CWE-1395
Allowed-with-ReviewDependency on Vulnerable Third-Party Component
Abstraction: Class · Status: Incomplete
The product has a dependency on a third-party component that contains one or more known vulnerabilities.
110 vulnerabilities reference this CWE, most recent first.
CVE-2023-5332 (GCVE-0-2023-5332)
Vulnerability from cvelistv5 – Published: 2023-12-04 06:30 – Updated: 2024-10-03 06:23- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://gitlab.com/gitlab-org/omnibus-gitlab/-/is… | issue-tracking |
| https://www.hashicorp.com/blog/protecting-consul-… |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T07:52:08.548Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "GitLab Issue #8171",
"tags": [
"issue-tracking",
"x_transferred"
],
"url": "https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171"
},
{
"tags": [
"x_transferred"
],
"url": "https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
],
"defaultStatus": "unaffected",
"product": "GitLab",
"repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
"vendor": "GitLab",
"versions": [
{
"lessThan": "16.2.8",
"status": "affected",
"version": "9.5.0",
"versionType": "semver"
},
{
"lessThan": "16.3.5",
"status": "affected",
"version": "16.3.0",
"versionType": "semver"
},
{
"lessThan": "16.4.1",
"status": "affected",
"version": "16.4",
"versionType": "semver"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "This issue was reported internally."
}
],
"descriptions": [
{
"lang": "en",
"value": "Patch in third party library Consul requires \u0027enable-script-checks\u0027 to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 5.9,
"baseSeverity": "MEDIUM",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "HIGH",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2024-10-03T06:23:16.051Z",
"orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"shortName": "GitLab"
},
"references": [
{
"name": "GitLab Issue #8171",
"tags": [
"issue-tracking"
],
"url": "https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171"
},
{
"url": "https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations"
}
],
"solutions": [
{
"lang": "en",
"value": "Upgrade to versions 16.2.8, 16.3.5, 16.4.1 or above."
}
],
"title": "Dependency on Vulnerable Third-Party Component in GitLab"
}
},
"cveMetadata": {
"assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
"assignerShortName": "GitLab",
"cveId": "CVE-2023-5332",
"datePublished": "2023-12-04T06:30:33.856Z",
"dateReserved": "2023-10-02T12:01:25.316Z",
"dateUpdated": "2024-10-03T06:23:16.051Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2022-4988 (GCVE-0-2022-4988)
Vulnerability from cvelistv5 – Published: 2026-05-11 19:04 – Updated: 2026-05-13 12:56- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://freeimage.sourceforge.io/ | |
| https://metacpan.org/release/KMX/Alien-FreeImage-… | |
| https://nvd.nist.gov/vuln/detail/CVE-2015-0852 | vendor-advisory |
| https://nvd.nist.gov/vuln/detail/CVE-2025-65803 | vendor-advisory |
| https://github.com/kmx/alien-freeimage/issues/4 | issue-tracking |
| https://github.com/kmx/alien-freeimage/issues/5 | issue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| KMX | Alien::FreeImage |
Affected:
0 , ≤ 1.001
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "LOW",
"baseScore": 7.3,
"baseSeverity": "HIGH",
"confidentialityImpact": "LOW",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4988",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-05-13T12:55:23.634268Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-05-13T12:56:15.512Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Alien-FreeImage",
"product": "Alien::FreeImage",
"repo": "https://github.com/kmx/alien-freeimage",
"vendor": "KMX",
"versions": [
{
"lessThanOrEqual": "1.001",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries.\n\nAlien::FreeImage contains version 3.17.0 of the FreeImage library from 2017, which has known vulnerabilities such as CVE-2015-0852 and CVE-2025-65803. The library embeds other images libraries that also have known vulnerabilities."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T19:04:40.885Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"url": "https://freeimage.sourceforge.io/"
},
{
"url": "https://metacpan.org/release/KMX/Alien-FreeImage-1.001/source/src/Source"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0852"
},
{
"tags": [
"vendor-advisory"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65803"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kmx/alien-freeimage/issues/4"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/kmx/alien-freeimage/issues/5"
}
],
"source": {
"discovery": "UNKNOWN"
},
"timeline": [
{
"lang": "en",
"time": "2017-07-11T00:00:00.000Z",
"value": "Alien::FreeImage released with FreeImage 3.17.0"
},
{
"lang": "en",
"time": "2022-06-29T00:00:00.000Z",
"value": "Issues added to git repository regarding security vulnerabilities"
},
{
"lang": "en",
"time": "2022-06-29T00:00:00.000Z",
"value": "Several issues added to CPANSA::DB"
},
{
"lang": "en",
"time": "2026-03-27T00:00:00.000Z",
"value": "Issues logged with CPANSec"
}
],
"title": "Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries",
"workarounds": [
{
"lang": "en",
"value": "The latest version of the FreeImage library is 3.18.0 from 2018, which also appears to have serious vulnerabilities.\n\nUsers are advised to use alternatives."
