4qqp-4h3r" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53944" + } + ], + "published": "2026-06-30T17:41:19.770Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/ghost/BIT-ghost-2026-53945.json b/data/ghost/BIT-ghost-2026-53945.json new file mode 100644 index 0000000000..bad22e9abb --- /dev/null +++ b/data/ghost/BIT-ghost-2026-53945.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-ghost-2026-53945", + "summary": "Ghost: Server-side request forgery via DNS rebinding in external request handling", + "details": "Ghost is a Node.js content management system. From 6.0.9 until 6.21.1, Ghost’s private-IP check for outbound HTTP requests could be bypassed via DNS rebinding, allowing an attacker to coerce the Ghost server into reaching hosts on internal networks through features that issue external fetches. This vulnerability is fixed in 6.21.1.", + "aliases": [ + "CVE-2026-53945" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "ghost", + "purl": "pkg:bitnami/ghost" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "6.0.9" + }, + { + "fixed": "6.21.1" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-ch52-px8q-f22j" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53945" + } + ], + "published": "2026-06-30T17:41:20.954Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/ghost/BIT-ghost-2026-53946.json b/data/ghost/BIT-ghost-2026-53946.json new file mode 100644 index 0000000000..684cedfa3d --- /dev/null +++ b/data/ghost/BIT-ghost-2026-53946.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-ghost-2026-53946", + "summary": "Ghost: Mobiledoc image-size fetch SSRF", + "details": "Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, when re-rendering posts, Ghost would refetch missing image dimensions by issuing an outbound HTTP request to the URL stored on an image card — without restricting that URL to trusted image hosts. An authenticated staff user able to create or edit posts could therefore point an image card at an attacker-chosen host and cause the Ghost server to request it on their behalf, including hosts on internal networks or cloud instance metadata endpoints that would not normally be reachable from the public internet. This vulnerability is fixed in 6.21.1.", + "aliases": [ + "CVE-2026-53946" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "ghost", + "purl": "pkg:bitnami/ghost" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "6.19.4" + }, + { + "fixed": "6.21.1" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-g366-23fw-ggp6" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53946" + } + ], + "published": "2026-06-30T17:41:22.073Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/ghost/BIT-ghost-2026-53947.json b/data/ghost/BIT-ghost-2026-53947.json new file mode 100644 index 0000000000..cf44e52ed3 --- /dev/null +++ b/data/ghost/BIT-ghost-2026-53947.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-ghost-2026-53947", + "summary": "Ghost: Member existence leak via magic link sign-in response", + "details": "Ghost is a Node.js content management system. From 5.18.0 until 6.21.1, a discrepancy in responses from the members signin endpoints made it possible for an unauthenticated attacker to determine whether a given email address belongs to a registered member of a Ghost site. This vulnerability is fixed in 6.21.1.", + "aliases": [ + "CVE-2026-53947" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "ghost", + "purl": "pkg:bitnami/ghost" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "5.18.0" + }, + { + "fixed": "6.21.1" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-chgm-3698-jm42" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53947" + } + ], + "published": "2026-06-30T17:41:23.195Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/ghost/BIT-ghost-2026-53948.json b/data/ghost/BIT-ghost-2026-53948.json new file mode 100644 index 0000000000..13df0d71ac --- /dev/null +++ b/data/ghost/BIT-ghost-2026-53948.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-ghost-2026-53948", + "summary": "Ghost: File Upload Content-Type Spoofing", + "details": "Ghost is a Node.js content management system. From 6.19.4 until 6.21.1, insufficient validation of the client-supplied Content-Type on Ghost's Admin API file upload endpoint allowed uploaded files to be served from the site with an attacker-chosen content type on S3/GCS storage backends. On installations that serve uploaded files from the same origin as the site, this could have been used to facilitate stored cross-site scripting against site visitors or staff. This vulnerability is fixed in 6.21.1.", + "aliases": [ + "CVE-2026-53948" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "ghost", + "purl": "pkg:bitnami/ghost" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "6.19.4" + }, + { + "fixed": "6.21.1" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-944x-pm95-3jpr" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53948" + } + ], + "published": "2026-06-30T17:41:24.356Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/ghost/BIT-ghost-2026-53949.json b/data/ghost/BIT-ghost-2026-53949.json new file mode 100644 index 0000000000..e22470e778 --- /dev/null +++ b/data/ghost/BIT-ghost-2026-53949.