From 575cfcd8eae406d891e7351f936a63419f84d6e5 Mon Sep 17 00:00:00 2001
From: Daniel Rose <danrose@gmx.de>
Date: Fri, 24 Apr 2026 10:34:07 +0200
Subject: [PATCH 1/2] fix: use non-vulnerable version of
 Microsoft.AspNetCore.DataProtection

CVE-2026-40372: versions prior to 10.0.7 are vulnerable
---
 Directory.Build.props | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index c998b1454..eada57c7e 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -125,7 +125,8 @@
     <MicrosoftAspNetCoreAuthenticationOpenIdConnectVersion>$(AspNetCoreTenRuntimeVersion)</MicrosoftAspNetCoreAuthenticationOpenIdConnectVersion>
     <MicrosoftExtensionsCachingMemoryVersion>$(NetTenRuntimeVersion)</MicrosoftExtensionsCachingMemoryVersion>
     <MicrosoftExtensionsHostingVersion>$(NetTenRuntimeVersion)</MicrosoftExtensionsHostingVersion>
-    <MicrosoftAspNetCoreDataProtectionVersion>$(AspNetCoreTenRuntimeVersion)</MicrosoftAspNetCoreDataProtectionVersion>
+    <!--CVE: GHSA-9mv3-2cwr-p262-->
+    <MicrosoftAspNetCoreDataProtectionVersion>10.0.7</MicrosoftAspNetCoreDataProtectionVersion>
     <SystemSecurityCryptographyPkcsVersion>$(SystemSecurityCryptographyServicingVersion)</SystemSecurityCryptographyPkcsVersion>
     <SystemSecurityCryptographyXmlVersion>$(SystemSecurityCryptographyServicingVersion)</SystemSecurityCryptographyXmlVersion>
     <MicrosoftExtensionsLoggingVersion>$(NetTenRuntimeVersion)</MicrosoftExtensionsLoggingVersion>

From 24dd8f9889d56460571ea181d5b1f4d1f3a87f7d Mon Sep 17 00:00:00 2001
From: Daniel Rose <danrose@gmx.de>
Date: Fri, 24 Apr 2026 14:28:02 +0200
Subject: [PATCH 2/2] fix: bump System.Security.Cryptography packages to 10.0.7

Needed to match the version of Microsoft.AspNetCore.DataProtection.
---
 Directory.Build.props | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Directory.Build.props b/Directory.Build.props
index eada57c7e..711e84100 100644
--- a/Directory.Build.props
+++ b/Directory.Build.props
@@ -120,7 +120,7 @@
     <NetTenRuntimeVersion>10.0.0</NetTenRuntimeVersion>
     <AspNetCoreTenRuntimeVersion>10.0.0</AspNetCoreTenRuntimeVersion>
     <!--CVE: GHSA-37gx-xxp4-5rgx, GHSA-w3x6-4m5h-cxqf-->
-    <SystemSecurityCryptographyServicingVersion>10.0.6</SystemSecurityCryptographyServicingVersion>
+    <SystemSecurityCryptographyServicingVersion>10.0.7</SystemSecurityCryptographyServicingVersion>
     <MicrosoftAspNetCoreAuthenticationJwtBearerVersion>$(AspNetCoreTenRuntimeVersion)</MicrosoftAspNetCoreAuthenticationJwtBearerVersion>
     <MicrosoftAspNetCoreAuthenticationOpenIdConnectVersion>$(AspNetCoreTenRuntimeVersion)</MicrosoftAspNetCoreAuthenticationOpenIdConnectVersion>
     <MicrosoftExtensionsCachingMemoryVersion>$(NetTenRuntimeVersion)</MicrosoftExtensionsCachingMemoryVersion>