Common Weakness Enumeration

CWE-1395

Allowed-with-Review

Dependency on Vulnerable Third-Party Component

Abstraction: Class · Status: Incomplete

The product has a dependency on a third-party component that contains one or more known vulnerabilities.

110 vulnerabilities reference this CWE, most recent first.

CVE-2023-5332 (GCVE-0-2023-5332)

Vulnerability from cvelistv5 – Published: 2023-12-04 06:30 – Updated: 2024-10-03 06:23
VLAI
Title
Dependency on Vulnerable Third-Party Component in GitLab
Summary
Patch in third party library Consul requires 'enable-script-checks' to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE.
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
Impacted products
Vendor Product Version
GitLab GitLab Affected: 9.5.0 , < 16.2.8 (semver)
Affected: 16.3.0 , < 16.3.5 (semver)
Affected: 16.4 , < 16.4.1 (semver)
    cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*
Create a notification for this product.
Credits
This issue was reported internally.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-02T07:52:08.548Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "name": "GitLab Issue #8171",
            "tags": [
              "issue-tracking",
              "x_transferred"
            ],
            "url": "https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171"
          },
          {
            "tags": [
              "x_transferred"
            ],
            "url": "https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:a:gitlab:gitlab:*:*:*:*:*:*:*:*"
          ],
          "defaultStatus": "unaffected",
          "product": "GitLab",
          "repo": "git://git@gitlab.com:gitlab-org/gitlab.git",
          "vendor": "GitLab",
          "versions": [
            {
              "lessThan": "16.2.8",
              "status": "affected",
              "version": "9.5.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.3.5",
              "status": "affected",
              "version": "16.3.0",
              "versionType": "semver"
            },
            {
              "lessThan": "16.4.1",
              "status": "affected",
              "version": "16.4",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "This issue was reported internally."
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Patch in third party library Consul requires \u0027enable-script-checks\u0027 to be set to False. This was required to enable a patch by the vendor. Without this setting the patch could be bypassed. This only affects GitLab-EE."
        }
      ],
      "metrics": [
        {
          "cvssV3_1": {
            "attackComplexity": "HIGH",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 5.9,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "privilegesRequired": "HIGH",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:N",
            "version": "3.1"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395: Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2024-10-03T06:23:16.051Z",
        "orgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
        "shortName": "GitLab"
      },
      "references": [
        {
          "name": "GitLab Issue #8171",
          "tags": [
            "issue-tracking"
          ],
          "url": "https://gitlab.com/gitlab-org/omnibus-gitlab/-/issues/8171"
        },
        {
          "url": "https://www.hashicorp.com/blog/protecting-consul-from-rce-risk-in-specific-configurations"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "value": "Upgrade to versions 16.2.8, 16.3.5, 16.4.1 or above."
        }
      ],
      "title": "Dependency on Vulnerable Third-Party Component in GitLab"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "ceab7361-8a18-47b1-92ba-4d7d25f6715a",
    "assignerShortName": "GitLab",
    "cveId": "CVE-2023-5332",
    "datePublished": "2023-12-04T06:30:33.856Z",
    "dateReserved": "2023-10-02T12:01:25.316Z",
    "dateUpdated": "2024-10-03T06:23:16.051Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2022-4988 (GCVE-0-2022-4988)

