Common Weakness Enumeration

CWE-1395

Allowed-with-Review

Dependency on Vulnerable Third-Party Component

Abstraction: Class · Status: Incomplete

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

110 vulnerabilities reference this CWE, most recent first.

GHSA-5J8P-438X-RGG5

Vulnerability from github – Published: 2025-12-09 17:24 – Updated: 2025-12-09 17:24
VLAI
Summary
SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475
Details

Summary

There is a critical vulnerability on xmlseclibs CVE-2025-66475, a dependency of php-saml

Update to the following versions of php-saml which forces the use of patched versions of xmlseclibs: - 2.21.1 - 3.8.1 - 4.3.1

Impact

Signature Wrapping Vulnerabilities allows an attacker to impersonate a user.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "onelogin/php-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.21.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "onelogin/php-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.0.0"
            },
            {
              "fixed": "3.8.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Packagist",
        "name": "onelogin/php-saml"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "4.0.0"
            },
            {
              "fixed": "4.3.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-12-09T17:24:09Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "**Summary**\n\nThere is a critical vulnerability on xmlseclibs [CVE-2025-66475](https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9), a dependency of php-saml\n\nUpdate to the following versions of php-saml which forces the use of patched versions of xmlseclibs:\n- [2.21.1](https://github.com/SAML-Toolkits/php-saml/releases/tag/2.21.1)\n- [3.8.1](https://github.com/SAML-Toolkits/php-saml/releases/tag/3.8.1)\n- [4.3.1](https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.1)\n\n\n**Impact**\n\nSignature Wrapping Vulnerabilities allows an attacker to impersonate a user.",
  "id": "GHSA-5j8p-438x-rgg5",
  "modified": "2025-12-09T17:24:09Z",
  "published": "2025-12-09T17:24:09Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/php-saml/security/advisories/GHSA-5j8p-438x-rgg5"
    },
    {
      "type": "WEB",
      "url": "https://github.com/robrichards/xmlseclibs/security/advisories/GHSA-c4cc-x928-vjw9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/SAML-Toolkits/php-saml"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/php-saml/releases/tag/2.21.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/php-saml/releases/tag/3.8.1"
    },
    {
      "type": "WEB",
      "url": "https://github.com/SAML-Toolkits/php-saml/releases/tag/4.3.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": " SAML PHP Toolkit Vulnerability on xmlseclibs CVE-2025-66475 "
}

GHSA-5MWF-688X-MR7X

Vulnerability from github – Published: 2025-02-19 22:17 – Updated: 2025-03-10 22:39
VLAI
Summary
Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171
Details

Duplicate Advisory

This advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.

Original Description

Summary

Nokogiri v1.18.3 upgrades its dependency libxml2 to v2.13.6.

libxml2 v2.13.6 addresses:

  • CVE-2025-24928
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847
  • CVE-2024-56171
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828

Impact

CVE-2025-24928

Stack-buffer overflow is possible when reporting DTD validation errors if the input contains a long (~3kb) QName prefix.

CVE-2024-56171

Use-after-free is possible during validation against untrusted XML Schemas (.xsd) and, potentially, validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-19T22:17:19Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "# Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-vvfq-8hwr-qm4m. This link is maintained to preserve external references.\n\n# Original Description\n\n## Summary\n\nNokogiri v1.18.3 upgrades its dependency libxml2 to\n[v2.13.6](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.6).\n\nlibxml2 v2.13.6 addresses:\n\n- CVE-2025-24928\n  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/847\n- CVE-2024-56171\n   - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/828\n\n## Impact\n\n### CVE-2025-24928\n\nStack-buffer overflow is possible when reporting DTD validation\nerrors if the input contains a long (~3kb) QName prefix.\n\n### CVE-2024-56171\n\nUse-after-free is possible during validation against untrusted\nXML Schemas (.xsd) and, potentially, validation of untrusted documents\nagainst trusted Schemas if they make use of `xsd:keyref` in combination\nwith recursively defined types that have additional identity constraints.",
  "id": "GHSA-5mwf-688x-mr7x",
  "modified": "2025-03-10T22:39:14Z",
  "published": "2025-02-19T22:17:19Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-vvfq-8hwr-qm4m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/nokogiri/GHSA-vvfq-8hwr-qm4m.yml"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Duplicate Advisory: Nokogiri updates packaged libxml2 to 2.13.6 to resolve CVE-2025-24928 and CVE-2024-56171",
  "withdrawn": "2025-03-10T22:39:14Z"
}

GHSA-5PMW-9J92-3C4C

Vulnerability from github – Published: 2025-02-24 18:27 – Updated: 2025-02-24 18:27
VLAI
Summary
OpenH264 Rust API Openh264 Decoding Functions Heap Overflow Vulnerability
Details

OpenH264 recently reported a heap overflow that was fixed in upstream 63db555 and integrated into our 0.6.6 release. For users relying on Cisco's pre-compiled DLL, we also published 0.8.0, which is compatible with their latest fixed DLL version 2.6.0.

