Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 01e4cd2cb1d6 · 2025-10-23T20:33:41.000Z
GHSA-7pq9-rf9p-wcrf GHSA-g99p-47x7-mq88 GHSA-3qcp-9v8c-6jp7 GHSA-xcg2-9pp4-j82x
diff --git a/advisories/github-reviewed/2025/09/GHSA-7pq9-rf9p-wcrf/GHSA-7pq9-rf9p-wcrf.json b/advisories/github-reviewed/2025/09/GHSA-7pq9-rf9p-wcrf/GHSA-7pq9-rf9p-wcrf.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7pq9-rf9p-wcrf",
-  "modified": "2025-09-30T15:16:03Z",
+  "modified": "2025-10-23T20:32:35Z",
   "published": "2025-09-29T20:40:02Z",
   "aliases": [
     "CVE-2025-59941"
@@ -51,6 +51,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/filecoin-project/go-f3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2025-3989"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2025/09/GHSA-g99p-47x7-mq88/GHSA-g99p-47x7-mq88.json b/advisories/github-reviewed/2025/09/GHSA-g99p-47x7-mq88/GHSA-g99p-47x7-mq88.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g99p-47x7-mq88",
-  "modified": "2025-09-30T15:16:09Z",
+  "modified": "2025-10-23T20:32:56Z",
   "published": "2025-09-29T20:40:08Z",
   "aliases": [
     "CVE-2025-59942"
@@ -47,6 +47,10 @@
     {
       "type": "PACKAGE",
       "url": "https://github.com/filecoin-project/go-f3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://pkg.go.dev/vuln/GO-2025-3990"
     }
   ],
   "database_specific": {
diff --git a/advisories/github-reviewed/2025/10/GHSA-3qcp-9v8c-6jp7/GHSA-3qcp-9v8c-6jp7.json b/advisories/github-reviewed/2025/10/GHSA-3qcp-9v8c-6jp7/GHSA-3qcp-9v8c-6jp7.json
@@ -1,21 +1,47 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3qcp-9v8c-6jp7",
-  "modified": "2025-10-23T18:31:15Z",
+  "modified": "2025-10-23T20:31:36Z",
   "published": "2025-10-23T18:31:15Z",
   "aliases": [
     "CVE-2025-61413"
   ],
+  "summary": "Piranha CMS vulnerable to stored cross-site scripting (XSS)",
   "details": "A stored cross-site scripting (XSS) vulnerability in the /manager/pages component of Piranha CMS v12.1 allows attackers to execute arbitrary web scripts or HTML via creating a page and injecting a crafted payload into the Markdown blocks.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "NuGet",
+        "name": "Piranha"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "12.0.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61413"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/PiranhaCMS/piranha.core"
     },
     {
@@ -28,10 +54,12 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-23T20:31:36Z",
     "nvd_published_at": "2025-10-23T18:16:23Z"
   }
 }
diff --git a/advisories/github-reviewed/2025/10/GHSA-xcg2-9pp4-j82x/GHSA-xcg2-9pp4-j82x.json b/advisories/github-reviewed/2025/10/GHSA-xcg2-9pp4-j82x/GHSA-xcg2-9pp4-j82x.json
@@ -0,0 +1,98 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xcg2-9pp4-j82x",
+  "modified": "2025-10-23T20:31:31Z",
+  "published": "2025-10-23T20:31:30Z",
+  "aliases": [
+    "CVE-2025-62517"
+  ],
+  "summary": "rollbar vulnerable to Prototype Pollution in merge()",
+  "details": "### Impact\n\nPrototype pollution vulnerability in merge(). If application code calls `rollbar.configure()` with untrusted input, prototype pollution is possible.\n\n### Patches\n\nFixed in 2.26.5 and 3.0.0-beta5.\n\n### Workarounds\n\nEnsure that values passed to `rollbar.configure()` do not contain untrusted input.\n\n### References\n\nFixed in https://github.com/rollbar/rollbar.js/pull/1394 (2.26.x) and https://github.com/rollbar/rollbar.js/pull/1390 (3.x)",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "rollbar"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.26.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 2.26.4"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "rollbar"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.0.0-alpha1"
+            },
+            {
+              "fixed": "3.0.0-beta5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.0.0-beta4"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/rollbar/rollbar.js/security/advisories/GHSA-xcg2-9pp4-j82x"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rollbar/rollbar.js/pull/1390"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rollbar/rollbar.js/pull/1394"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rollbar/rollbar.js/commit/61032fe6c208b71e249514800808a54bcb8cb8bb"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rollbar/rollbar.js/commit/d717def8b68f4a947975d0aebb729869cdb2d343"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rollbar/rollbar.js"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-1321"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2025-10-23T20:31:30Z",
+    "nvd_published_at": null
+  }
+}

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-7pq9-rf9p-wcrf",`
`4`		`- "modified": "2025-09-30T15:16:03Z",`
	`4`	`+ "modified": "2025-10-23T20:32:35Z",`
`5`	`5`	`"published": "2025-09-29T20:40:02Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-59941"`
`@@ -51,6 +51,10 @@`
`51`	`51`	`{`
`52`	`52`	`"type": "PACKAGE",`
`53`	`53`	`"url": "https://github.com/filecoin-project/go-f3"`
	`54`	`+ },`
	`55`	`+ {`
	`56`	`+ "type": "WEB",`
	`57`	`+ "url": "https://pkg.go.dev/vuln/GO-2025-3989"`
`54`	`58`	`}`
`55`	`59`	`],`
`56`	`60`	`"database_specific": {`
Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"schema_version": "1.4.0",`
`3`	`3`	`"id": "GHSA-g99p-47x7-mq88",`
`4`		`- "modified": "2025-09-30T15:16:09Z",`
	`4`	`+ "modified": "2025-10-23T20:32:56Z",`
`5`	`5`	`"published": "2025-09-29T20:40:08Z",`
`6`	`6`	`"aliases": [`
`7`	`7`	`"CVE-2025-59942"`
`@@ -47,6 +47,10 @@`
`47`	`47`	`{`
`48`	`48`	`"type": "PACKAGE",`
`49`	`49`	`"url": "https://github.com/filecoin-project/go-f3"`
	`50`	`+ },`
	`51`	`+ {`
	`52`	`+ "type": "WEB",`
	`53`	`+ "url": "https://pkg.go.dev/vuln/GO-2025-3990"`
`50`	`54`	`}`
`51`	`55`	`],`
`52`	`56`	`"database_specific": {`