}
],
"x_generator": {
"engine": "cpansec-cna-tool 0.1"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2022-4988",
"datePublished": "2026-05-11T19:04:40.885Z",
"dateReserved": "2026-05-08T07:05:02.847Z",
"dateUpdated": "2026-05-13T12:56:15.512Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2022-4976 (GCVE-0-2022-4976)
Vulnerability from cvelistv5 – Published: 2025-06-12 00:33 – Updated: 2025-06-13 16:03- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://rt.cpan.org/Public/Bug/Display.html?id=143547 | issue-tracking |
| Vendor | Product | Version | |
|---|---|---|---|
| ETJ | Archive::Unzip::Burst |
Affected:
0.01 , ≤ 0.09
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2022-4976",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-06-13T15:50:26.541283Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-06-13T16:03:31.477Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "Archive-Unzip-Burst",
"product": "Archive::Unzip::Burst",
"repo": "https://github.com/mohawk2/Archive-Unzip-Burst",
"vendor": "ETJ",
"versions": [
{
"lessThanOrEqual": "0.09",
"status": "affected",
"version": "0.01",
"versionType": "custom"
}
]
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities.\u003cbr\u003e\u003cbr\u003eThe bundled library is affected by CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141.\u003cbr\u003e"
}
],
"value": "Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities.\n\nThe bundled library is affected by CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-06-12T00:33:13.976Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://rt.cpan.org/Public/Bug/Display.html?id=143547"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2022-4976",
"datePublished": "2025-06-12T00:33:13.976Z",
"dateReserved": "2025-06-09T20:21:41.530Z",
"dateUpdated": "2025-06-13T16:03:31.477Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
CVE-2020-36846 (GCVE-0-2020-36846)
Vulnerability from cvelistv5 – Published: 2025-05-30 00:50 – Updated: 2025-05-30 22:01- CWE-1395 - Dependency on Vulnerable Third-Party Component
| URL | Tags |
|---|---|
| https://github.com/google/brotli/pull/826 | issue-tracking |
| https://github.com/advisories/GHSA-5v8v-66v8-mwm7 | third-party-advisory |
| https://github.com/timlegge/perl-IO-Compress-Brot… | mitigation |
| https://nvd.nist.gov/vuln/detail/CVE-2020-8927 | vdb-entry |
| https://github.com/google/brotli/commit/223d80cfb… | patch |
| Vendor | Product | Version | |
|---|---|---|---|
| TIMLEGGE | IO::Compress::Brotli |
Affected:
0 , < 0.007
(custom)
|
{
"containers": {
"adp": [
{
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 9.8,
"baseSeverity": "CRITICAL",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
},
{
"other": {
"content": {
"id": "CVE-2020-36846",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2025-05-30T14:40:47.592851Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T22:01:41.998Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"collectionURL": "https://cpan.org/modules",
"defaultStatus": "unaffected",
"packageName": "IO-Compress-Brotli",
"product": "IO::Compress::Brotli",
"programFiles": [
"brotli/c/dec/bit_reader.h"
],
"repo": "https://github.com/timlegge/perl-IO-Compress-Brotli",
"vendor": "TIMLEGGE",
"versions": [
{
"lessThan": "0.007",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Robert Rothenberg (RRWO)"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.\u0026nbsp; Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a \"one-shot\" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007\u0026nbsp;or later. If one cannot update, we recommend to use the \"streaming\" API as opposed to the \"one-shot\" API, and impose chunk size limits."