In other words: - if you rely on our source feature only, >=0.6.6 should be safe, - if you rely on libloading, you must upgrade to 0.8.0 and use their latest DLL >=2.6.0.

Users handling untrusted video files should update immediately.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "openh264-sys2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.8.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-122",
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-24T18:27:25Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "OpenH264 recently reported a [heap overflow](https://github.com/cisco/openh264/security/advisories/GHSA-m99q-5j7x-7m9x) that was fixed in upstream [63db555](https://github.com/cisco/openh264/commit/63db555e30986e3a5f07871368dc90ae78c27449) and [integrated into](https://github.com/ralfbiedert/openh264-rs/commit/3a822fff0b4c9a984622ca2b179fe8898ac54b14) our 0.6.6 release. For users relying on Cisco\u0027s pre-compiled DLL, we also published 0.8.0, which is compatible with their latest fixed DLL version  2.6.0. \n\nIn other words:\n- if you rely on our `source` feature only, \u003e=0.6.6 should be safe,\n- if you rely on `libloading`, you must upgrade to 0.8.0 _and_ use their latest DLL \u003e=2.6.0. \n\nUsers handling untrusted video files should update immediately.",
  "id": "GHSA-5pmw-9j92-3c4c",
  "modified": "2025-02-24T18:27:25Z",
  "published": "2025-02-24T18:27:25Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27091"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisco/openh264/pull/3818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/ralfbiedert/openh264-rs/commit/3a822fff0b4c9a984622ca2b179fe8898ac54b14"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/ralfbiedert/openh264-rs"
    },
    {
      "type": "WEB",
      "url": "https://rustsec.org/advisories/RUSTSEC-2025-0008.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "OpenH264 Rust API Openh264 Decoding Functions Heap Overflow Vulnerability"
}

GHSA-5W6V-399V-W3CC

Vulnerability from github – Published: 2025-04-21 21:55 – Updated: 2025-04-21 21:55
VLAI
Summary
Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415
Details

Summary

Nokogiri v1.18.8 upgrades its dependency libxml2 to v2.13.8.

libxml2 v2.13.8 addresses:

  • CVE-2025-32414
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889
  • CVE-2025-32415
  • described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890

Impact

CVE-2025-32414: No impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.

There is no impact from this CVE for Nokogiri users.

CVE-2025-32415: Low impact

In libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.

In the upstream issue, further context is provided by the maintainer:

The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted documents against trusted Schemas if they make use of xsd:keyref in combination with recursively defined types that have additional identity constraints.

MITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "RubyGems",
        "name": "nokogiri"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "1.18.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-04-21T21:55:56Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "## Summary\n\nNokogiri v1.18.8 upgrades its dependency libxml2 to [v2.13.8](https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8).\n\nlibxml2 v2.13.8 addresses:\n\n- CVE-2025-32414\n  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/889\n- CVE-2025-32415\n  - described at https://gitlab.gnome.org/GNOME/libxml2/-/issues/890\n\n## Impact\n\n### CVE-2025-32414: No impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, out-of-bounds memory access can occur in the Python API (Python bindings) because of an incorrect return value. This occurs in xmlPythonFileRead and xmlPythonFileReadRaw because of a difference between bytes and characters.\n\n**There is no impact** from this CVE for Nokogiri users.\n\n\n### CVE-2025-32415: Low impact\n\nIn libxml2 before 2.13.8 and 2.14.x before 2.14.2, xmlSchemaIDCFillNodeTables in xmlschemas.c has a heap-based buffer under-read. To exploit this, a crafted XML document must be validated against an XML schema with certain identity constraints, or a crafted XML schema must be used.\n\nIn the upstream issue, further context is provided by the maintainer:\n\n\u003e The bug affects validation against untrusted XML Schemas (.xsd) and validation of untrusted\n\u003e documents against trusted Schemas if they make use of xsd:keyref in combination with recursively\n\u003e defined types that have additional identity constraints.\n\nMITRE has published a severity score of 2.9 LOW (CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L) for this CVE.",
  "id": "GHSA-5w6v-399v-w3cc",
  "modified": "2025-04-21T21:55:56Z",
  "published": "2025-04-21T21:55:56Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/sparklemotion/nokogiri/security/advisories/GHSA-5w6v-399v-w3cc"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/sparklemotion/nokogiri"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/889"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/issues/890"
    },
    {
      "type": "WEB",
      "url": "https://gitlab.gnome.org/GNOME/libxml2/-/releases/v2.13.8"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Nokogiri updates packaged libxml2 to v2.13.8 to resolve CVE-2025-32414 and CVE-2025-32415"
}