Vulnerability from cvelistv5 – Published: 2026-05-11 19:04 – Updated: 2026-05-13 12:56
VLAI
Title
Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries
Summary
Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries. Alien::FreeImage contains version 3.17.0 of the FreeImage library from 2017, which has known vulnerabilities such as CVE-2015-0852 and CVE-2025-65803. The library embeds other images libraries that also have known vulnerabilities.
SSVC
Exploitation: none Automatable: yes Technical Impact: partial
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
Impacted products
Vendor Product Version
KMX Alien::FreeImage Affected: 0 , ≤ 1.001 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "LOW",
              "baseScore": 7.3,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "LOW",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-4988",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-05-13T12:55:23.634268Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-05-13T12:56:15.512Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Alien-FreeImage",
          "product": "Alien::FreeImage",
          "repo": "https://github.com/kmx/alien-freeimage",
          "vendor": "KMX",
          "versions": [
            {
              "lessThanOrEqual": "1.001",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries.\n\nAlien::FreeImage contains version 3.17.0 of the FreeImage library from 2017, which has known vulnerabilities such as CVE-2015-0852 and CVE-2025-65803.  The library embeds other images libraries that also have known vulnerabilities."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-11T19:04:40.885Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "url": "https://freeimage.sourceforge.io/"
        },
        {
          "url": "https://metacpan.org/release/KMX/Alien-FreeImage-1.001/source/src/Source"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-0852"
        },
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65803"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/kmx/alien-freeimage/issues/4"
        },
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/kmx/alien-freeimage/issues/5"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "timeline": [
        {
          "lang": "en",
          "time": "2017-07-11T00:00:00.000Z",
          "value": "Alien::FreeImage released with FreeImage 3.17.0"
        },
        {
          "lang": "en",
          "time": "2022-06-29T00:00:00.000Z",
          "value": "Issues added to git repository regarding security vulnerabilities"
        },
        {
          "lang": "en",
          "time": "2022-06-29T00:00:00.000Z",
          "value": "Several issues added to CPANSA::DB"
        },
        {
          "lang": "en",
          "time": "2026-03-27T00:00:00.000Z",
          "value": "Issues logged with CPANSec"
        }
      ],
      "title": "Alien::FreeImage versions through 1.001 for Perl contains several vulnerable libraries",
      "workarounds": [
        {
          "lang": "en",
          "value": "The latest version of the FreeImage library is 3.18.0 from 2018, which also appears to have serious vulnerabilities.\n\nUsers are advised to use alternatives."
        }
      ],
      "x_generator": {
        "engine": "cpansec-cna-tool 0.1"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2022-4988",
    "datePublished": "2026-05-11T19:04:40.885Z",
    "dateReserved": "2026-05-08T07:05:02.847Z",
    "dateUpdated": "2026-05-13T12:56:15.512Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

CVE-2022-4976 (GCVE-0-2022-4976)

Vulnerability from cvelistv5 – Published: 2025-06-12 00:33 – Updated: 2025-06-13 16:03
VLAI
Title
Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities
Summary
Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities. The bundled library is affected by CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
References
Impacted products
Vendor Product Version
ETJ Archive::Unzip::Burst Affected: 0.01 , ≤ 0.09 (custom)
Create a notification for this product.
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2022-4976",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-06-13T15:50:26.541283Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-06-13T16:03:31.477Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "Archive-Unzip-Burst",
          "product": "Archive::Unzip::Burst",
          "repo": "https://github.com/mohawk2/Archive-Unzip-Burst",
          "vendor": "ETJ",
          "versions": [
            {
              "lessThanOrEqual": "0.09",
              "status": "affected",
              "version": "0.01",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities.\u003cbr\u003e\u003cbr\u003eThe bundled library is affected by CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141.\u003cbr\u003e"
            }
          ],
          "value": "Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities.\n\nThe bundled library is affected by CVE-2014-8139, CVE-2014-8140 and CVE-2014-8141."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-06-12T00:33:13.976Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://rt.cpan.org/Public/Bug/Display.html?id=143547"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "Archive::Unzip::Burst from 0.01 through 0.09 for Perl contains a bundled InfoZip library that is affected by several vulnerabilities",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2022-4976",
    "datePublished": "2025-06-12T00:33:13.976Z",
    "dateReserved": "2025-06-09T20:21:41.530Z",
    "dateUpdated": "2025-06-13T16:03:31.477Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

CVE-2020-36846 (GCVE-0-2020-36846)