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-ghost-2026-53949", + "summary": "Ghost Content API filter bypass reveals private fields", + "details": "Ghost is a Node.js content management system. From 5.46.1 until 6.21.2, the validation applied to filters on the public API endpoints could be partially bypassed, making it possible to reveal private fields via a brute force attack. If SQLite was used as the database password hashes were fully accessible. If MySQL was used as the database the password hashes' case (uppercase / lowercase) would have been lost, which would likely have rendered a further brute force attack on the discovered hashes fruitless. This vulnerability is fixed in 6.21.2.", + "aliases": [ + "CVE-2026-53949" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "ghost", + "purl": "pkg:bitnami/ghost" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "5.46.1" + }, + { + "fixed": "6.21.2" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-jx35-x7fj-vgpr" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53949" + } + ], + "published": "2026-06-30T17:41:25.491Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/ghost/BIT-ghost-2026-53950.json b/data/ghost/BIT-ghost-2026-53950.json new file mode 100644 index 0000000000..6b7e2a9477 --- /dev/null +++ b/data/ghost/BIT-ghost-2026-53950.json @@ -0,0 +1,55 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-ghost-2026-53950", + "summary": "@tryghost/activitypub: XSS in Ghost's ActivityPub client", + "details": "@tryghost/activitypub is Ghost’s social/federation client app. Prior to 3.1.0, the ActivityPub client in Ghost was vulnerable to JavaScript injection on posts shared by a maliciously customised ActivityPub server. This vulnerability is fixed in 3.1.0.", + "aliases": [ + "CVE-2026-53950" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "ghost", + "purl": "pkg:bitnami/ghost" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "3.1.0" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "High", + "cpes": [ + "cpe:2.3:a:ghost:ghost:*:*:*:*:*:node.js:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-xpp7-93x6-v29m" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-53950" + } + ], + "published": "2026-06-30T17:41:26.639Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/haproxy/BIT-haproxy-2026-33555.json b/data/haproxy/BIT-haproxy-2026-33555.json new file mode 100644 index 0000000000..4e9f665622 --- /dev/null +++ b/data/haproxy/BIT-haproxy-2026-33555.json @@ -0,0 +1,70 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-haproxy-2026-33555", + "details": "An issue was discovered in HAProxy before 3.3.6. The HTTP/3 parser does not check that the received body length matches a previously announced content-length when the stream is closed via a frame with an empty payload. This can cause desynchronization issues with the backend server and could be used for request smuggling. The earliest affected version is 2.6.", + "aliases": [ + "CVE-2026-33555" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "haproxy", + "purl": "pkg:bitnami/haproxy" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:N/I:L/A:N" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "2.6.0" + }, + { + "fixed": "3.3.6" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Medium", + "cpes": [ + "cpe:2.3:a:haproxy:haproxy:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/haproxy/haproxy/commit/05a295441c621089ffa4318daf0dbca2dd756a84" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33555" + }, + { + "type": "WEB", + "url": "https://r3verii.github.io/cve/2026/04/14/haproxy-h3-standalone-fin-smuggling.html" + }, + { + "type": "WEB", + "url": "https://www.haproxy.com/documentation/haproxy-aloha/changelog/" + }, + { + "type": "WEB", + "url": "https://www.haproxy.org" + }, + { + "type": "WEB", + "url": "https://www.mail-archive.com/haproxy@formilux.org/msg46752.html" + } + ], + "published": "2026-06-30T17:41:30.270Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/java-min/BIT-java-min-2025-10911.json b/data/java-min/BIT-java-min-2025-10911.json index 147d2c19cf..5066dbbb55 100644 --- a/data/java-min/BIT-java-min-2025-10911.json +++ b/data/java-min/BIT-java-min-2025-10911.json @@ -106,8 +106,16 @@ { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2026:29976" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:30847" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:33313" } ], "published": "2026-05-06T14:45:16.318Z", - "modified": "2026-06-29T06:04:07.500Z" + "modified": "2026-06-30T18:03:49.219Z" } \ No newline at end of