Action not permitted
Modal body text goes here.
Modal Title
Modal Body
CVE-2026-33036 (GCVE-0-2026-33036)
Vulnerability from cvelistv5 – Published: 2026-03-20 05:17 – Updated: 2026-03-25 13:57
VLAI
EPSS
Title
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Summary
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
Severity
7.5 (High)
CWE
- CWE-776 - Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/NaturalIntelligence/fast-xml-p… | x_refsource_CONFIRM |
| https://github.com/NaturalIntelligence/fast-xml-p… | x_refsource_MISC |
| https://github.com/NaturalIntelligence/fast-xml-p… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| NaturalIntelligence | fast-xml-parser |
Affected:
>= 4.0.0-beta.3, < 5.5.6
|
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33036",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T13:57:14.886976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T13:57:58.233Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "fast-xml-parser",
"vendor": "NaturalIntelligence",
"versions": [
{
"status": "affected",
"version": "\u003e= 4.0.0-beta.3, \u003c 5.5.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-776",
"description": "CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T05:17:03.290Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
},
{
"name": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
},
{
"name": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
}
],
"source": {
"advisory": "GHSA-8gc5-j5rx-235r",
"discovery": "UNKNOWN"
},
"title": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33036",
"datePublished": "2026-03-20T05:17:03.290Z",
"dateReserved": "2026-03-17T18:10:50.210Z",
"dateUpdated": "2026-03-25T13:57:58.233Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2",
"vulnerability-lookup:meta": {
"epss": {
"cve": "CVE-2026-33036",
"date": "2026-05-29",
"epss": "0.00027",
"percentile": "0.083"
},
"nvd": "{\"cve\":{\"id\":\"CVE-2026-33036\",\"sourceIdentifier\":\"security-advisories@github.com\",\"published\":\"2026-03-20T06:16:11.630\",\"lastModified\":\"2026-03-23T16:28:10.930\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6.\"},{\"lang\":\"es\",\"value\":\"fast-xml-parser permite a los usuarios procesar XML desde objetos JS sin bibliotecas basadas en C/C++ ni callbacks. Las versiones 4.0.0-beta.3 hasta la 5.5.5 contienen una vulnerabilidad de bypass donde las referencias de caracteres num\u00e9ricos (\u0026amp;#NNN;, \u0026amp;#xHH;) y las entidades XML est\u00e1ndar evaden completamente los l\u00edmites de expansi\u00f3n de entidades (p. ej., maxTotalExpansions, maxExpandedLength) a\u00f1adidos para corregir CVE-2026-26278, lo que permite la denegaci\u00f3n de servicio por expansi\u00f3n de entidades XML. La causa ra\u00edz es que replaceEntitiesValue() en OrderedObjParser.js solo aplica el conteo de expansi\u00f3n en entidades definidas en DOCTYPE, mientras que el bucle lastEntities que maneja las entidades num\u00e9ricas/est\u00e1ndar no realiza ning\u00fan conteo. Un atacante que suministre 1M de referencias de entidades num\u00e9ricas como A puede forzar una asignaci\u00f3n de memoria de ~147MB y un uso intensivo de CPU, lo que podr\u00eda bloquear el proceso, incluso cuando los desarrolladores han configurado l\u00edmites estrictos. Este problema ha sido corregido en la versi\u00f3n 5.5.6.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\",\"baseScore\":7.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"NONE\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":3.6}]},\"weaknesses\":[{\"source\":\"security-advisories@github.com\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-776\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*\",\"versionStartIncluding\":\"4.0.1\",\"versionEndExcluding\":\"5.5.6\",\"matchCriteriaId\":\"AB9177BC-BACD-4367-9063-398ACE2AB4A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*\",\"matchCriteriaId\":\"2398B145-2ED8-4197-8838-FAE7AD7666E7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*\",\"matchCriteriaId\":\"44B6C4BE-69F4-4651-80EE-055D1F99F7EF\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*\",\"matchCriteriaId\":\"4B32E8C4-15A7-466D-98A7-9EDD6B45F883\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*\",\"matchCriteriaId\":\"23CDA792-75FA-48A7-8577-4266A0BFB3A7\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*\",\"matchCriteriaId\":\"D4B7FD7D-0059-4D5B-898D-539AB43AA24A\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*\",\"matchCriteriaId\":\"42844DDE-AD5B-4684-8104-1C2D133C6098\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*\",\"matchCriteriaId\":\"C045B7F2-16A9-47C9-B08D-71847A940B93\"}]}]}],\"references\":[{\"url\":\"https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Patch\"]},{\"url\":\"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Product\",\"Release Notes\"]},{\"url\":\"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r\",\"source\":\"security-advisories@github.com\",\"tags\":[\"Exploit\",\"Mitigation\",\"Vendor Advisory\"]}]}}",
"vulnrichment": {
"containers": "{\"adp\": [{\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-33036\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"poc\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-03-25T13:57:14.886976Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-03-25T13:57:44.654Z\"}}], \"cna\": {\"title\": \"fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)\", \"source\": {\"advisory\": \"GHSA-8gc5-j5rx-235r\", \"discovery\": \"UNKNOWN\"}, \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 7.5, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H\", \"integrityImpact\": \"NONE\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"HIGH\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"NONE\"}}], \"affected\": [{\"vendor\": \"NaturalIntelligence\", \"product\": \"fast-xml-parser\", \"versions\": [{\"status\": \"affected\", \"version\": \"\u003e= 4.0.0-beta.3, \u003c 5.5.6\"}]}], \"references\": [{\"url\": \"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r\", \"name\": \"https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r\", \"tags\": [\"x_refsource_CONFIRM\"]}, {\"url\": \"https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01\", \"name\": \"https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01\", \"tags\": [\"x_refsource_MISC\"]}, {\"url\": \"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6\", \"name\": \"https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6\", \"tags\": [\"x_refsource_MISC\"]}], \"descriptions\": [{\"lang\": \"en\", \"value\": \"fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6.\"}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-776\", \"description\": \"CWE-776: Improper Restriction of Recursive Entity References in DTDs (\u0027XML Entity Expansion\u0027)\"}]}], \"providerMetadata\": {\"orgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"shortName\": \"GitHub_M\", \"dateUpdated\": \"2026-03-20T05:17:03.290Z\"}}}",
"cveMetadata": "{\"cveId\": \"CVE-2026-33036\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-03-25T13:57:58.233Z\", \"dateReserved\": \"2026-03-17T18:10:50.210Z\", \"assignerOrgId\": \"a0819718-46f1-4df5-94e2-005712e83aaa\", \"datePublished\": \"2026-03-20T05:17:03.290Z\", \"assignerShortName\": \"GitHub_M\"}",
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
}
}
CERTFR-2026-AVI-0667
Vulnerability from certfr_avis - Published: 2026-05-29 - Updated: 2026-05-29
De multiples vulnérabilités ont été découvertes dans les produits IBM. Certaines d'entre elles permettent à un attaquant de provoquer une exécution de code arbitraire à distance, une élévation de privilèges et un déni de service à distance.