}
],
"value": "A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.\u00a0 Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a \"one-shot\" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007\u00a0or later. If one cannot update, we recommend to use the \"streaming\" API as opposed to the \"one-shot\" API, and impose chunk size limits."
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-1395",
"description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2025-05-30T00:50:28.582Z",
"orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"shortName": "CPANSec"
},
"references": [
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/google/brotli/pull/826"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://github.com/advisories/GHSA-5v8v-66v8-mwm7"
},
{
"tags": [
"mitigation"
],
"url": "https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52"
},
{
"tags": [
"vdb-entry"
],
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8927"
},
{
"tags": [
"patch"
],
"url": "https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library",
"x_generator": {
"engine": "Vulnogram 0.2.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
"assignerShortName": "CPANSec",
"cveId": "CVE-2020-36846",
"datePublished": "2025-05-30T00:50:28.582Z",
"dateReserved": "2025-05-28T01:44:05.054Z",
"dateUpdated": "2025-05-30T22:01:41.998Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1"
}
GHSA-26GQ-GRMH-6XM6
Vulnerability from github – Published: 2026-02-06 19:44 – Updated: 2026-02-06 19:44Summary
Stored XSS via mermaid diagrams due to usage of vulnerable renderer library
Details
Gogs introduced support for rendering mermaid diagrams in version 0.13.0.
Currently used version of the library mermaid 11.9.0 is vulnerable to at least two XSS scenarios with publicly available payloads
Resources: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw
PoC
- Create a markdown file eg.
README.mdcontaining following malicious mermaid diagram (payload based on CVE-2025-54880)
architecture-beta
group api(cloud)[API]
service db "<img src=x onerror=\"alert(document.domain)\">" [Database] in api
- The XSS should pop whenever either repository or file is viewed
Demo
https://github.com/user-attachments/assets/98320f62-6c1c-4254-aa61-95598c725235
Impact
The attacker can potentially achieve account takeover In a worst case scenario if the victim were an instance admin this could lead to a compromise of the entire deployment
Proposed remediation steps
- Upgrade to a patched version of the third party library https://github.com/mermaid-js/mermaid/releases/tag/v10.9.5
- Consider running mermaid using
sandboxlevel which would mitigate impact of future potential cross-site scripting issues https://mermaid.js.org/config/usage.html#securitylevel
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 0.13.3"
},
"package": {
"ecosystem": "Go",
"name": "gogs.io/gogs"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.13.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-02-06T19:44:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nStored XSS via mermaid diagrams due to usage of vulnerable renderer library\n\n### Details\nGogs introduced support for rendering mermaid diagrams in version [0.13.0.](https://github.com/gogs/gogs/releases/tag/v0.13.0)\n\nCurrently used version of the library [mermaid 11.9.0](https://github.com/gogs/gogs/tree/main/public/plugins/mermaid-11.9.0) is vulnerable to at least two XSS scenarios with publicly available payloads\n\nResources:\nhttps://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh\nhttps://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw\n\n### PoC\n\n1. Create a markdown file eg. `README.md` containing following malicious mermaid diagram (payload based on [CVE-2025-54880](https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw))\n```\narchitecture-beta\n group api(cloud)[API]\n service db \"\u003cimg src=x onerror=\\\"alert(document.domain)\\\"\u003e\" [Database] in api\n```\n2. The XSS should pop whenever either repository or file is viewed\n\n#### Demo\n\nhttps://github.com/user-attachments/assets/98320f62-6c1c-4254-aa61-95598c725235\n\n### Impact\nThe attacker can potentially achieve account takeover\nIn a worst case scenario if the victim were an instance admin this could lead to a compromise of the entire deployment\n\n### Proposed remediation steps\n1. Upgrade to a patched version of the third party library\nhttps://github.com/mermaid-js/mermaid/releases/tag/v10.9.5\n2. Consider running mermaid using `sandbox` level which would mitigate impact of future potential cross-site scripting issues\nhttps://mermaid.js.org/config/usage.html#securitylevel",