Vulnerability from cvelistv5 – Published: 2025-05-30 00:50 – Updated: 2025-05-30 22:01
VLAI
Title
IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library
Summary
A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.  Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a "one-shot" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007 or later. If one cannot update, we recommend to use the "streaming" API as opposed to the "one-shot" API, and impose chunk size limits.
SSVC
Exploitation: none Automatable: yes Technical Impact: total
CISA Coordinator (v2.0.3)
CWE
  • CWE-1395 - Dependency on Vulnerable Third-Party Component
Assigner
Impacted products
Vendor Product Version
TIMLEGGE IO::Compress::Brotli Affected: 0 , < 0.007 (custom)
Create a notification for this product.
Credits
Robert Rothenberg (RRWO)
Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "HIGH",
              "baseScore": 9.8,
              "baseSeverity": "CRITICAL",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "HIGH",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2020-36846",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-05-30T14:40:47.592851Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-05-30T22:01:41.998Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "collectionURL": "https://cpan.org/modules",
          "defaultStatus": "unaffected",
          "packageName": "IO-Compress-Brotli",
          "product": "IO::Compress::Brotli",
          "programFiles": [
            "brotli/c/dec/bit_reader.h"
          ],
          "repo": "https://github.com/timlegge/perl-IO-Compress-Brotli",
          "vendor": "TIMLEGGE",
          "versions": [
            {
              "lessThan": "0.007",
              "status": "affected",
              "version": "0",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "Robert Rothenberg (RRWO)"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.\u0026nbsp; Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a \"one-shot\" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007\u0026nbsp;or later. If one cannot update, we recommend to use the \"streaming\" API as opposed to the \"one-shot\" API, and impose chunk size limits."
            }
          ],
          "value": "A buffer overflow, as described in CVE-2020-8927, exists in the embedded Brotli library.\u00a0 Versions of IO::Compress::Brotli prior to 0.007 included a version of the brotli library prior to version 1.0.8, where an attacker controlling the input length of a \"one-shot\" decompression request to a script can trigger a crash, which happens when copying over chunks of data larger than 2 GiB. It is recommended to update your IO::Compress::Brotli module to 0.007\u00a0or later. If one cannot update, we recommend to use the \"streaming\" API as opposed to the \"one-shot\" API, and impose chunk size limits."
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-1395",
              "description": "CWE-1395 Dependency on Vulnerable Third-Party Component",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-05-30T00:50:28.582Z",
        "orgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
        "shortName": "CPANSec"
      },
      "references": [
        {
          "tags": [
            "issue-tracking"
          ],
          "url": "https://github.com/google/brotli/pull/826"
        },
        {
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://github.com/advisories/GHSA-5v8v-66v8-mwm7"
        },
        {
          "tags": [
            "mitigation"
          ],
          "url": "https://github.com/timlegge/perl-IO-Compress-Brotli/blob/8b44c83b23bb4658179e1494af4b725a1bc476bc/Changes#L52"
        },
        {
          "tags": [
            "vdb-entry"
          ],
          "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8927"
        },
        {
          "tags": [
            "patch"
          ],
          "url": "https://github.com/google/brotli/commit/223d80cfbec8fd346e32906c732c8ede21f0cea6"
        }
      ],
      "source": {
        "discovery": "UNKNOWN"
      },
      "title": "IO::Compress::Brotli versions prior to 0.007 for Perl have an integer overflow in the bundled Brotli C library",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "9b29abf9-4ab0-4765-b253-1875cd9b441e",
    "assignerShortName": "CPANSec",
    "cveId": "CVE-2020-36846",
    "datePublished": "2025-05-30T00:50:28.582Z",
    "dateReserved": "2025-05-28T01:44:05.054Z",
    "dateUpdated": "2025-05-30T22:01:41.998Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

GHSA-26GQ-GRMH-6XM6

Vulnerability from github – Published: 2026-02-06 19:44 – Updated: 2026-02-06 19:44
VLAI
Summary
Gogs vulnerable to Stored XSS via Mermaid diagrams
Details

Summary

Stored XSS via mermaid diagrams due to usage of vulnerable renderer library

Details

Gogs introduced support for rendering mermaid diagrams in version 0.13.0.