Solutions
Se référer au bulletin de sécurité de l'éditeur pour l'obtention des correctifs (cf. section Documentation).
Impacted products
| Vendor | Product | Description | ||
|---|---|---|---|---|
| IBM | Cognos Analytics | Cognos Analytics Mobile versions antérieures à 1.1.26 | ||
| IBM | Sterling Control Center | Sterling Control Center versions 6.3.1.0 sans le correctif iFix09 | ||
| IBM | Tivoli Monitoring | Tivoli Monitoring sans le dernier correctif de sécurité | ||
| IBM | QRadar SIEM | QRadar SIEM versions 7.5.0 antérieures à 7.5.0 UP15 IF03 | ||
| IBM | Sterling Control Center | Sterling Control Center versions 6.4.2.0 sans le correctif iFix04 | ||
| IBM | QRadar Suite Software | QRadar Suite Software versions antérieures à 1.11.11.0 | ||
| IBM | N/A | Analyst Workflow versions antérieures à 3.1.0 | ||
| IBM | Cloud Pak | Cloud Pak for Security versions antérieures à 1.11.11.0 | ||
| IBM | Sterling Control Center | Sterling Control Center versions 6.4.1.0 sans le correctif iFix03 |
References
| Title | Publication Time | Tags | |||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||
{
"$ref": "https://www.cert.ssi.gouv.fr/openapi.json",
"affected_systems": [
{
"description": "Cognos Analytics Mobile versions ant\u00e9rieures \u00e0 1.1.26",
"product": {
"name": "Cognos Analytics",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.3.1.0 sans le correctif iFix09",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Tivoli Monitoring sans le dernier correctif de s\u00e9curit\u00e9",
"product": {
"name": "Tivoli Monitoring",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar SIEM versions 7.5.0 ant\u00e9rieures \u00e0 7.5.0 UP15 IF03",
"product": {
"name": "QRadar SIEM",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.4.2.0 sans le correctif iFix04",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "QRadar Suite Software versions ant\u00e9rieures \u00e0 1.11.11.0",
"product": {
"name": "QRadar Suite Software",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Analyst Workflow versions ant\u00e9rieures \u00e0 3.1.0",
"product": {
"name": "N/A",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Cloud Pak for Security versions ant\u00e9rieures \u00e0 1.11.11.0",
"product": {
"name": "Cloud Pak",
"vendor": {
"name": "IBM",
"scada": false
}
}
},
{
"description": "Sterling Control Center versions 6.4.1.0 sans le correctif iFix03",
"product": {
"name": "Sterling Control Center",
"vendor": {
"name": "IBM",
"scada": false
}
}
}
],
"affected_systems_content": "",
"content": "## Solutions\n\nSe r\u00e9f\u00e9rer au bulletin de s\u00e9curit\u00e9 de l\u0027\u00e9diteur pour l\u0027obtention des correctifs (cf. section Documentation).",
"cves": [
{
"name": "CVE-2026-27980",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27980"
},
{
"name": "CVE-2026-35388",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35388"
},
{
"name": "CVE-2006-10003",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-10003"
},
{
"name": "CVE-2026-27135",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27135"
},
{
"name": "CVE-2026-41324",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41324"
},
{
"name": "CVE-2026-40466",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40466"
},
{
"name": "CVE-2026-2229",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2229"
},
{
"name": "CVE-2026-35386",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35386"
},
{
"name": "CVE-2026-32597",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32597"
},
{
"name": "CVE-2025-12816",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12816"
},
{
"name": "CVE-2026-22036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22036"
},
{
"name": "CVE-2026-31402",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31402"
},
{
"name": "CVE-2025-53643",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-53643"
},
{
"name": "CVE-2025-68741",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68741"
},
{
"name": "CVE-2026-33349",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33349"
},
{
"name": "CVE-2026-34982",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34982"
},
{
"name": "CVE-2026-33940",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33940"
},
{
"name": "CVE-2024-12797",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-12797"
},
{
"name": "CVE-2026-40974",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40974"
},
{
"name": "CVE-2026-1527",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1527"
},
{
"name": "CVE-2026-32875",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32875"
},
{
"name": "CVE-2026-31988",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31988"
},
{
"name": "CVE-2024-28102",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-28102"
},
{
"name": "CVE-2026-40977",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40977"
},
{
"name": "CVE-2026-22013",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22013"
},
{
"name": "CVE-2026-28421",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28421"
},
{
"name": "CVE-2026-1525",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1525"
},
{
"name": "CVE-2026-22018",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22018"
},
{
"name": "CVE-2026-31431",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31431"
},
{
"name": "CVE-2025-6176",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6176"
},
{
"name": "CVE-2025-11953",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-11953"
},
{
"name": "CVE-2026-23745",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23745"
},
{
"name": "CVE-2025-59471",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59471"
},
{
"name": "CVE-2026-33941",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33941"
},
{
"name": "CVE-2026-0848",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0848"
},
{
"name": "CVE-2025-41248",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41248"
},
{
"name": "CVE-2026-33412",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33412"
},
{
"name": "CVE-2026-5121",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5121"
},
{
"name": "CVE-2025-15284",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-15284"
},
{
"name": "CVE-2026-34282",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34282"
},
{
"name": "CVE-2025-59472",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-59472"
},
{
"name": "CVE-2026-2581",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2581"
},
{
"name": "CVE-2021-23337",
"url": "https://www.cve.org/CVERecord?id=CVE-2021-23337"
},
{
"name": "CVE-2025-64718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64718"
},
{
"name": "CVE-2026-23401",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23401"
},
{
"name": "CVE-2025-40252",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-40252"
},
{
"name": "CVE-2025-66031",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66031"
},
{
"name": "CVE-2025-62718",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-62718"
},
{
"name": "CVE-2026-21860",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21860"
},
{
"name": "CVE-2026-4800",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4800"
},
{
"name": "CVE-2026-0847",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0847"
},
{
"name": "CVE-2026-4424",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4424"
},
{
"name": "CVE-2025-6545",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6545"
},
{
"name": "CVE-2026-23865",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23865"
},
{
"name": "CVE-2026-28417",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-28417"
},
{
"name": "CVE-2023-5764",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-5764"
},
{
"name": "CVE-2026-5598",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5598"
},
{
"name": "CVE-2026-30922",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30922"
},
{
"name": "CVE-2026-23191",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23191"
},
{
"name": "CVE-2026-2359",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2359"
},
{
"name": "CVE-2026-6918",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6918"
},
{
"name": "CVE-2026-35535",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35535"
},
{
"name": "CVE-2025-68724",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-68724"
},
{
"name": "CVE-2026-33939",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33939"
},
{
"name": "CVE-2026-27699",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27699"
},
{
"name": "CVE-2025-65945",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-65945"
},
{
"name": "CVE-2026-33228",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33228"
},
{