"id": "GHSA-26gq-grmh-6xm6",
"modified": "2026-02-06T19:44:14Z",
"published": "2026-02-06T19:44:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/security/advisories/GHSA-26gq-grmh-6xm6"
},
{
"type": "WEB",
"url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh"
},
{
"type": "WEB",
"url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw"
},
{
"type": "WEB",
"url": "https://github.com/gogs/gogs/commit/71a72a72ad1c8cea7940c9d7e4cbdfbc0fc3d401"
},
{
"type": "PACKAGE",
"url": "https://github.com/gogs/gogs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": "Gogs vulnerable to Stored XSS via Mermaid diagrams"
}
GHSA-2GH6-WC3M-G37F
Vulnerability from github – Published: 2024-09-17 19:29 – Updated: 2024-09-17 19:29Impact
hermes-management is vulnerable to RCE when it processes user-controlled data due to using Apache commons-jxpath.
Patches
Upgrade Hermes to at least hermes-2.2.9
References
https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "pl.allegro.tech.hermes:hermes-management"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.2.9"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2024-09-17T19:29:24Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Impact\nhermes-management is vulnerable to RCE when it processes user-controlled data due to using Apache commons-jxpath.\n\n### Patches\nUpgrade Hermes to at least hermes-2.2.9\n\n### References\nhttps://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/\n",
"id": "GHSA-2gh6-wc3m-g37f",
"modified": "2024-09-17T19:29:24Z",
"published": "2024-09-17T19:29:24Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/allegro/hermes/security/advisories/GHSA-2gh6-wc3m-g37f"
},
{
"type": "WEB",
"url": "https://github.com/allegro/hermes/commit/72ecc5aa41e37fd614443dd35d9200b66a61afb1"
},
{
"type": "PACKAGE",
"url": "https://github.com/allegro/hermes"
},
{
"type": "WEB",
"url": "https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "hermes-management is vulnerable to RCE due to Apache commons-jxpath"
}
GHSA-2MHW-8QCG-GR96
Vulnerability from github – Published: 2026-03-19 18:10 – Updated: 2026-03-19 18:10Impact
The Linux wheels for skia-python vendor a vulnerable version of libfreetype that is affected by CVE-2025-27363 [1].
The root cause is a chain of unfortunate events:
-
skia-python builds wheels using pinned pypa/cibuildwheel@2.21.3 [2]
-
cibuildwheel 2.21.3 in turn pins manylinux container images [3]
-
In these images, version 2.9.1-9.el8 of RedHat package freetype is preinstalled. This package version is vulnerable and has since been patched in 2.9.1-10.
-
During the skia-python Linux build, libfreetype is vendored from the system, resulting in skia-python.libs/libfreetype-29a7443c.so.6.16.1
[ To find the provenance of your vendored libfreetype, we extracted the 8-character hash of the original binary file that is added during the build process (29a7443c), and matched it against our database of hashes all historic Red Hat, Debian and Ubuntu releases of freetype. ]
-
Because freetype is only a transitive dependency of the packages explicitly installed by the build script [4], it is not upgraded to the patched version [4].
-
As a result, the published wheels embed a vulnerable libfreetype, even though patched packages are available upstream.
This appears to be a broader manylinux ecosystem issue. The base images
do not enforce that yum update runs on container start, so
preinstalled libraries may remain vulnerable indefinitely.
Patches
In the case of skia-python, the solution is to explicitly install freetype in the build process and rebuild the wheels.
The original report was suggesting the above, but in the current build_Linux.sh script, the patched freetype-devel version 2.9.1-10 gets installed as a dependency. It's just that we need to rebuild the wheel for a new release.
