Publish Advisories

GHSA-m6m4-34cj-4hh7
GHSA-r54r-wmmq-mh84
GHSA-wr6m-jg37-68xh

Author: advisory-database[bot]

…-m6m4-34cj-4hh7/GHSA-m6m4-34cj-4hh7.json …-m6m4-34cj-4hh7/GHSA-m6m4-34cj-4hh7.jsonadvisories/unreviewed/2026/03/GHSA-m6m4-34cj-4hh7/GHSA-m6m4-34cj-4hh7.json renamed to advisories/github-reviewed/2026/03/GHSA-m6m4-34cj-4hh7/GHSA-m6m4-34cj-4hh7.json advisories/unreviewed/2026/03/GHSA-m6m4-34cj-4hh7/GHSA-m6m4-34cj-4hh7.json renamed to advisories/github-reviewed/2026/03/GHSA-m6m4-34cj-4hh7/GHSA-m6m4-34cj-4hh7.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m6m4-34cj-4hh7",
-  "modified": "2026-03-21T00:31:42Z",
+  "modified": "2026-03-23T21:50:51Z",
   "published": "2026-03-21T00:31:42Z",
   "aliases": [
     "CVE-2026-4506"
   ],
+  "summary": "MindSQL is vulnerable to Code Injection through its ask_db function",
   "details": "A vulnerability was found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "mindsql"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.2.1"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -27,6 +48,10 @@
       "type": "WEB",
       "url": "https://github.com/Ka7arotto/cve/blob/main/MindSQL-RCE.md"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/Mindinventory/MindSQL"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/?ctiid.352072"
@@ -44,9 +69,9 @@
     "cwe_ids": [
       "CWE-74"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-23T21:50:51Z",
     "nvd_published_at": "2026-03-20T22:16:29Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-r54r-wmmq-mh84/GHSA-r54r-wmmq-mh84.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r54r-wmmq-mh84",
-  "modified": "2026-03-03T21:20:14Z",
+  "modified": "2026-03-23T21:51:24Z",
   "published": "2026-03-03T21:20:14Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-28483"
+  ],
   "summary": "OpenClaw: ZIP extraction race could write outside destination via parent symlink rebind",
   "details": "### Summary\nZIP extraction in OpenClaw could be raced into writing outside the intended destination directory via parent-directory symlink rebind between validation and write.\n\n### Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Vulnerable versions: `<= 2026.3.1`\n- Latest published vulnerable version confirmed: `2026.3.1` (npm as of 2026-03-02)\n- Patched version: `2026.3.2` (released)\n\n### Technical Details\nIn `src/infra/archive.ts`, ZIP extraction previously validated output paths, then later opened/truncated the destination path in a separate step. A local race on parent-directory symlink state could redirect the final write outside the extraction root.\n\nThe fix hardens ZIP writes by binding writes to the opened file handle identity and avoiding the pre-write truncate race path, with shared fd realpath verification in `src/infra/fs-safe.ts` and regression coverage in `src/infra/archive.test.ts`.\n\n### Fix Commit(s)\n- `7dac9b05dd9d38dd3929637f26fa356fd8bdd107`",
   "severity": [

advisories/github-reviewed/2026/03/GHSA-wr6m-jg37-68xh/GHSA-wr6m-jg37-68xh.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-wr6m-jg37-68xh",
-  "modified": "2026-03-02T21:49:51Z",
+  "modified": "2026-03-23T21:52:21Z",
   "published": "2026-03-02T21:49:51Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-32066"
+  ],
   "summary": "OpenClaw has unbounded memory growth in Zalo webhook via query-string key churn (unauthenticated DoS)",
   "details": "### Summary\nUnauthenticated requests to a reachable Zalo webhook endpoint could trigger unbounded in-memory key growth by varying query strings on the same valid webhook route.\n\n### Impact\nAn attacker could cause memory pressure and potential process instability or OOM, degrading availability.\n\n### Fix\nWebhook security tracking now normalizes keys to matched webhook path semantics (query excluded) and bounds/prunes tracking state to prevent unbounded growth.\n\n### Affected and Patched Versions\n- Affected: `<= 2026.2.26`\n- Patched: `2026.3.1`",
   "severity": [