"name": "CVE-2025-12758",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12758"
},
{
"name": "CVE-2026-40175",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40175"
},
{
"name": "CVE-2026-41044",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-41044"
},
{
"name": "CVE-2006-10002",
"url": "https://www.cve.org/CVERecord?id=CVE-2006-10002"
},
{
"name": "CVE-2026-5795",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-5795"
},
{
"name": "CVE-2026-40975",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40975"
},
{
"name": "CVE-2026-27942",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27942"
},
{
"name": "CVE-2024-41073",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-41073"
},
{
"name": "CVE-2026-26960",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26960"
},
{
"name": "CVE-2025-5187",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-5187"
},
{
"name": "CVE-2026-4923",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4923"
},
{
"name": "CVE-2026-4867",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4867"
},
{
"name": "CVE-2024-9902",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-9902"
},
{
"name": "CVE-2024-8775",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-8775"
},
{
"name": "CVE-2026-27199",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27199"
},
{
"name": "CVE-2026-27903",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27903"
},
{
"name": "CVE-2025-66471",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66471"
},
{
"name": "CVE-2026-21441",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-21441"
},
{
"name": "CVE-2025-66030",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66030"
},
{
"name": "CVE-2024-11079",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-11079"
},
{
"name": "CVE-2026-23897",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23897"
},
{
"name": "CVE-2026-35385",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35385"
},
{
"name": "CVE-2026-34601",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34601"
},
{
"name": "CVE-2026-29057",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29057"
},
{
"name": "CVE-2026-32874",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32874"
},
{
"name": "CVE-2026-4519",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4519"
},
{
"name": "CVE-2026-34197",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34197"
},
{
"name": "CVE-2026-25128",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25128"
},
{
"name": "CVE-2025-13333",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13333"
},
{
"name": "CVE-2025-12635",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-12635"
},
{
"name": "CVE-2026-24842",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24842"
},
{
"name": "CVE-2025-66221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66221"
},
{
"name": "CVE-2026-23950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23950"
},
{
"name": "CVE-2026-33036",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33036"
},
{
"name": "CVE-2026-35414",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35414"
},
{
"name": "CVE-2026-2950",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2950"
},
{
"name": "CVE-2026-3304",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-3304"
},
{
"name": "CVE-2026-33916",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33916"
},
{
"name": "CVE-2026-22016",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22016"
},
{
"name": "CVE-2026-22021",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22021"
},
{
"name": "CVE-2026-6100",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-6100"
},
{
"name": "CVE-2026-22007",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22007"
},
{
"name": "CVE-2026-34268",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-34268"
},
{
"name": "CVE-2026-29786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29786"
},
{
"name": "CVE-2024-29371",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-29371"
},
{
"name": "CVE-2026-1519",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1519"
},
{
"name": "CVE-2026-1528",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1528"
},
{
"name": "CVE-2023-26132",
"url": "https://www.cve.org/CVERecord?id=CVE-2023-26132"
},
{
"name": "CVE-2026-1526",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-1526"
},
{
"name": "CVE-2026-33937",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33937"
},
{
"name": "CVE-2026-31808",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31808"
},
{
"name": "CVE-2026-27459",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27459"
},
{
"name": "CVE-2026-25639",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25639"
},
{
"name": "CVE-2026-40973",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-40973"
},
{
"name": "CVE-2026-39373",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39373"
},
{
"name": "CVE-2026-27448",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27448"
},
{
"name": "CVE-2026-8620",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8620"
},
{
"name": "CVE-2025-69277",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-69277"
},
{
"name": "CVE-2026-8633",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-8633"
},
{
"name": "CVE-2026-26278",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26278"
},
{
"name": "CVE-2025-22870",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-22870"
},
{
"name": "CVE-2026-23490",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-23490"
},
{
"name": "CVE-2025-14009",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14009"
},
{
"name": "CVE-2025-7339",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-7339"
},
{
"name": "CVE-2025-41249",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-41249"
},
{
"name": "CVE-2026-25896",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25896"
},
{
"name": "CVE-2026-26996",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-26996"
},
{
"name": "CVE-2026-4786",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4786"
},
{
"name": "CVE-2026-33938",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-33938"
},
{
"name": "CVE-2025-64756",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-64756"
},
{
"name": "CVE-2026-32141",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-32141"
},
{
"name": "CVE-2026-30951",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-30951"
},
{
"name": "CVE-2026-35387",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35387"
},
{
"name": "CVE-2026-24001",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-24001"
},
{
"name": "CVE-2025-58754",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-58754"
},
{
"name": "CVE-2026-27837",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27837"
},
{
"name": "CVE-2025-6547",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-6547"
},
{
"name": "CVE-2026-29063",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-29063"
},
{
"name": "CVE-2026-39983",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-39983"
},
{
"name": "CVE-2026-22008",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-22008"
},
{
"name": "CVE-2025-14813",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-14813"
},
{
"name": "CVE-2026-31802",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-31802"
},
{
"name": "CVE-2025-13465",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-13465"
},
{
"name": "CVE-2025-67221",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-67221"
},
{
"name": "CVE-2026-4926",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-4926"
},
{
"name": "CVE-2026-25547",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-25547"
},
{
"name": "CVE-2026-27904",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-27904"
},
{
"name": "CVE-2026-2739",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-2739"
},
{
"name": "CVE-2024-56462",
"url": "https://www.cve.org/CVERecord?id=CVE-2024-56462"
},
{
"name": "CVE-2026-35213",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-35213"
},
{
"name": "CVE-2025-66418",
"url": "https://www.cve.org/CVERecord?id=CVE-2025-66418"
},
{
"name": "CVE-2026-0846",
"url": "https://www.cve.org/CVERecord?id=CVE-2026-0846"
}
],
"initial_release_date": "2026-05-29T00:00:00",
"last_revision_date": "2026-05-29T00:00:00",
"links": [],
"reference": "CERTFR-2026-AVI-0667",
"revisions": [
{
"description": "Version initiale",
"revision_date": "2026-05-29T00:00:00.000000"
}
],
"risks": [
{
"description": "D\u00e9ni de service \u00e0 distance"
},
{
"description": "Injection de code indirecte \u00e0 distance (XSS)"
},
{
"description": "Ex\u00e9cution de code arbitraire \u00e0 distance"
},
{
"description": "Atteinte \u00e0 l\u0027int\u00e9grit\u00e9 des donn\u00e9es"