Workarounds
Users must upgrade the wheel package after release.
References
- https://nvd.nist.gov/vuln/detail/CVE-2025-27363
- https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/.github/workflows/ci.yml#L38
- https://github.com/pypa/cibuildwheel/blob/v2.21.3/cibuildwheel/resources/pinned_docker_images.cfg
- https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/scripts/build_Linux.sh#L6
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "skia-python"
},
"versions": [
"144.0"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 138.0"
},
"package": {
"ecosystem": "PyPI",
"name": "skia-python"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "144.0.post1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-787"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-19T18:10:25Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nThe Linux wheels for skia-python vendor a vulnerable version of\nlibfreetype that is affected by CVE-2025-27363 [1].\n\nThe root cause is a chain of unfortunate events:\n\n1. skia-python builds wheels using pinned pypa/cibuildwheel@2.21.3 [2]\n\n2. cibuildwheel 2.21.3 in turn pins manylinux container images [3]\n\n3. In these images, version 2.9.1-9.el8 of RedHat package freetype is\n*preinstalled*. This package version is vulnerable and has since been\npatched in 2.9.1-10.\n\n4. During the skia-python Linux build, libfreetype is vendored from the\nsystem, resulting in skia-python.libs/libfreetype-29a7443c.so.6.16.1\n\n[ To find the provenance of your vendored libfreetype, we extracted the\n8-character hash of the original binary file that is added during the\nbuild process (29a7443c), and matched it against our database of hashes\nall historic Red Hat, Debian and Ubuntu releases of freetype. ]\n\n5. Because freetype is only a *transitive* dependency of the packages\nexplicitly installed by the build script [4], it is not upgraded to the\npatched version [4].\n\n5. As a result, the published wheels embed a vulnerable libfreetype,\neven though patched packages are available upstream.\n\nThis appears to be a broader manylinux ecosystem issue. The base images\ndo not enforce that `yum update` runs on container start, so\npreinstalled libraries may remain vulnerable indefinitely.\n\n\n### Patches\n\n\u003e In the case of skia-python, the solution is to explicitly install freetype in the build process and rebuild the wheels.\n\nThe original report was suggesting the above, but in the current `build_Linux.sh` script, the patched `freetype-devel` version 2.9.1-10 gets installed as a dependency. It\u0027s just that we need to rebuild the wheel for a new release.\n\n### Workarounds\n\nUsers must upgrade the wheel package after release.\n\n### References\n\n1. https://nvd.nist.gov/vuln/detail/CVE-2025-27363\n2. https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/.github/workflows/ci.yml#L38\n3. https://github.com/pypa/cibuildwheel/blob/v2.21.3/cibuildwheel/resources/pinned_docker_images.cfg\n4. https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/scripts/build_Linux.sh#L6",
"id": "GHSA-2mhw-8qcg-gr96",
"modified": "2026-03-19T18:10:25Z",
"published": "2026-03-19T18:10:25Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/kyamagu/skia-python/security/advisories/GHSA-2mhw-8qcg-gr96"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27363"
},
{
"type": "PACKAGE",
"url": "https://github.com/kyamagu/skia-python"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version"
}
GHSA-32WQ-PPWG-3W4M
Vulnerability from github – Published: 2026-04-01 23:57 – Updated: 2026-04-01 23:57Impact
Microsoft.Bcl.Memory, a transitive dependency of EnhancedLinq.Async, had a Denial of Service security vulnerability, CVE-2026-26127, thus affecting EnhancedLinq.Async versions that had vulnerable versions of Microsoft.Bcl.Memory as a transitive dependency.
Patches
EnhancedLinq.Async 1.0.0 Beta 3 updates the dependency on System.Linq.AsyncEnumerable to version 10.0.4 or newer which in turn updates the transitive dependency on Microsoft.Bcl.Memory from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.
Workarounds
No workarounds exist for this vulnerability.