GHSA-63CX-G855-HVV4

Vulnerability from github – Published: 2025-08-25 21:01 – Updated: 2025-08-25 21:01
VLAI
Summary
mitmproxy binaries embed a vulnerable python-hyper/h2 dependency
Details

mitmproxy 12.1.1 and below embed python-hyper/h2 ≤ v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1. For example, this affects reverse proxies to http:// backends. It does not affect mitmproxy's regular mode.

All users are encouraged to upgrade to mitmproxy 12.1.2, which includes a fixed version of h2.

More details about the vulnerability itself can be found at https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 12.1.1"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "mitmproxy"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "12.1.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-444"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-08-25T21:01:00Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "mitmproxy 12.1.1 and below embed python-hyper/h2 \u2264 v4.2.0, which has a gap in its HTTP/2 header validation. This enables request smuggling attacks when mitmproxy is in a configuration where it translates HTTP/2 to HTTP/1. For example, this affects reverse proxies to `http://` backends. It does not affect mitmproxy\u0027s regular mode.\n\nAll users are encouraged to upgrade to mitmproxy 12.1.2, which includes a fixed version of h2.\n\nMore details about the vulnerability itself can be found at https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h.",
  "id": "GHSA-63cx-g855-hvv4",
  "modified": "2025-08-25T21:01:01Z",
  "published": "2025-08-25T21:01:00Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-63cx-g855-hvv4"
    },
    {
      "type": "WEB",
      "url": "https://github.com/python-hyper/h2/security/advisories/GHSA-847f-9342-265h"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/mitmproxy/mitmproxy"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "mitmproxy binaries embed a vulnerable python-hyper/h2 dependency"
}

GHSA-64GP-R758-8PFM

Vulnerability from github – Published: 2024-12-23 20:15 – Updated: 2024-12-23 20:15
VLAI
Summary
Cross Site Scripting (XSS) vulnerability while uploading content to a new deployment
Details

A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server.

Impact

Cross-site scripting (XSS) vulnerability in the management console.

Patches

Fixed in HAL 3.7.7.Final

Workarounds

No workaround available

References

See also: https://issues.redhat.com/browse/WFLY-19969

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jboss.hal:hal-console"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.7.7.Final"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-12-23T20:15:16Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "A vulnerability was found in the WildFly management console. A user may perform cross-site scripting in the deployment system. An attacker (or insider) may execute a malicious payload which could trigger an undesired behavior against the server.\n\n### Impact\nCross-site scripting (XSS) vulnerability in the management console.\n\n### Patches\nFixed in [HAL 3.7.7.Final](https://github.com/hal/console/releases/tag/v3.7.7) \n\n### Workarounds\nNo workaround available\n\n### References\nSee also: https://issues.redhat.com/browse/WFLY-19969\n",
  "id": "GHSA-64gp-r758-8pfm",
  "modified": "2024-12-23T20:15:16Z",
  "published": "2024-12-23T20:15:16Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/hal/console/security/advisories/GHSA-64gp-r758-8pfm"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/hal/console"
    },
    {
      "type": "WEB",
      "url": "https://github.com/hal/console/releases/tag/v3.7.7"
    },
    {
      "type": "WEB",
      "url": "https://issues.redhat.com/browse/WFLY-19969"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Cross Site Scripting (XSS) vulnerability while uploading content to a new deployment"
}

GHSA-658G-P7JG-WX5G

Vulnerability from github – Published: 2026-04-02 18:34 – Updated: 2026-04-06 23:41
VLAI
Summary
Axios npm Supply Chain Incident Impacting @usebruno/cli
Details

Impact

This is a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).

Users of @usebruno/cli who ran npm install between 00:21 UTC and ~03:30 UTC on March 31, 2026 may have been impacted.

Potential impact includes:

  • Execution of a malicious postinstall script
  • Remote Access Trojan (RAT) installation
  • Exfiltration of credentials and sensitive data

Not impacted:

  • Bruno desktop app users
  • Users who installed outside the attack window

Patches

The compromised axios versions (1.14.1, 0.30.4) have been removed from npm, and new installations will now resolve to safe versions.