},
{
"description": "Injection SQL (SQLi)"
},
{
"description": "Non sp\u00e9cifi\u00e9 par l\u0027\u00e9diteur"
},
{
"description": "Falsification de requ\u00eates c\u00f4t\u00e9 serveur (SSRF)"
},
{
"description": "Contournement de la politique de s\u00e9curit\u00e9"
},
{
"description": "Atteinte \u00e0 la confidentialit\u00e9 des donn\u00e9es"
},
{
"description": "\u00c9l\u00e9vation de privil\u00e8ges"
}
],
"summary": "De multiples vuln\u00e9rabilit\u00e9s ont \u00e9t\u00e9 d\u00e9couvertes dans les produits IBM. Certaines d\u0027entre elles permettent \u00e0 un attaquant de provoquer une ex\u00e9cution de code arbitraire \u00e0 distance, une \u00e9l\u00e9vation de privil\u00e8ges et un d\u00e9ni de service \u00e0 distance.",
"title": "Multiples vuln\u00e9rabilit\u00e9s dans les produits IBM",
"vendor_advisories": [
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274185",
"url": "https://www.ibm.com/support/pages/node/7274185"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274154",
"url": "https://www.ibm.com/support/pages/node/7274154"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274180",
"url": "https://www.ibm.com/support/pages/node/7274180"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274183",
"url": "https://www.ibm.com/support/pages/node/7274183"
},
{
"published_at": "2026-05-25",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7273957",
"url": "https://www.ibm.com/support/pages/node/7273957"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274184",
"url": "https://www.ibm.com/support/pages/node/7274184"
},
{
"published_at": "2026-05-28",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274314",
"url": "https://www.ibm.com/support/pages/node/7274314"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274182",
"url": "https://www.ibm.com/support/pages/node/7274182"
},
{
"published_at": "2026-05-27",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7274181",
"url": "https://www.ibm.com/support/pages/node/7274181"
},
{
"published_at": "2026-05-22",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7273803",
"url": "https://www.ibm.com/support/pages/node/7273803"
},
{
"published_at": "2026-05-22",
"title": "Bulletin de s\u00e9curit\u00e9 IBM 7272901",
"url": "https://www.ibm.com/support/pages/node/7272901"
}
]
}
cleanstart-2026-ad27625
Vulnerability from cleanstart
Published
2026-05-18 13:41
Modified
2026-05-06 06:31
Summary
Security fixes for CVE-2022-25881, CVE-2022-33987, CVE-2025-25285, CVE-2025-62718, CVE-2025-69873, CVE-2026-21637, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-33036, CVE-2026-33349, CVE-2026-33750, CVE-2026-33916, CVE-2026-33937, CVE-2026-41650, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, ghsa-23c5-xmqv-rm74, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-442j-39wm-28r2, ghsa-48c2-rrv3-qjmp, ghsa-72xf-g2v4-qvf3, ghsa-7r86-cg39-jmmj, ghsa-7rx3-28cr-v5wh, ghsa-9cx6-37pm-9jff, ghsa-c2c7-rcm5-vvqj, ghsa-chqc-8p9q-pq6q, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-gh4j-gqv2-49f6, ghsa-j3q9-mxjg-w52f, ghsa-pfrx-2q88-qq97, ghsa-r5fr-rjxr-66jc, ghsa-rc47-6667-2j5j, ghsa-rmvr-2pp2-xj38, ghsa-rp42-5vxx-qpwr, ghsa-w5hq-g745-h8pq, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf applied in versions: 2.6.0-r1, 2.6.0-r2, 2.6.0-r3, 2.6.0-r4
Details
Multiple security vulnerabilities affect the mongosh package. These issues are resolved in later releases. See references for individual vulnerability details.
References
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "mongosh"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.6.0-r4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the mongosh package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-AD27625",
"modified": "2026-05-06T06:31:52Z",
"published": "2026-05-18T13:41:09.057005Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-AD27625.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-25881"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2022-33987"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-25285"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-62718"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-21637"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33349"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33916"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33937"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-41650"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4923"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4926"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2qvq-rjwj-gvw9"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2w6w-674q-4c4q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3mfm-83xf-c92r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3p68-rc4w-qgx5"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-442j-39wm-28r2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-48c2-rrv3-qjmp"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-72xf-g2v4-qvf3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7rx3-28cr-v5wh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9cx6-37pm-9jff"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-chqc-8p9q-pq6q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-gh4j-gqv2-49f6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-j3q9-mxjg-w52f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-pfrx-2q88-qq97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rc47-6667-2j5j"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rmvr-2pp2-xj38"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-rp42-5vxx-qpwr"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w5hq-g745-h8pq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xhpv-hc6g-r9c6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xjpj-3mr7-gcpf"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-25881"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-33987"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25285"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62718"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21637"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33349"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33916"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33937"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41650"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4923"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4926"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2022-25881, CVE-2022-33987, CVE-2025-25285, CVE-2025-62718, CVE-2025-69873, CVE-2026-21637, CVE-2026-23745, CVE-2026-24842, CVE-2026-26960, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-33036, CVE-2026-33349, CVE-2026-33750, CVE-2026-33916, CVE-2026-33937, CVE-2026-41650, CVE-2026-4800, CVE-2026-4923, CVE-2026-4926, ghsa-23c5-xmqv-rm74, ghsa-2qvq-rjwj-gvw9, ghsa-2w6w-674q-4c4q, ghsa-3mfm-83xf-c92r, ghsa-3p68-rc4w-qgx5, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-442j-39wm-28r2, ghsa-48c2-rrv3-qjmp, ghsa-72xf-g2v4-qvf3, ghsa-7r86-cg39-jmmj, ghsa-7rx3-28cr-v5wh, ghsa-9cx6-37pm-9jff, ghsa-c2c7-rcm5-vvqj, ghsa-chqc-8p9q-pq6q, ghsa-f23m-r3pf-42rh, ghsa-f886-m6hf-6m8v, ghsa-gh4j-gqv2-49f6, ghsa-j3q9-mxjg-w52f, ghsa-pfrx-2q88-qq97, ghsa-r5fr-rjxr-66jc, ghsa-rc47-6667-2j5j, ghsa-rmvr-2pp2-xj38, ghsa-rp42-5vxx-qpwr, ghsa-w5hq-g745-h8pq, ghsa-xhpv-hc6g-r9c6, ghsa-xjpj-3mr7-gcpf applied in versions: 2.6.0-r1, 2.6.0-r2, 2.6.0-r3, 2.6.0-r4",
"upstream": [
"CVE-2022-25881",
"CVE-2022-33987",
"CVE-2025-25285",
"CVE-2025-62718",
"CVE-2025-69873",
"CVE-2026-21637",
"CVE-2026-23745",
"CVE-2026-24842",
"CVE-2026-26960",
"CVE-2026-2950",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-33036",
"CVE-2026-33349",
"CVE-2026-33750",
"CVE-2026-33916",
"CVE-2026-33937",
"CVE-2026-41650",
"CVE-2026-4800",
"CVE-2026-4923",
"CVE-2026-4926",
"ghsa-23c5-xmqv-rm74",
"ghsa-2qvq-rjwj-gvw9",
"ghsa-2w6w-674q-4c4q",
"ghsa-3mfm-83xf-c92r",
"ghsa-3p68-rc4w-qgx5",
"ghsa-3ppc-4f35-3m26",
"ghsa-3v7f-55p6-f55p",
"ghsa-442j-39wm-28r2",
"ghsa-48c2-rrv3-qjmp",
"ghsa-72xf-g2v4-qvf3",
"ghsa-7r86-cg39-jmmj",
"ghsa-7rx3-28cr-v5wh",
"ghsa-9cx6-37pm-9jff",
"ghsa-c2c7-rcm5-vvqj",
"ghsa-chqc-8p9q-pq6q",
"ghsa-f23m-r3pf-42rh",
"ghsa-f886-m6hf-6m8v",
"ghsa-gh4j-gqv2-49f6",
"ghsa-j3q9-mxjg-w52f",
"ghsa-pfrx-2q88-qq97",
"ghsa-r5fr-rjxr-66jc",
"ghsa-rc47-6667-2j5j",
"ghsa-rmvr-2pp2-xj38",
"ghsa-rp42-5vxx-qpwr",
"ghsa-w5hq-g745-h8pq",
"ghsa-xhpv-hc6g-r9c6",
"ghsa-xjpj-3mr7-gcpf"
]
}
cleanstart-2026-ce10526
Vulnerability from cleanstart
Published
2026-05-18 13:17
Modified
2026-05-13 11:44
