Publish Advisories

GHSA-3527-qv2q-pfvx
GHSA-22cc-p3c6-wpvm
GHSA-26f5-8h2x-34xh
GHSA-4v6x-c7xx-hw9f
GHSA-qpxp-75px-xjcp
GHSA-vg28-83rp-8xx4

Author: advisory-database[bot]

advisories/github-reviewed/2025/05/GHSA-3527-qv2q-pfvx/GHSA-3527-qv2q-pfvx.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3527-qv2q-pfvx",
-  "modified": "2025-05-05T22:06:59Z",
+  "modified": "2026-03-20T21:27:09Z",
   "published": "2025-05-05T20:40:36Z",
   "aliases": [
     "CVE-2025-46734"
@@ -25,7 +25,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "1.5.0"
             },
             {
               "fixed": "2.7.0"

advisories/github-reviewed/2026/03/GHSA-22cc-p3c6-wpvm/GHSA-22cc-p3c6-wpvm.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-22cc-p3c6-wpvm",
-  "modified": "2026-03-18T16:17:43Z",
+  "modified": "2026-03-20T21:27:39Z",
   "published": "2026-03-18T16:17:43Z",
   "aliases": [
     "CVE-2026-33128"
@@ -62,6 +62,10 @@
       "type": "WEB",
       "url": "https://github.com/h3js/h3/security/advisories/GHSA-22cc-p3c6-wpvm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33128"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/h3js/h3/commit/7791538e15ca22437307c06b78fa155bb73632a6"
@@ -82,6 +86,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-18T16:17:43Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-20T10:16:19Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-26f5-8h2x-34xh/GHSA-26f5-8h2x-34xh.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-26f5-8h2x-34xh",
-  "modified": "2026-03-18T16:17:58Z",
+  "modified": "2026-03-20T21:27:48Z",
   "published": "2026-03-18T16:17:58Z",
   "aliases": [
     "CVE-2026-33129"
@@ -43,9 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/h3js/h3/security/advisories/GHSA-26f5-8h2x-34xh"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33129"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/h3js/h3/pull/1283"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/h3js/h3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/h3js/h3/releases/tag/v2.0.1-rc.9"
     }
   ],
   "database_specific": {
@@ -55,6 +67,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-18T16:17:58Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-20T10:16:19Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-4v6x-c7xx-hw9f/GHSA-4v6x-c7xx-hw9f.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4v6x-c7xx-hw9f",
-  "modified": "2026-03-09T15:50:47Z",
+  "modified": "2026-03-20T21:26:30Z",
   "published": "2026-03-06T23:27:03Z",
   "aliases": [
     "CVE-2026-30838"
   ],
   "summary": "CommonMark has DisallowedRawHtml extension bypass via whitespace in HTML tag names",
-  "details": "### Impact\n\nThe `DisallowedRawHtml` extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing `>`. For example, `<script\\n>` would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input.\n\nAll applications using the `DisallowedRawHtml` extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected.\n\n### Patches\n\nFixed in 2.8.1. The regex character class `[ \\/>]` was changed to `[\\s\\/>]` to match all whitespace characters that browsers accept as valid tag name terminators.\n\n### Workarounds\n\n- Set the `html_input` configuration option to `'escape'` or `'strip'` to disable all raw HTML, though this is a broader restriction than the `DisallowedRawHtml` extension provides.\n- Pass the rendered HTML through a dedicated HTML sanitizer before serving it to users ([always recommended](https://commonmark.thephpleague.com/2.x/security/#additional-filtering))\n\n### Resources\n\n- [CommonMark DisallowedRawHtml documentation](https://commonmark.thephpleague.com/extensions/disallowed-raw-html/)\n- [CWE-79: Improper Neutralization of Input During Web Page Generation](https://cwe.mitre.org/data/definitions/79.html)\n- [CWE-80: Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)](https://cwe.mitre.org/data/definitions/80.html)",
+  "details": "### Impact\n\nThe `DisallowedRawHtml` extension can be bypassed by inserting a newline, tab, or other ASCII whitespace character between a disallowed HTML tag name and the closing `>`. For example, `<script\\n>` would pass through unfiltered and be rendered as a valid HTML tag by browsers. This is a cross-site scripting (XSS) vector for any application that relies on this extension to sanitize untrusted user input.\n\nAll applications using the `DisallowedRawHtml` extension to process untrusted markdown are affected. Applications that use a dedicated HTML sanitizer (such as HTML Purifier) on the rendered output are not affected.\n\n### Patches\n\nFixed in 2.8.1. The regex character class `[ \\/>]` was changed to `[\\s\\/>]` to match all whitespace characters that browsers accept as valid tag name terminators.\n\n### Workarounds\n\n- Set the `html_input` configuration option to `'escape'` or `'strip'` to disable all raw HTML, though this is a broader restriction than the `DisallowedRawHtml` extension provides.\n- Pass the rendered HTML through a dedicated HTML sanitizer before serving it to users ([always recommended](https://commonmark.thephpleague.com/2.x/security/#additional-filtering))",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -25,7 +25,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "2.0.0"
             },
             {
               "fixed": "2.8.1"

advisories/github-reviewed/2026/03/GHSA-qpxp-75px-xjcp/GHSA-qpxp-75px-xjcp.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-qpxp-75px-xjcp",
-  "modified": "2026-03-18T16:17:31Z",
+  "modified": "2026-03-20T21:27:30Z",
   "published": "2026-03-18T16:17:31Z",
   "aliases": [
     "CVE-2026-33123"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-qpxp-75px-xjcp"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33123"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/py-pdf/pypdf/pull/3686"
@@ -61,6 +65,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-18T16:17:31Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-20T10:16:18Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-vg28-83rp-8xx4/GHSA-vg28-83rp-8xx4.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vg28-83rp-8xx4",
-  "modified": "2026-03-18T14:25:15Z",
+  "modified": "2026-03-20T21:27:20Z",
   "published": "2026-03-18T14:25:15Z",
   "aliases": [
     "CVE-2026-33125"
@@ -40,9 +40,17 @@
       "type": "WEB",
       "url": "https://github.com/blakeblackshear/frigate/security/advisories/GHSA-vg28-83rp-8xx4"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33125"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/blakeblackshear/frigate"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/blakeblackshear/frigate/releases/tag/v0.16.3"
     }
   ],
   "database_specific": {
@@ -52,6 +60,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-18T14:25:15Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-20T10:16:19Z"
   }
 }