Additionally, Bruno has taken further hardening steps:

Recommendation

If users installed @usebruno/cli during the affected window: 1. Reinstall dependencies 2. Rotate all credentials and secrets:

For additional guidance on securing your system, refer to this article: https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 3.2.0"
      },
      "package": {
        "ecosystem": "npm",
        "name": "@usebruno/cli"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.2.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-34841"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-494",
      "CWE-506"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-02T18:34:04Z",
    "nvd_published_at": "2026-04-06T17:17:10Z",
    "severity": "CRITICAL"
  },
  "details": "### **Impact**\n\nThis is a **supply chain attack** involving compromised versions of the `axios` npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan (RAT).\n\nUsers of **@usebruno/cli** who ran `npm install` between **00:21 UTC and ~03:30 UTC on March 31, 2026** may have been impacted.\n\nPotential impact includes:\n\n* Execution of a malicious `postinstall` script\n* Remote Access Trojan (RAT) installation\n* Exfiltration of credentials and sensitive data\n\n**Not impacted:**\n\n* Bruno desktop app users\n* Users who installed outside the attack window\n\n\n### **Patches**\n\nThe compromised `axios` versions (`1.14.1`, `0.30.4`) have been **removed from npm**, and new installations will now resolve to safe versions.\n\nAdditionally, Bruno has taken further hardening steps:\n\n* Pinned `axios` to a known safe version to prevent accidental resolution to malicious releases\n* Fix implemented in: [https://github.com/usebruno/bruno/pull/7632](https://github.com/usebruno/bruno/pull/7632)\n\n\n### **Recommendation**\n\nIf users installed **@usebruno/cli** during the affected window:\n1. Reinstall dependencies\n2. Rotate all credentials and secrets:\n\nFor additional guidance on securing your system, refer to this article:\nhttps://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat",
  "id": "GHSA-658g-p7jg-wx5g",
  "modified": "2026-04-06T23:41:01Z",
  "published": "2026-04-02T18:34:04Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/usebruno/bruno/security/advisories/GHSA-658g-p7jg-wx5g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34841"
    },
    {
      "type": "WEB",
      "url": "https://github.com/axios/axios/issues/10604"
    },
    {
      "type": "WEB",
      "url": "https://github.com/usebruno/bruno/pull/7632"
    },
    {
      "type": "ADVISORY",
      "url": "https://github.com/advisories/GHSA-fw8c-xr5c-95f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/usebruno/bruno"
    },
    {
      "type": "WEB",
      "url": "https://www.aikido.dev/blog/axios-npm-compromised-maintainer-hijacked-rat"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Axios npm Supply Chain Incident Impacting @usebruno/cli"
}

GHSA-6JQF-MV7M-3Q7P

Vulnerability from github – Published: 2025-11-13 22:36 – Updated: 2025-11-17 21:50
VLAI
Summary
File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency
Details

The standard library net/http package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. I can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.

See https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 2.45.1"
      },
      "package": {
        "ecosystem": "Go",
        "name": "github.com/filebrowser/filebrowser/v2"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.45.2"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-11-13T22:36:01Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "The standard library `net/http` package dependency used by File Browser improperly accepts a bare LF as a line terminator in chunked data chunk-size lines. I can permit request smuggling if a net/http server is used in conjunction with a server that incorrectly accepts a bare LF as part of a chunk-ext.\n\nSee https://nvd.nist.gov/vuln/detail/CVE-2025-22871 for more details.",
  "id": "GHSA-6jqf-mv7m-3q7p",
  "modified": "2025-11-17T21:50:44Z",
  "published": "2025-11-13T22:36:01Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/filebrowser/filebrowser/security/advisories/GHSA-6jqf-mv7m-3q7p"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-22871"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/filebrowser/filebrowser"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "File Browser has risk of HTTP Request/Response smuggling through vulnerable dependency"
}

GHSA-6VXV-WG6J-5QWP

Vulnerability from github – Published: 2026-06-19 21:42 – Updated: 2026-06-19 21:42
VLAI
Summary
Gogs: XSS in .ipynb files renderer due to outdated notebookjs
Details

Summary

Gogs renders Jupyter notebook files (.ipynb) using jsvine/notebookjs, but the version is outdated, missing patches for known XSS vulnerabilities.

Details

Gogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:

https://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47

The latest version of jsvine/notebookjs is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.