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27143, CVE-2026-27144, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33036, CVE-2026-33750, CVE-2026-33810, CVE-2026-35209, CVE-2026-42338, CVE-2026-4800, CVE-2026-6951, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-737v-mqg7-c878, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-f23m-r3pf-42rh, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-hffm-xvc3-vprc, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-v2v4-37r5-5v8g, ghsa-v3rj-xjv7-4jmq, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883, ghsa-xq3m-2v4x-88gg applied in versions: 43.123.6-r0, 43.123.8-r1, 43.123.8-r2, 43.123.8-r3, 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-CE10526",
"modified": "2026-05-13T11:44:57Z",
"published": "2026-05-18T13:17:48.128214Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-CE10526.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-6951"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-737v-mqg7-c878"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hffm-xvc3-vprc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v3rj-xjv7-4jmq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xq3m-2v4x-88gg"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6951"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27143, CVE-2026-27144, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33036, CVE-2026-33750, CVE-2026-33810, CVE-2026-35209, CVE-2026-42338, CVE-2026-4800, CVE-2026-6951, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-737v-mqg7-c878, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-f23m-r3pf-42rh, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-hffm-xvc3-vprc, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-v2v4-37r5-5v8g, ghsa-v3rj-xjv7-4jmq, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883, ghsa-xq3m-2v4x-88gg applied in versions: 43.123.6-r0, 43.123.8-r1, 43.123.8-r2, 43.123.8-r3, 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27143",
"CVE-2026-27144",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-2950",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33036",
"CVE-2026-33750",
"CVE-2026-33810",
"CVE-2026-35209",
"CVE-2026-42338",
"CVE-2026-4800",
"CVE-2026-6951",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-3v7f-55p6-f55p",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-737v-mqg7-c878",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-c2c7-rcm5-vvqj",
"ghsa-f23m-r3pf-42rh",
"ghsa-f269-vfmq-vjvj",
"ghsa-f886-m6hf-6m8v",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-hffm-xvc3-vprc",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r5fr-rjxr-66jc",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v2v4-37r5-5v8g",
"ghsa-v3rj-xjv7-4jmq",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883",
"ghsa-xq3m-2v4x-88gg"
]
}
cleanstart-2026-dv49099
Vulnerability from cleanstart
Published
2026-04-01 09:31
Modified
2026-03-23 10:49
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-DV49099",
"modified": "2026-03-23T10:49:42Z",
"published": "2026-04-01T09:31:16.419730Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-DV49099.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-gs57401
Vulnerability from cleanstart
Published
2026-04-01 09:43
Modified
2026-03-19 07:48
Summary
Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.3-r1"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-GS57401",
"modified": "2026-03-19T07:48:38Z",
"published": "2026-04-01T09:43:24.793409Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-GS57401.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-2391, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.3-r1",
"upstream": [
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-2391",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-nb51079
Vulnerability from cleanstart
Published
2026-05-18 13:17
Modified
2026-05-13 11:51
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27143, CVE-2026-27144, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33036, CVE-2026-33750, CVE-2026-33810, CVE-2026-35209, CVE-2026-42338, CVE-2026-4800, CVE-2026-6951, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-737v-mqg7-c878, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-f23m-r3pf-42rh, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-hffm-xvc3-vprc, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-v2v4-37r5-5v8g, ghsa-v3rj-xjv7-4jmq, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883, ghsa-xq3m-2v4x-88gg applied in versions: 43.123.6-r0, 43.123.8-r1, 43.123.8-r2, 43.123.8-r3, 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-NB51079",
"modified": "2026-05-13T11:51:19Z",
"published": "2026-05-18T13:17:47.972643Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-NB51079.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-6951"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3v7f-55p6-f55p"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-737v-mqg7-c878"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-c2c7-rcm5-vvqj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f23m-r3pf-42rh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f886-m6hf-6m8v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-hffm-xvc3-vprc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r5fr-rjxr-66jc"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v2v4-37r5-5v8g"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v3rj-xjv7-4jmq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-xq3m-2v4x-88gg"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27143"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27144"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2950"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32280"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32281"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32282"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32283"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32289"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33750"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33810"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-35209"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-42338"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4800"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6951"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27143, CVE-2026-27144, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-2950, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-32280, CVE-2026-32281, CVE-2026-32282, CVE-2026-32283, CVE-2026-32289, CVE-2026-33036, CVE-2026-33750, CVE-2026-33810, CVE-2026-35209, CVE-2026-42338, CVE-2026-4800, CVE-2026-6951, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-3v7f-55p6-f55p, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-737v-mqg7-c878, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-c2c7-rcm5-vvqj, ghsa-f23m-r3pf-42rh, ghsa-f269-vfmq-vjvj, ghsa-f886-m6hf-6m8v, ghsa-fj3w-jwp8-x2g3, ghsa-hffm-xvc3-vprc, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r5fr-rjxr-66jc, ghsa-r6q2-hw4h-h46w, ghsa-v2v4-37r5-5v8g, ghsa-v3rj-xjv7-4jmq, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883, ghsa-xq3m-2v4x-88gg applied in versions: 43.123.6-r0, 43.123.8-r1, 43.123.8-r2, 43.123.8-r3, 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27143",
"CVE-2026-27144",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-2950",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-32280",
"CVE-2026-32281",
"CVE-2026-32282",
"CVE-2026-32283",
"CVE-2026-32289",
"CVE-2026-33036",
"CVE-2026-33750",
"CVE-2026-33810",
"CVE-2026-35209",
"CVE-2026-42338",
"CVE-2026-4800",
"CVE-2026-6951",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-3v7f-55p6-f55p",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-737v-mqg7-c878",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-c2c7-rcm5-vvqj",
"ghsa-f23m-r3pf-42rh",
"ghsa-f269-vfmq-vjvj",
"ghsa-f886-m6hf-6m8v",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-hffm-xvc3-vprc",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r5fr-rjxr-66jc",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v2v4-37r5-5v8g",
"ghsa-v3rj-xjv7-4jmq",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883",
"ghsa-xq3m-2v4x-88gg"
]
}
cleanstart-2026-ow14933
Vulnerability from cleanstart
Published
2026-05-18 13:33
Modified
2026-05-10 16:06
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-OW14933",
"modified": "2026-05-10T16:06:08Z",
"published": "2026-05-18T13:33:43.873182Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-OW14933.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
cleanstart-2026-sw34937
Vulnerability from cleanstart
Published
2026-04-01 09:43
Modified
2026-03-19 07:58
Summary
Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0
Details
Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.