Currently used version of the library mermaid 11.9.0 is vulnerable to at least two XSS scenarios with publicly available payloads

Resources: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw

PoC

  1. Create a markdown file eg. README.md containing following malicious mermaid diagram (payload based on CVE-2025-54880)
architecture-beta
    group api(cloud)[API]
    service db "<img src=x onerror=\"alert(document.domain)\">" [Database] in api
  1. The XSS should pop whenever either repository or file is viewed

Demo

https://github.com/user-attachments/assets/98320f62-6c1c-4254-aa61-95598c725235

Impact

The attacker can potentially achieve account takeover In a worst case scenario if the victim were an instance admin this could lead to a compromise of the entire deployment

Proposed remediation steps

  1. Upgrade to a patched version of the third party library https://github.com/mermaid-js/mermaid/releases/tag/v10.9.5
  2. Consider running mermaid using sandbox level which would mitigate impact of future potential cross-site scripting issues https://mermaid.js.org/config/usage.html#securitylevel
Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.13.3"
      },
      "package": {
        "ecosystem": "Go",
        "name": "gogs.io/gogs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.13.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-02-06T19:44:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nStored XSS via mermaid diagrams due to usage of vulnerable renderer library\n\n### Details\nGogs introduced support for rendering mermaid diagrams in version [0.13.0.](https://github.com/gogs/gogs/releases/tag/v0.13.0)\n\nCurrently used version of the library [mermaid 11.9.0](https://github.com/gogs/gogs/tree/main/public/plugins/mermaid-11.9.0) is vulnerable to at least two XSS scenarios with publicly available payloads\n\nResources:\nhttps://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh\nhttps://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw\n\n### PoC\n\n1. Create a markdown file eg. `README.md` containing following malicious mermaid diagram (payload based on [CVE-2025-54880](https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw))\n```\narchitecture-beta\n    group api(cloud)[API]\n    service db \"\u003cimg src=x onerror=\\\"alert(document.domain)\\\"\u003e\" [Database] in api\n```\n2. The XSS should pop whenever either repository or file is viewed\n\n#### Demo\n\nhttps://github.com/user-attachments/assets/98320f62-6c1c-4254-aa61-95598c725235\n\n### Impact\nThe attacker can potentially achieve account takeover\nIn a worst case scenario if the victim were an instance admin this could lead to a compromise of the entire deployment\n\n### Proposed remediation steps\n1. Upgrade to a patched version of the third party library\nhttps://github.com/mermaid-js/mermaid/releases/tag/v10.9.5\n2. Consider running mermaid using `sandbox` level which would mitigate impact of future potential cross-site scripting issues\nhttps://mermaid.js.org/config/usage.html#securitylevel",
  "id": "GHSA-26gq-grmh-6xm6",
  "modified": "2026-02-06T19:44:14Z",
  "published": "2026-02-06T19:44:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/security/advisories/GHSA-26gq-grmh-6xm6"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-8gwm-58g9-j8pw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/gogs/gogs/commit/71a72a72ad1c8cea7940c9d7e4cbdfbc0fc3d401"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/gogs/gogs"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Gogs vulnerable to Stored XSS via Mermaid diagrams"
}

GHSA-2GH6-WC3M-G37F

Vulnerability from github – Published: 2024-09-17 19:29 – Updated: 2024-09-17 19:29
VLAI
Summary
hermes-management is vulnerable to RCE due to Apache commons-jxpath
Details

Impact

hermes-management is vulnerable to RCE when it processes user-controlled data due to using Apache commons-jxpath.

Patches

Upgrade Hermes to at least hermes-2.2.9

References

https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "pl.allegro.tech.hermes:hermes-management"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "2.2.9"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-09-17T19:29:24Z",
    "nvd_published_at": null,
    "severity": "CRITICAL"
  },
  "details": "### Impact\nhermes-management is vulnerable to RCE when it processes user-controlled data due to using Apache commons-jxpath.\n\n### Patches\nUpgrade Hermes to at least hermes-2.2.9\n\n### References\nhttps://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852/\n",
  "id": "GHSA-2gh6-wc3m-g37f",
  "modified": "2024-09-17T19:29:24Z",
  "published": "2024-09-17T19:29:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/allegro/hermes/security/advisories/GHSA-2gh6-wc3m-g37f"
    },
    {
      "type": "WEB",
      "url": "https://github.com/allegro/hermes/commit/72ecc5aa41e37fd614443dd35d9200b66a61afb1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/allegro/hermes"
    },
    {
      "type": "WEB",
      "url": "https://hackinglab.cz/en/blog/remote-code-execution-in-jxpath-library-cve-2022-41852"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "hermes-management is vulnerable to RCE due to Apache commons-jxpath"
}

GHSA-2MHW-8QCG-GR96

Vulnerability from github – Published: 2026-03-19 18:10 – Updated: 2026-03-19 18:10
VLAI
Summary
skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version
Details

Impact

The Linux wheels for skia-python vendor a vulnerable version of libfreetype that is affected by CVE-2025-27363 [1].