How to fix the issue
To update the EnhancedLinq.Async NuGet package, use one of the following methods:
NuGet Package Manager UI in Visual Studio: - Open the project in Visual Studio. - Right-click on the project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages". - In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from configured package sources. - Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected. - Click the "Update" button.
Using the NuGet Package Manager Console in Visual Studio: - Open the project in Visual Studio. - Navigate to "Tools > NuGet Package Manager > Package Manager Console". - To update a specific package to its latest version, use the following Update-Package command:
Update-Package -Id EnhancedLinq.Async
Using the .NET CLI (Command Line Interface): - Open a terminal or command prompt in the project's directory. - To update a specific package to its latest version, use the following add package command:
dotnet package update EnhancedLinq.Async
Once the NuGet package reference has been updated, the application must be recompiled and redeployed.
{
"affected": [
{
"package": {
"ecosystem": "NuGet",
"name": "EnhancedLinq.Async"
},
"ranges": [
{
"events": [
{
"introduced": "1.0.0-beta.1"
},
{
"fixed": "1.0.0-beta.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-129",
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-01T23:57:06Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n`Microsoft.Bcl.Memory`, a transitive dependency of `EnhancedLinq.Async`, had a Denial of Service security vulnerability, [CVE-2026-26127](https://github.com/dotnet/announcements/issues/384), thus affecting `EnhancedLinq.Async` versions that had vulnerable versions of `Microsoft.Bcl.Memory` as a transitive dependency.\n\n### Patches\n`EnhancedLinq.Async` 1.0.0 Beta 3 updates the dependency on `System.Linq.AsyncEnumerable` to version 10.0.4 or newer which in turn updates the transitive dependency on `Microsoft.Bcl.Memory` from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.\n\n### Workarounds\nNo workarounds exist for this vulnerability.\n\n### How to fix the issue\n\nTo update the `EnhancedLinq.Async` NuGet package, use one of the following methods:\n\n**NuGet Package Manager UI in Visual Studio:**\n- Open the project in Visual Studio.\n- Right-click on the project in Solution Explorer and select \"Manage NuGet Packages...\" or navigate to \"Project \u003e Manage NuGet Packages\".\n- In the NuGet Package Manager window, select the \"Updates\" tab. This tab lists packages with available updates from configured package sources.\n- Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected.\n- Click the \"Update\" button.\n\n**Using the NuGet Package Manager Console in Visual Studio:**\n- Open the project in Visual Studio.\n- Navigate to \"Tools \u003e NuGet Package Manager \u003e Package Manager Console\".\n- To update a specific package to its latest version, use the following Update-Package command:\n\n```\nUpdate-Package -Id EnhancedLinq.Async\n```\n\n**Using the .NET CLI (Command Line Interface):**\n- Open a terminal or command prompt in the project\u0027s directory.\n- To update a specific package to its latest version, use the following add package command:\n\n```\ndotnet package update EnhancedLinq.Async\n```\n\nOnce the NuGet package reference has been updated, the application must be recompiled and redeployed.",
"id": "GHSA-32wq-ppwg-3w4m",
"modified": "2026-04-01T23:57:06Z",
"published": "2026-04-01T23:57:06Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/alastairlundy/EnhancedLinq/security/advisories/GHSA-32wq-ppwg-3w4m"
},
{
"type": "WEB",
"url": "https://github.com/dotnet/announcements/issues/384"
},
{
"type": "PACKAGE",
"url": "https://github.com/alastairlundy/EnhancedLinq"
},
{
"type": "WEB",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26127"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory"
}
GHSA-37XQ-Q42P-RV3P
Vulnerability from github – Published: 2023-08-24 22:18 – Updated: 2024-06-26 15:20During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.