References
| URL | Type | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
{
"affected": [
{
"package": {
"ecosystem": "CleanStart",
"name": "renovate"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "43.4.4-r0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"credits": [],
"database_specific": {},
"details": "Multiple security vulnerabilities affect the renovate package. These issues are resolved in later releases. See references for individual vulnerability details.",
"id": "CLEANSTART-2026-SW34937",
"modified": "2026-03-19T07:58:44Z",
"published": "2026-04-01T09:43:38.907490Z",
"references": [
{
"type": "ADVISORY",
"url": "https://github.com/cleanstart-dev/cleanstart-security-advisories/tree/main/advisories/2026/CLEANSTART-2026-SW34937.json"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-23c5-xmqv-rm74"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-25h7-pfq9-p65f"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2g4f-4pwh-qvx6"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-2mjp-6q6p-2qxm"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-34x7-hfp2-rc4v"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-37qj-frw5-hhjh"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-38c4-r59v-3vqw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-3ppc-4f35-3m26"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-4992-7rv2-5pvq"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-5j98-mcp5-4vw2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-73rr-hh4g-fpgx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7h2j-956f-4vf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-7r86-cg39-jmmj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-83g3-92jg-28cx"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8gc5-j5rx-235r"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8qq5-rm4j-mr97"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-8wc6-vgrq-x6cf"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-9ppj-qmqm-q256"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-f269-vfmq-vjvj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-fj3w-jwp8-x2g3"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-jmr7-xgp7-cmfj"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-m7jm-9gc2-mpf2"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-phc3-fgpg-7m6h"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qffp-2rhf-9h96"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-qpx9-hpmf-5gmw"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r275-fr43-pm7q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-r6q2-hw4h-h46w"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-v9p9-hfj2-hcw8"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-vrm6-8vpv-qv8q"
},
{
"type": "WEB",
"url": "https://osv.dev/vulnerability/ghsa-w7fw-mjwx-w883"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-64756"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1525"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1526"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1527"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1528"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2229"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2327"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23745"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2391"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24842"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25128"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25547"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2581"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26278"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27601"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27903"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27904"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28292"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29786"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31802"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-32141"
},
{
"type": "WEB",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
}
],
"related": [],
"schema_version": "1.7.3",
"summary": "Security fixes for CVE-2025-64756, CVE-2025-69873, CVE-2026-1525, CVE-2026-1526, CVE-2026-1527, CVE-2026-1528, CVE-2026-2229, CVE-2026-2327, CVE-2026-23745, CVE-2026-2391, CVE-2026-24842, CVE-2026-25128, CVE-2026-25547, CVE-2026-2581, CVE-2026-25896, CVE-2026-26278, CVE-2026-26960, CVE-2026-27601, CVE-2026-27903, CVE-2026-27904, CVE-2026-27942, CVE-2026-28292, CVE-2026-29786, CVE-2026-31802, CVE-2026-32141, CVE-2026-33036, ghsa-23c5-xmqv-rm74, ghsa-25h7-pfq9-p65f, ghsa-2g4f-4pwh-qvx6, ghsa-2mjp-6q6p-2qxm, ghsa-34x7-hfp2-rc4v, ghsa-37qj-frw5-hhjh, ghsa-38c4-r59v-3vqw, ghsa-3ppc-4f35-3m26, ghsa-4992-7rv2-5pvq, ghsa-5j98-mcp5-4vw2, ghsa-73rr-hh4g-fpgx, ghsa-7h2j-956f-4vf2, ghsa-7r86-cg39-jmmj, ghsa-83g3-92jg-28cx, ghsa-8gc5-j5rx-235r, ghsa-8qq5-rm4j-mr97, ghsa-8wc6-vgrq-x6cf, ghsa-9ppj-qmqm-q256, ghsa-f269-vfmq-vjvj, ghsa-fj3w-jwp8-x2g3, ghsa-jmr7-xgp7-cmfj, ghsa-m7jm-9gc2-mpf2, ghsa-phc3-fgpg-7m6h, ghsa-qffp-2rhf-9h96, ghsa-qpx9-hpmf-5gmw, ghsa-r275-fr43-pm7q, ghsa-r6q2-hw4h-h46w, ghsa-v9p9-hfj2-hcw8, ghsa-vrm6-8vpv-qv8q, ghsa-w7fw-mjwx-w883 applied in versions: 43.4.4-r0",
"upstream": [
"CVE-2025-64756",
"CVE-2025-69873",
"CVE-2026-1525",
"CVE-2026-1526",
"CVE-2026-1527",
"CVE-2026-1528",
"CVE-2026-2229",
"CVE-2026-2327",
"CVE-2026-23745",
"CVE-2026-2391",
"CVE-2026-24842",
"CVE-2026-25128",
"CVE-2026-25547",
"CVE-2026-2581",
"CVE-2026-25896",
"CVE-2026-26278",
"CVE-2026-26960",
"CVE-2026-27601",
"CVE-2026-27903",
"CVE-2026-27904",
"CVE-2026-27942",
"CVE-2026-28292",
"CVE-2026-29786",
"CVE-2026-31802",
"CVE-2026-32141",
"CVE-2026-33036",
"ghsa-23c5-xmqv-rm74",
"ghsa-25h7-pfq9-p65f",
"ghsa-2g4f-4pwh-qvx6",
"ghsa-2mjp-6q6p-2qxm",
"ghsa-34x7-hfp2-rc4v",
"ghsa-37qj-frw5-hhjh",
"ghsa-38c4-r59v-3vqw",
"ghsa-3ppc-4f35-3m26",
"ghsa-4992-7rv2-5pvq",
"ghsa-5j98-mcp5-4vw2",
"ghsa-73rr-hh4g-fpgx",
"ghsa-7h2j-956f-4vf2",
"ghsa-7r86-cg39-jmmj",
"ghsa-83g3-92jg-28cx",
"ghsa-8gc5-j5rx-235r",
"ghsa-8qq5-rm4j-mr97",
"ghsa-8wc6-vgrq-x6cf",
"ghsa-9ppj-qmqm-q256",
"ghsa-f269-vfmq-vjvj",
"ghsa-fj3w-jwp8-x2g3",
"ghsa-jmr7-xgp7-cmfj",
"ghsa-m7jm-9gc2-mpf2",
"ghsa-phc3-fgpg-7m6h",
"ghsa-qffp-2rhf-9h96",
"ghsa-qpx9-hpmf-5gmw",
"ghsa-r275-fr43-pm7q",
"ghsa-r6q2-hw4h-h46w",
"ghsa-v9p9-hfj2-hcw8",
"ghsa-vrm6-8vpv-qv8q",
"ghsa-w7fw-mjwx-w883"
]
}
FKIE_CVE-2026-33036
Vulnerability from fkie_nvd - Published: 2026-03-20 06:16 - Updated: 2026-03-23 16:28
Severity
Summary
fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (&#NNN;, &#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like A can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process—even when developers have configured strict limits. This issue has been fixed in version 5.5.6.