The root cause is a chain of unfortunate events:

  1. skia-python builds wheels using pinned pypa/cibuildwheel@2.21.3 [2]

  2. cibuildwheel 2.21.3 in turn pins manylinux container images [3]

  3. In these images, version 2.9.1-9.el8 of RedHat package freetype is preinstalled. This package version is vulnerable and has since been patched in 2.9.1-10.

  4. During the skia-python Linux build, libfreetype is vendored from the system, resulting in skia-python.libs/libfreetype-29a7443c.so.6.16.1

[ To find the provenance of your vendored libfreetype, we extracted the 8-character hash of the original binary file that is added during the build process (29a7443c), and matched it against our database of hashes all historic Red Hat, Debian and Ubuntu releases of freetype. ]

  1. Because freetype is only a transitive dependency of the packages explicitly installed by the build script [4], it is not upgraded to the patched version [4].

  2. As a result, the published wheels embed a vulnerable libfreetype, even though patched packages are available upstream.

This appears to be a broader manylinux ecosystem issue. The base images do not enforce that yum update runs on container start, so preinstalled libraries may remain vulnerable indefinitely.

Patches

In the case of skia-python, the solution is to explicitly install freetype in the build process and rebuild the wheels.

The original report was suggesting the above, but in the current build_Linux.sh script, the patched freetype-devel version 2.9.1-10 gets installed as a dependency. It's just that we need to rebuild the wheel for a new release.

Workarounds

Users must upgrade the wheel package after release.

References

  1. https://nvd.nist.gov/vuln/detail/CVE-2025-27363
  2. https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/.github/workflows/ci.yml#L38
  3. https://github.com/pypa/cibuildwheel/blob/v2.21.3/cibuildwheel/resources/pinned_docker_images.cfg
  4. https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/scripts/build_Linux.sh#L6
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "skia-python"
      },
      "versions": [
        "144.0"
      ]
    },
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 138.0"
      },
      "package": {
        "ecosystem": "PyPI",
        "name": "skia-python"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "144.0.post1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-787"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-03-19T18:10:25Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n\nThe Linux wheels for skia-python vendor a vulnerable version of\nlibfreetype that is affected by CVE-2025-27363 [1].\n\nThe root cause is a chain of unfortunate events:\n\n1. skia-python builds wheels using pinned pypa/cibuildwheel@2.21.3 [2]\n\n2. cibuildwheel 2.21.3 in turn pins manylinux container images [3]\n\n3. In these images, version 2.9.1-9.el8 of RedHat package freetype is\n*preinstalled*. This package version is vulnerable and has since been\npatched in 2.9.1-10.\n\n4. During the skia-python Linux build, libfreetype is vendored from the\nsystem, resulting in skia-python.libs/libfreetype-29a7443c.so.6.16.1\n\n[ To find the provenance of your vendored libfreetype, we extracted the\n8-character hash of the original binary file that is added during the\nbuild process (29a7443c), and matched it against our database of hashes\nall historic Red Hat, Debian and Ubuntu releases of freetype. ]\n\n5. Because freetype is only a *transitive* dependency of the packages\nexplicitly installed by the build script [4], it is not upgraded to the\npatched version [4].\n\n5. As a result, the published wheels embed a vulnerable libfreetype,\neven though patched packages are available upstream.\n\nThis appears to be a broader manylinux ecosystem issue. The base images\ndo not enforce that `yum update` runs on container start, so\npreinstalled libraries may remain vulnerable indefinitely.\n\n\n### Patches\n\n\u003e In the case of skia-python, the solution is to explicitly install freetype in the build process and rebuild the wheels.\n\nThe original report was suggesting the above, but in the current `build_Linux.sh` script, the patched `freetype-devel` version 2.9.1-10 gets installed as a dependency. It\u0027s just that we need to rebuild the wheel for a new release.\n\n### Workarounds\n\nUsers must upgrade the wheel package after release.\n\n### References\n\n1. https://nvd.nist.gov/vuln/detail/CVE-2025-27363\n2. https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/.github/workflows/ci.yml#L38\n3. https://github.com/pypa/cibuildwheel/blob/v2.21.3/cibuildwheel/resources/pinned_docker_images.cfg\n4. https://github.com/kyamagu/skia-python/blob/9ffb045811f9b5508e152302d5b81aadca6edd8d/scripts/build_Linux.sh#L6",
  "id": "GHSA-2mhw-8qcg-gr96",
  "modified": "2026-03-19T18:10:25Z",
  "published": "2026-03-19T18:10:25Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kyamagu/skia-python/security/advisories/GHSA-2mhw-8qcg-gr96"
    },
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27363"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kyamagu/skia-python"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "skia-python vendors vulnerable libfreetype because of pinned cibuildwheel version"
}