Impact
This vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS
Patches
Affected users are recommended to upgrade to version 0.3.7
References
See also https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md
{
"affected": [
{
"package": {
"ecosystem": "crates.io",
"name": "ntpd"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.3.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395"
],
"github_reviewed": true,
"github_reviewed_at": "2023-08-24T22:18:39Z",
"nvd_published_at": null,
"severity": "LOW"
},
"details": "During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.\n\n### Impact\nThis vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS\n\n### Patches\nAffected users are recommended to upgrade to version 0.3.7\n\n### References\nSee also https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md\n",
"id": "GHSA-37xq-q42p-rv3p",
"modified": "2024-06-26T15:20:09Z",
"published": "2023-08-24T22:18:39Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-37xq-q42p-rv3p"
},
{
"type": "WEB",
"url": "https://github.com/pendulum-project/ntpd-rs/commit/927952a440176a18f3ded132eb831ae7f7ac5c00"
},
{
"type": "PACKAGE",
"url": "https://github.com/pendulum-project/ntpd-rs"
},
{
"type": "WEB",
"url": "https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
"type": "CVSS_V3"
}
],
"summary": "ntpd has Dependency on Vulnerable Third-Party Component"
}
GHSA-39H7-PWV7-RC3X
Vulnerability from github – Published: 2026-04-24 20:41 – Updated: 2026-04-24 20:41Impact
@excalidraw/excalidraw@0.18.0 depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path.
This is patched in @excalidraw/excalidraw@0.18.1 by updating @excalidraw/mermaid-to-excalidraw to 2.2.2, which uses a patched Mermaid 11 release.
Moderate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).
Patches
- Stable
@excalidraw/excalidraw@0.18.1is patched. - Unstable
@excalidraw/excalidraw@nexthas resolved to patched builds since@excalidraw/excalidraw@0.18.0-f29edfon 2025-08-21. - Direct consumers of
@excalidraw/mermaid-to-excalidrawshould use1.1.3or later.
Workarounds
None.
Resources
- Upstream Mermaid advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
- CVE-2025-54881
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "@excalidraw/excalidraw"
},
"ranges": [
{
"events": [
{
"introduced": "0.18.0"
},
{
"fixed": "0.18.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"0.18.0"
]
},
{
"package": {
"ecosystem": "npm",
"name": "@excalidraw/mermaid-to-excalidraw"
},
"ranges": [
{
"events": [
{
"introduced": "0.3.0"
},
{
"fixed": "1.1.3"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [],
"database_specific": {
"cwe_ids": [
"CWE-1395",
"CWE-79"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T20:41:51Z",
"nvd_published_at": null,
"severity": "MODERATE"
},
"details": "### Impact\n\n`@excalidraw/excalidraw@0.18.0` depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid\u2019s KaTeX label rendering path.\n\nThis is patched in `@excalidraw/excalidraw@0.18.1` by updating `@excalidraw/mermaid-to-excalidraw` to `2.2.2`, which uses a patched Mermaid 11 release.\n\nModerate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).\n\n### Patches\n\n- Stable `@excalidraw/excalidraw@0.18.1` is patched.\n- Unstable `@excalidraw/excalidraw@next` has resolved to patched builds since `@excalidraw/excalidraw@0.18.0-f29edf` on 2025-08-21.\n- Direct consumers of `@excalidraw/mermaid-to-excalidraw` should use `1.1.3` or later.\n\n### Workarounds\n\nNone.\n\n### Resources\n\n- Upstream Mermaid advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh\n- CVE-2025-54881",
"id": "GHSA-39h7-pwv7-rc3x",
"modified": "2026-04-24T20:41:51Z",
"published": "2026-04-24T20:41:51Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/excalidraw/excalidraw/security/advisories/GHSA-39h7-pwv7-rc3x"
},
{
"type": "WEB",
"url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh"
},
{
"type": "PACKAGE",
"url": "https://github.com/excalidraw/excalidraw"
},
{
"type": "WEB",
"url": "https://github.com/excalidraw/excalidraw/releases/tag/v0.18.1"
}
],
"schema_version": "1.4.0",
"severity": [],
"summary": "Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)"
}
Mitigation
In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.
Mitigation
Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].
Mitigation
Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."
Mitigation
Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.
Mitigation
Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.
No CAPEC attack patterns related to this CWE.