References
| URL | Tags | ||
|---|---|---|---|
| security-advisories@github.com | https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01 | Patch | |
| security-advisories@github.com | https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6 | Product, Release Notes | |
| security-advisories@github.com | https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r | Exploit, Mitigation, Vendor Advisory |
Impacted products
| Vendor | Product | Version | |
|---|---|---|---|
| naturalintelligence | fast-xml-parser | * | |
| naturalintelligence | fast-xml-parser | 4.0.0 | |
| naturalintelligence | fast-xml-parser | 4.0.0 | |
| naturalintelligence | fast-xml-parser | 4.0.0 | |
| naturalintelligence | fast-xml-parser | 4.0.0 | |
| naturalintelligence | fast-xml-parser | 4.0.0 | |
| naturalintelligence | fast-xml-parser | 4.0.0 | |
| naturalintelligence | fast-xml-parser | 4.0.0 |
{
"configurations": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:*:*:*:*:*:*:*:*",
"matchCriteriaId": "AB9177BC-BACD-4367-9063-398ACE2AB4A7",
"versionEndExcluding": "5.5.6",
"versionStartIncluding": "4.0.1",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:-:*:*:*:*:*:*",
"matchCriteriaId": "2398B145-2ED8-4197-8838-FAE7AD7666E7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta3:*:*:*:*:*:*",
"matchCriteriaId": "44B6C4BE-69F4-4651-80EE-055D1F99F7EF",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta4:*:*:*:*:*:*",
"matchCriteriaId": "4B32E8C4-15A7-466D-98A7-9EDD6B45F883",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta5:*:*:*:*:*:*",
"matchCriteriaId": "23CDA792-75FA-48A7-8577-4266A0BFB3A7",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta6:*:*:*:*:*:*",
"matchCriteriaId": "D4B7FD7D-0059-4D5B-898D-539AB43AA24A",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta7:*:*:*:*:*:*",
"matchCriteriaId": "42844DDE-AD5B-4684-8104-1C2D133C6098",
"vulnerable": true
},
{
"criteria": "cpe:2.3:a:naturalintelligence:fast-xml-parser:4.0.0:beta8:*:*:*:*:*:*",
"matchCriteriaId": "C045B7F2-16A9-47C9-B08D-71847A940B93",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"cveTags": [],
"descriptions": [
{
"lang": "en",
"value": "fast-xml-parser allows users to process XML from JS object without C/C++ based libraries or callbacks. Versions 4.0.0-beta.3 through 5.5.5 contain a bypass vulnerability where numeric character references (\u0026#NNN;, \u0026#xHH;) and standard XML entities completely evade the entity expansion limits (e.g., maxTotalExpansions, maxExpandedLength) added to fix CVE-2026-26278, enabling XML entity expansion Denial of Service. The root cause is that replaceEntitiesValue() in OrderedObjParser.js only enforces expansion counting on DOCTYPE-defined entities while the lastEntities loop handling numeric/standard entities performs no counting at all. An attacker supplying 1M numeric entity references like \u0026#65; can force ~147MB of memory allocation and heavy CPU usage, potentially crashing the process\u2014even when developers have configured strict limits. This issue has been fixed in version 5.5.6."
},
{
"lang": "es",
"value": "fast-xml-parser permite a los usuarios procesar XML desde objetos JS sin bibliotecas basadas en C/C++ ni callbacks. Las versiones 4.0.0-beta.3 hasta la 5.5.5 contienen una vulnerabilidad de bypass donde las referencias de caracteres num\u00e9ricos (\u0026amp;#NNN;, \u0026amp;#xHH;) y las entidades XML est\u00e1ndar evaden completamente los l\u00edmites de expansi\u00f3n de entidades (p. ej., maxTotalExpansions, maxExpandedLength) a\u00f1adidos para corregir CVE-2026-26278, lo que permite la denegaci\u00f3n de servicio por expansi\u00f3n de entidades XML. La causa ra\u00edz es que replaceEntitiesValue() en OrderedObjParser.js solo aplica el conteo de expansi\u00f3n en entidades definidas en DOCTYPE, mientras que el bucle lastEntities que maneja las entidades num\u00e9ricas/est\u00e1ndar no realiza ning\u00fan conteo. Un atacante que suministre 1M de referencias de entidades num\u00e9ricas como A puede forzar una asignaci\u00f3n de memoria de ~147MB y un uso intensivo de CPU, lo que podr\u00eda bloquear el proceso, incluso cuando los desarrolladores han configurado l\u00edmites estrictos. Este problema ha sido corregido en la versi\u00f3n 5.5.6."
}
],
"id": "CVE-2026-33036",
"lastModified": "2026-03-23T16:28:10.930",
"metrics": {
"cvssMetricV31": [
{
"cvssData": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 7.5,
"baseSeverity": "HIGH",
"confidentialityImpact": "NONE",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"version": "3.1"
},
"exploitabilityScore": 3.9,
"impactScore": 3.6,
"source": "security-advisories@github.com",
"type": "Secondary"
}
]
},
"published": "2026-03-20T06:16:11.630",
"references": [
{
"source": "security-advisories@github.com",
"tags": [
"Patch"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
},
{
"source": "security-advisories@github.com",
"tags": [
"Product",
"Release Notes"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
},
{
"source": "security-advisories@github.com",
"tags": [
"Exploit",
"Mitigation",
"Vendor Advisory"
],
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
}
],
"sourceIdentifier": "security-advisories@github.com",
"vulnStatus": "Analyzed",
"weaknesses": [
{
"description": [
{
"lang": "en",
"value": "CWE-776"
}
],
"source": "security-advisories@github.com",
"type": "Primary"
}
]
}
GHSA-8GC5-J5RX-235R
Vulnerability from github – Published: 2026-03-17 19:45 – Updated: 2026-03-25 14:31
VLAI
Summary
fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)
Details
Summary
The fix for CVE-2026-26278 added entity expansion limits (maxTotalExpansions, maxExpandedLength, maxEntityCount, maxEntitySize) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. Numeric character references (&#NNN; and &#xHH;) and standard XML entities (<, >, etc.) are processed through a separate code path that does NOT enforce any expansion limits.
An attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.
Affected Versions
fast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)
Root Cause
In src/xmlparser/OrderedObjParser.js, the replaceEntitiesValue() function has two separate entity replacement loops:
- Lines 638-670: DOCTYPE entities — expansion counting with
entityExpansionCountandcurrentExpandedLengthtracking. This was the CVE-2026-26278 fix. - Lines 674-677:
lastEntitiesloop — replaces standard entities includingnum_dec(/&#([0-9]{1,7});/g) andnum_hex(/&#x([0-9a-fA-F]{1,6});/g). This loop has NO expansion counting at all.
The numeric entity regex replacements at lines 97-98 are part of lastEntities and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.
Proof of Concept
const { XMLParser } = require('fast-xml-parser');
// Even with strict explicit limits, numeric entities bypass them
const parser = new XMLParser({
processEntities: {
enabled: true,
maxTotalExpansions: 10,
maxExpandedLength: 100,
maxEntityCount: 1,
maxEntitySize: 10
}
});
// 100K numeric entity references — should be blocked by maxTotalExpansions=10
const xml = `<root>${'A'.repeat(100000)}</root>`;
const result = parser.parse(xml);
// Output: 500,000 chars — bypasses maxExpandedLength=100 completely
console.log('Output length:', result.root.length); // 500000
console.log('Expected max:', 100); // limit was 100
Results:
- 100K A references → 500,000 char output (5x default maxExpandedLength of 100,000)
- 1M references → 5,000,000 char output, ~147MB memory consumed
- Even with maxTotalExpansions=10 and maxExpandedLength=100, 10K references produce 50,000 chars
- Hex entities (A) exhibit the same bypass
Impact
Denial of Service — An attacker who can provide XML input to applications using fast-xml-parser can cause: - Excessive memory allocation (147MB+ for 1M entity references) - CPU consumption during regex replacement - Potential process crash via OOM
This is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.
Suggested Fix
Apply the same entityExpansionCount and currentExpandedLength tracking to the lastEntities loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.
Workaround
Set htmlEntities:false
Severity
7.5 (High)
{
"affected": [
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "5.0.0"
},
{
"fixed": "5.5.6"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "npm",
"name": "fast-xml-parser"
},
"ranges": [
{
"events": [
{
"introduced": "4.0.0-beta.3"
},
{
"fixed": "4.5.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33036"
],
"database_specific": {
"cwe_ids": [
"CWE-776"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-17T19:45:41Z",
"nvd_published_at": "2026-03-20T06:16:11Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThe fix for CVE-2026-26278 added entity expansion limits (`maxTotalExpansions`, `maxExpandedLength`, `maxEntityCount`, `maxEntitySize`) to prevent XML entity expansion Denial of Service. However, these limits are only enforced for DOCTYPE-defined entities. **Numeric character references** (`\u0026#NNN;` and `\u0026#xHH;`) and standard XML entities (`\u0026lt;`, `\u0026gt;`, etc.) are processed through a separate code path that does NOT enforce any expansion limits.\n\nAn attacker can use massive numbers of numeric entity references to completely bypass all configured limits, causing excessive memory allocation and CPU consumption.\n\n## Affected Versions\n\nfast-xml-parser v5.x through v5.5.3 (and likely v5.5.5 on npm)\n\n## Root Cause\n\nIn `src/xmlparser/OrderedObjParser.js`, the `replaceEntitiesValue()` function has two separate entity replacement loops:\n\n1. **Lines 638-670**: DOCTYPE entities \u2014 expansion counting with `entityExpansionCount` and `currentExpandedLength` tracking. This was the CVE-2026-26278 fix.\n2. **Lines 674-677**: `lastEntities` loop \u2014 replaces standard entities including `num_dec` (`/\u0026#([0-9]{1,7});/g`) and `num_hex` (`/\u0026#x([0-9a-fA-F]{1,6});/g`). **This loop has NO expansion counting at all.**\n\nThe numeric entity regex replacements at lines 97-98 are part of `lastEntities` and go through the uncounted loop, completely bypassing the CVE-2026-26278 fix.\n\n## Proof of Concept\n\n```javascript\nconst { XMLParser } = require(\u0027fast-xml-parser\u0027);\n\n// Even with strict explicit limits, numeric entities bypass them\nconst parser = new XMLParser({\n processEntities: {\n enabled: true,\n maxTotalExpansions: 10,\n maxExpandedLength: 100,\n maxEntityCount: 1,\n maxEntitySize: 10\n }\n});\n\n// 100K numeric entity references \u2014 should be blocked by maxTotalExpansions=10\nconst xml = `\u003croot\u003e${\u0027\u0026#65;\u0027.repeat(100000)}\u003c/root\u003e`;\nconst result = parser.parse(xml);\n\n// Output: 500,000 chars \u2014 bypasses maxExpandedLength=100 completely\nconsole.log(\u0027Output length:\u0027, result.root.length); // 500000\nconsole.log(\u0027Expected max:\u0027, 100); // limit was 100\n```\n\n**Results:**\n- 100K `\u0026#65;` references \u2192 500,000 char output (5x default maxExpandedLength of 100,000)\n- 1M references \u2192 5,000,000 char output, ~147MB memory consumed\n- Even with `maxTotalExpansions=10` and `maxExpandedLength=100`, 10K references produce 50,000 chars\n- Hex entities (`\u0026#x41;`) exhibit the same bypass\n\n## Impact\n\n**Denial of Service** \u2014 An attacker who can provide XML input to applications using fast-xml-parser can cause:\n- Excessive memory allocation (147MB+ for 1M entity references)\n- CPU consumption during regex replacement\n- Potential process crash via OOM\n\nThis is particularly dangerous because the application developer may have explicitly configured strict entity expansion limits believing they are protected, while numeric entities silently bypass all of them.\n\n## Suggested Fix\n\nApply the same `entityExpansionCount` and `currentExpandedLength` tracking to the `lastEntities` loop (lines 674-677) and the HTML entities loop (lines 680-686), similar to how DOCTYPE entities are tracked at lines 638-670.\n\n## Workaround\n\nSet `htmlEntities:false`",
"id": "GHSA-8gc5-j5rx-235r",
"modified": "2026-03-25T14:31:39Z",
"published": "2026-03-17T19:45:41Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-8gc5-j5rx-235r"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33036"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/bd26122c838e6a55e7d7ac49b4ccc01a49999a01"
},
{
"type": "PACKAGE",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v4.5.5"
},
{
"type": "WEB",
"url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.5.6"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H",
"type": "CVSS_V3"
}
],
"summary": "fast-xml-parser affected by numeric entity expansion bypassing all entity expansion limits (incomplete fix for CVE-2026-26278)"
}
Loading…
Trend slope:
-
(linear fit over daily sighting counts)
Show additional events:
Loading…
Experimental. This forecast is provided for visualization only and may change without notice. Do not use it for operational decisions.
Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.
Loading…
Loading…