GHSA-32WQ-PPWG-3W4M

Vulnerability from github – Published: 2026-04-01 23:57 – Updated: 2026-04-01 23:57
VLAI
Summary
EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory
Details

Impact

Microsoft.Bcl.Memory, a transitive dependency of EnhancedLinq.Async, had a Denial of Service security vulnerability, CVE-2026-26127, thus affecting EnhancedLinq.Async versions that had vulnerable versions of Microsoft.Bcl.Memory as a transitive dependency.

Patches

EnhancedLinq.Async 1.0.0 Beta 3 updates the dependency on System.Linq.AsyncEnumerable to version 10.0.4 or newer which in turn updates the transitive dependency on Microsoft.Bcl.Memory from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.

Workarounds

No workarounds exist for this vulnerability.

How to fix the issue

To update the EnhancedLinq.Async NuGet package, use one of the following methods:

NuGet Package Manager UI in Visual Studio: - Open the project in Visual Studio. - Right-click on the project in Solution Explorer and select "Manage NuGet Packages..." or navigate to "Project > Manage NuGet Packages". - In the NuGet Package Manager window, select the "Updates" tab. This tab lists packages with available updates from configured package sources. - Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected. - Click the "Update" button.

Using the NuGet Package Manager Console in Visual Studio: - Open the project in Visual Studio. - Navigate to "Tools > NuGet Package Manager > Package Manager Console". - To update a specific package to its latest version, use the following Update-Package command:

Update-Package -Id EnhancedLinq.Async

Using the .NET CLI (Command Line Interface): - Open a terminal or command prompt in the project's directory. - To update a specific package to its latest version, use the following add package command:

dotnet package update EnhancedLinq.Async

Once the NuGet package reference has been updated, the application must be recompiled and redeployed.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "NuGet",
        "name": "EnhancedLinq.Async"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "1.0.0-beta.1"
            },
            {
              "fixed": "1.0.0-beta.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-129",
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-01T23:57:06Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Impact\n`Microsoft.Bcl.Memory`, a transitive dependency of `EnhancedLinq.Async`, had a Denial of Service security vulnerability, [CVE-2026-26127](https://github.com/dotnet/announcements/issues/384), thus affecting `EnhancedLinq.Async` versions that had vulnerable versions of `Microsoft.Bcl.Memory` as a transitive dependency.\n\n### Patches\n`EnhancedLinq.Async` 1.0.0 Beta 3 updates the dependency on `System.Linq.AsyncEnumerable` to version 10.0.4 or newer which in turn updates the transitive dependency on `Microsoft.Bcl.Memory` from version 10.0.3 to 10.0.4 or newer, resolving the vulnerability.\n\n### Workarounds\nNo workarounds exist for this vulnerability.\n\n### How to fix the issue\n\nTo update the `EnhancedLinq.Async` NuGet package, use one of the following methods:\n\n**NuGet Package Manager UI in Visual Studio:**\n- Open the project in Visual Studio.\n- Right-click on the project in Solution Explorer and select \"Manage NuGet Packages...\" or navigate to \"Project \u003e Manage NuGet Packages\".\n- In the NuGet Package Manager window, select the \"Updates\" tab. This tab lists packages with available updates from configured package sources.\n- Select the package(s) to update. A specific version can be chosen from the dropdown, or the latest available version can be selected.\n- Click the \"Update\" button.\n\n**Using the NuGet Package Manager Console in Visual Studio:**\n- Open the project in Visual Studio.\n- Navigate to \"Tools \u003e NuGet Package Manager \u003e Package Manager Console\".\n- To update a specific package to its latest version, use the following Update-Package command:\n\n```\nUpdate-Package -Id EnhancedLinq.Async\n```\n\n**Using the .NET CLI (Command Line Interface):**\n- Open a terminal or command prompt in the project\u0027s directory.\n- To update a specific package to its latest version, use the following add package command:\n\n```\ndotnet package update EnhancedLinq.Async\n```\n\nOnce the NuGet package reference has been updated, the application must be recompiled and redeployed.",
  "id": "GHSA-32wq-ppwg-3w4m",
  "modified": "2026-04-01T23:57:06Z",
  "published": "2026-04-01T23:57:06Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/alastairlundy/EnhancedLinq/security/advisories/GHSA-32wq-ppwg-3w4m"
    },
    {
      "type": "WEB",
      "url": "https://github.com/dotnet/announcements/issues/384"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/alastairlundy/EnhancedLinq"
    },
    {
      "type": "WEB",
      "url": "https://www.cve.org/CVERecord?id=CVE-2026-26127"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
      "type": "CVSS_V3"
    }
  ],
  "summary": "EnhancedLinq.Async is Vulnerable to Denial of Service via Transitive Dependency Microsoft.Bcl.Memory"
}

GHSA-37XQ-Q42P-RV3P

Vulnerability from github – Published: 2023-08-24 22:18 – Updated: 2024-06-26 15:20
VLAI
Summary
ntpd has Dependency on Vulnerable Third-Party Component
Details

During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.

Impact

This vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS

Patches

Affected users are recommended to upgrade to version 0.3.7

References

See also https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "crates.io",
        "name": "ntpd"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.3.7"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-24T22:18:39Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "During startup, an attacker that can man-in-the-middle traffic to and from NTS key exchange servers can trigger a very expensive key validation process due to a vulnerability in webpki.\n\n### Impact\nThis vulnerability can lead to excessive cpu usage on startup on clients configured to use NTS\n\n### Patches\nAffected users are recommended to upgrade to version 0.3.7\n\n### References\nSee also https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md\n",
  "id": "GHSA-37xq-q42p-rv3p",
  "modified": "2024-06-26T15:20:09Z",
  "published": "2023-08-24T22:18:39Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/pendulum-project/ntpd-rs/security/advisories/GHSA-37xq-q42p-rv3p"
    },
    {
      "type": "WEB",
      "url": "https://github.com/pendulum-project/ntpd-rs/commit/927952a440176a18f3ded132eb831ae7f7ac5c00"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/pendulum-project/ntpd-rs"
    },
    {
      "type": "WEB",
      "url": "https://github.com/rustsec/advisory-db/blob/main/crates/rustls-webpki/RUSTSEC-2023-0053.md"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:L",
      "type": "CVSS_V3"
    }
  ],
  "summary": "ntpd has Dependency on Vulnerable Third-Party Component"
}

GHSA-39H7-PWV7-RC3X

Vulnerability from github – Published: 2026-04-24 20:41 – Updated: 2026-04-24 20:41
VLAI
Summary
Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)
Details

Impact

@excalidraw/excalidraw@0.18.0 depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid’s KaTeX label rendering path.

This is patched in @excalidraw/excalidraw@0.18.1 by updating @excalidraw/mermaid-to-excalidraw to 2.2.2, which uses a patched Mermaid 11 release.

Moderate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).