PoC

  1. Create a new repository
  2. Create a file inside the repository named xss.ipynb and give it the following content:
{"cells": [{"cell_type": "markdown", "metadata": {}, "source": ["<img src=x onerror=\"alert(origin)\">"]}], "metadata": {}, "nbformat": 4, "nbformat_minor": 2}

image

  1. Save the file and view the file in Gogs. Notice that the XSS popup triggers:

image

Impact

Any user with rights to create repositories can create XSS payloads that take over the victim's account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.14.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-80"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-06-19T21:42:52Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\n\nGogs renders Jupyter notebook files (`.ipynb`) using [jsvine/notebookjs](https://github.com/jsvine/notebookjs), but the version is outdated, missing patches for known XSS vulnerabilities.\n\n### Details\n\nGogs uses version 0.4.2 of notebookjs to render Jupyter notebook files:\n\nhttps://github.com/gogs/gogs/blob/7297aee50d4c115836c7de8a3a233daaef87b911/templates/base/head.tmpl#L47\n\nThe latest version of [jsvine/notebookjs](https://github.com/jsvine/notebookjs) is 0.8.3, patching many XSS vulnerabilities in its releases. The proof of concept below shows an example working payload that renders HTML through Markdown.\n\n### PoC\n\n1. Create a new repository\n2. Create a file inside the repository named `xss.ipynb` and give it the following content:\n\n```json\n{\"cells\": [{\"cell_type\": \"markdown\", \"metadata\": {}, \"source\": [\"\u003cimg src=x onerror=\\\"alert(origin)\\\"\u003e\"]}], \"metadata\": {}, \"nbformat\": 4, \"nbformat_minor\": 2}\n```\n\n\u003cimg width=\"1054\" height=\"208\" alt=\"image\" src=\"https://github.com/user-attachments/assets/49b7f33c-c4df-4537-99e9-b1ea74f2c6de\" /\u003e\n\n3. Save the file and view the file in Gogs. Notice that the XSS popup triggers:\n\n\u003cimg width=\"1317\" height=\"407\" alt=\"image\" src=\"https://github.com/user-attachments/assets/3b18d870-7194-41b0-92db-687e952abc07\" /\u003e\n\n### Impact\n\nAny user with rights to create repositories can create XSS payloads that take over the victim\u0027s account when visited. Either through their own exploration of the files or by directly linking them the vulnerable URL.",
  "id": "GHSA-6vxv-wg6j-5qwp",
  "modified": "2026-06-19T21:42:52Z",
  "published": "2026-06-19T21:42:52Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-6vxv-wg6j-5qwp"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Gogs: XSS in .ipynb files renderer due to outdated notebookjs"
}

GHSA-79V4-65XG-PQ4G

Vulnerability from github – Published: 2025-02-11 18:06 – Updated: 2025-02-12 18:20
VLAI
Summary
Vulnerable OpenSSL included in cryptography wheels
Details

pyca/cryptography's wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.

If you are building cryptography source ("sdist") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "cryptography"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "42.0.0"
            },
            {
              "fixed": "44.0.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-12797"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-392"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2025-02-11T18:06:42Z",
    "nvd_published_at": "2025-02-11T16:15:38Z",
    "severity": "LOW"
  },
  "details": "pyca/cryptography\u0027s wheels include a statically linked copy of OpenSSL. The versions of OpenSSL included in cryptography 42.0.0-44.0.0 are vulnerable to a security issue. More details about the vulnerability itself can be found in https://openssl-library.org/news/secadv/20250211.txt.\n\nIf you are building cryptography source (\"sdist\") then you are responsible for upgrading your copy of OpenSSL. Only users installing from wheels built by the cryptography project (i.e., those distributed on PyPI) need to update their cryptography versions.",
  "id": "GHSA-79v4-65xg-pq4g",
  "modified": "2025-02-12T18:20:06Z",
  "published": "2025-02-11T18:06:42Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pyca/cryptography/security/advisories/GHSA-79v4-65xg-pq4g"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-12797"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/738d4f9fdeaad57660dcba50a619fafced3fd5e9"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/798779d43494549b611233f92652f0da5328fbe7"
    },
    {
      "type": "WEB",
      "url": "https://github.com/openssl/openssl/commit/87ebd203feffcf92ad5889df92f90bb0ee10a699"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pyca/cryptography"
    },
    {
      "type": "WEB",
      "url": "https://openssl-library.org/news/secadv/20250211.txt"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/11/3"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2025/02/11/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Vulnerable OpenSSL included in cryptography wheels"
}

Mitigation
Requirements Policy

In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.

Mitigation
Requirements

Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].

Mitigation
Architecture and Design Implementation Integration Manufacturing

Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."

Mitigation
Operation Patching and Maintenance

Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.

Mitigation
Operation Patching and Maintenance

Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.

No CAPEC attack patterns related to this CWE.