file diff --git a/data/java/BIT-java-2025-10911.json b/data/java/BIT-java-2025-10911.json index f1e844bc9b..4260f1f882 100644 --- a/data/java/BIT-java-2025-10911.json +++ b/data/java/BIT-java-2025-10911.json @@ -106,8 +106,16 @@ { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2026:29976" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:30847" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:33313" } ], "published": "2026-05-06T14:45:14.224Z", - "modified": "2026-06-29T06:04:07.500Z" + "modified": "2026-06-30T18:03:49.219Z" } \ No newline at end of file diff --git a/data/jre/BIT-jre-2025-10911.json b/data/jre/BIT-jre-2025-10911.json index 435ea1d513..898d7e408c 100644 --- a/data/jre/BIT-jre-2025-10911.json +++ b/data/jre/BIT-jre-2025-10911.json @@ -106,8 +106,16 @@ { "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2026:29976" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:30847" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:33313" } ], "published": "2026-05-08T05:46:52.544Z", - "modified": "2026-06-29T06:04:07.500Z" + "modified": "2026-06-30T18:03:49.219Z" } \ No newline at end of file diff --git a/data/rclone/BIT-rclone-2026-49980.json b/data/rclone/BIT-rclone-2026-49980.json new file mode 100644 index 0000000000..50f7fde2cb --- /dev/null +++ b/data/rclone/BIT-rclone-2026-49980.json @@ -0,0 +1,67 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-rclone-2026-49980", + "summary": "Rclone: Unauthenticated command execution in `rclone rcd --rc-serve` via inline remote instantiation, bypassing CVE-2026-41179 fix", + "details": "Rclone is a command-line program to sync files and directories to and from different cloud storage providers. From 1.46.0 until 1.74.3, rclone rcd --rc-serve accepts unauthenticated GET and HEAD requests to paths of the form: /[remote:path]/object. The remote value is parsed from the URL and passed to normal backend initialization. Inline remote configuration can set backend options that execute local commands during initialization. As a result, a single unauthenticated GET or HEAD request can execute a command as the rclone process user. This vulnerability is fixed in 1.74.3.", + "aliases": [ + "CVE-2026-49980" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "rclone", + "purl": "pkg:bitnami/rclone" + }, + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "1.46.0" + }, + { + "fixed": "1.74.3" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "Critical", + "cpes": [ + "cpe:2.3:a:rclone:rclone:*:*:*:*:*:go:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2026-49980" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2492478" + }, + { + "type": "WEB", + "url": "https://github.com/rclone/rclone/security/advisories/GHSA-qw24-gh76-8rvv" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-49980" + }, + { + "type": "WEB", + "url": "https://security.access.redhat.com/data/csaf/v2/vex/2026/cve-2026-49980.json" + } + ], + "published": "2026-06-30T17:50:28.116Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file diff --git a/data/seaweedfs/BIT-seaweedfs-2026-54917.json b/data/seaweedfs/BIT-seaweedfs-2026-54917.json new file mode 100644 index 0000000000..06339095ea --- /dev/null +++ b/data/seaweedfs/BIT-seaweedfs-2026-54917.json @@ -0,0 +1,59 @@ +{ + "schema_version": "1.6.2", + "id": "BIT-seaweedfs-2026-54917", + "summary": "SeaweedFS: Path traversal in the S3 and Iceberg REST gateways allows cross-bucket access", + "details": "SeaweedFS is a distributed storage system for object storage (S3), file systems, and Iceberg tables. Prior to 4.30, the S3 API gateway and the Iceberg REST catalog gateway construct their routers with mux.NewRouter().SkipClean(true). With path cleaning disabled, a .. segment inside the URL survives routing, so a request such as `GET /bucket-A/../evil-bucket/key`, is matched as bucket=bucket-A, object=../evil-bucket/key. The captured object key is then joined into a filer path with util.JoinPath (S3) / path.Join (Iceberg), which collapse the .. server-side, so the actual read or write lands in evil-bucket. This vulnerability is fixed in 4.30.", + "aliases": [ + "CVE-2026-54917" + ], + "affected": [ + { + "package": { + "ecosystem": "Bitnami", + "name": "seaweedfs", + "purl": "pkg:bitnami/seaweedfs" + }, + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "4.30.0" + } + ] + } + ] + } + ], + "database_specific": { + "severity": "High", + "cpes": [ + "cpe:2.3:a:seaweedfs:seaweedfs:*:*:*:*:*:*:*:*" + ] + }, + "references": [ + { + "type": "WEB", + "url": "https://github.com/seaweedfs/seaweedfs/pull/9687" + }, + { + "type": "WEB", + "url": "https://github.com/seaweedfs/seaweedfs/security/advisories/GHSA-w62w-66v9-vvgv" + }, + { + "type": "WEB", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-54917" + } + ], + "published": "2026-06-30T17:50:53.486Z", + "modified": "2026-06-30T18:03:49.219Z" +} \ No newline at end of file