Patches

  • Stable @excalidraw/excalidraw@0.18.1 is patched.
  • Unstable @excalidraw/excalidraw@next has resolved to patched builds since @excalidraw/excalidraw@0.18.0-f29edf on 2025-08-21.
  • Direct consumers of @excalidraw/mermaid-to-excalidraw should use 1.1.3 or later.

Workarounds

None.

Resources

  • Upstream Mermaid advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh
  • CVE-2025-54881
Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "npm",
        "name": "@excalidraw/excalidraw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.18.0"
            },
            {
              "fixed": "0.18.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ],
      "versions": [
        "0.18.0"
      ]
    },
    {
      "package": {
        "ecosystem": "npm",
        "name": "@excalidraw/mermaid-to-excalidraw"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0.3.0"
            },
            {
              "fixed": "1.1.3"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-1395",
      "CWE-79"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-04-24T20:41:51Z",
    "nvd_published_at": null,
    "severity": "MODERATE"
  },
  "details": "### Impact\n\n`@excalidraw/excalidraw@0.18.0` depends on a Mermaid conversion package version that resolves to a Mermaid release affected by CVE-2025-54881 / GHSA-7rqq-prvp-x9jh. User-supplied Mermaid sequence diagram labels could trigger XSS through Mermaid\u2019s KaTeX label rendering path.\n\nThis is patched in `@excalidraw/excalidraw@0.18.1` by updating `@excalidraw/mermaid-to-excalidraw` to `2.2.2`, which uses a patched Mermaid 11 release.\n\nModerate severity as this XSS requires manual user action - pasting unsafe Mermaid diagram into the Excalidraw editor. No semi-automated attack vector exists by default (such as accessing a link).\n\n### Patches\n\n- Stable `@excalidraw/excalidraw@0.18.1` is patched.\n- Unstable `@excalidraw/excalidraw@next` has resolved to patched builds since `@excalidraw/excalidraw@0.18.0-f29edf` on 2025-08-21.\n- Direct consumers of `@excalidraw/mermaid-to-excalidraw` should use `1.1.3` or later.\n\n### Workarounds\n\nNone.\n\n### Resources\n\n- Upstream Mermaid advisory: https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh\n- CVE-2025-54881",
  "id": "GHSA-39h7-pwv7-rc3x",
  "modified": "2026-04-24T20:41:51Z",
  "published": "2026-04-24T20:41:51Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/excalidraw/excalidraw/security/advisories/GHSA-39h7-pwv7-rc3x"
    },
    {
      "type": "WEB",
      "url": "https://github.com/mermaid-js/mermaid/security/advisories/GHSA-7rqq-prvp-x9jh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/excalidraw/excalidraw"
    },
    {
      "type": "WEB",
      "url": "https://github.com/excalidraw/excalidraw/releases/tag/v0.18.1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Excalidraw vulnerable to XSS via Mermaid sequence diagram labels (KaTeX rendering)"
}

Mitigation
Requirements Policy

In some industries such as healthcare [REF-1320] [REF-1322] or technologies such as the cloud [REF-1321], it might be unclear about who is responsible for applying patches for third-party vulnerabilities: the vendor, the operator/customer, or a separate service. Clarifying roles and responsibilities can be important to minimize confusion or unnecessary delay when third-party vulnerabilities are disclosed.

Mitigation
Requirements

Require a Bill of Materials for all components and sub-components of the product. For software, require a Software Bill of Materials (SBOM) [REF-1247] [REF-1311].

Mitigation
Architecture and Design Implementation Integration Manufacturing

Maintain a Bill of Materials for all components and sub-components of the product. For software, maintain a Software Bill of Materials (SBOM). According to [REF-1247], "An SBOM is a formal, machine-readable inventory of software components and dependencies, information about those components, and their hierarchical relationships."

Mitigation
Operation Patching and Maintenance

Actively monitor when a third-party component vendor announces vulnerability patches; fix the third-party component as soon as possible; and make it easy for operators/customers to obtain and apply the patch.

Mitigation
Operation Patching and Maintenance

Continuously monitor changes in each of the product's components, especially when the changes indicate new vulnerabilities, end-of-life (EOL) plans, etc.

No CAPEC attack patterns related to this CWE.