Sync Collecting Fix Commits: Fri Jun 5 08:21:02 UTC 2026

aboutcode-automation · aboutcode-automation · commit 793a933fc2ac · 2026-06-05T08:21:02.000Z
Signed-off-by: AboutCode Automation &lt;automation@aboutcode.org&gt;
diff --git a/data/fix-commits/advisory-database-b78f1d41.json b/data/fix-commits/advisory-database-b78f1d41.json
@@ -1,6 +1,9 @@
 {
   "vcs_url": "https://github.com/github/advisory-database",
   "vulnerabilities": {
+    "GHSA-3MQG-485V-X9G7": {
+      "df946d7c6a3aac3107866356844452717eb163be": "Publish GHSA-3mqg-485v-x9g7"
+    },
     "GHSA-XP6R-8PCC-XV5P": {
       "0cad4e91b6be43f5595c1f3ff922f8e6c1b36dcf": "Publish GHSA-xp6r-8pcc-xv5p"
     },
diff --git a/data/fix-commits/bc-java-fd129cd9.json b/data/fix-commits/bc-java-fd129cd9.json
@@ -1,6 +1,9 @@
 {
   "vcs_url": "https://github.com/bcgit/bc-java",
   "vulnerabilities": {
+    "CVE-2026-5588": {
+      "6d9da1b13c466e840408d953116c46c6afdb9cc2": "Reject composite signatures missing or with extra components in CompositeVerifier (CVE-2026-5588 follow-up): require one component per key so a signature stripped to a verifying prefix no longer validates"
+    },
     "CVE-2018-5382": {
       "c014f78b148685527c5646b1204cd7f595005afa": "updates from FIPS API\nadded ref to CVE-2018-5382 in releasenotes.",
       "4534f41ab3ce581d1bb69d64276ab60d0df49a7e": "updates from FIPS API\nadded ref to CVE-2018-5382 in releasenotes.",
diff --git a/data/fix-commits/imagemagick-b15feb65.json b/data/fix-commits/imagemagick-b15feb65.json
@@ -1,6 +1,15 @@
 {
   "vcs_url": "https://github.com/imagemagick/imagemagick",
   "vulnerabilities": {
+    "GHSA-J8RH-V2R8-V94X": {
+      "b535126ba5abf23f2693e62ed79f10277d938cf4": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-j8rh-v2r8-v94x"
+    },
+    "GHSA-7C7M-FPJW-GWCQ": {
+      "174275bc1b53e2f23bbff7cd013dc9faa8a99c5a": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-7c7m-fpjw-gwcq"
+    },
+    "GHSA-6VXP-GFWF-HCR9": {
+      "f3ff3afee942a19e3041568bfa740d48213a3dec": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-6vxp-gfwf-hcr9"
+    },
     "GHSA-C8R2-MC3P-4F8J": {
       "fe20c950a7ee8b965a9a061ac97d695bcb308d63": "https://github.com/ImageMagick/ImageMagick/security/advisories/GHSA-c8r2-mc3p-4f8j"
     },
diff --git a/data/fix-commits/neovim-ab74b3b5.json b/data/fix-commits/neovim-ab74b3b5.json
@@ -1,6 +1,9 @@
 {
   "vcs_url": "https://github.com/neovim/neovim",
   "vulnerabilities": {
+    "GHSA-65P9-MWWX-7468": {
+      "e887cfb3b564c2248d902d524a9616440057a87d": "vim-patch:9.2.0597: [security]: possible code execution with python complete (#40117)\n\nProblem:  [security]: another possible code execution with python complete\n          (David Carliez)\nSolution: Strip default expressions and annotations from generated\n          source for pythoncomplete and python3complete.\n\nGithub Security Advisory:\nhttps://github.com/vim/vim/security/advisories/GHSA-65p9-mwwx-7468\n\nhttps://github.com/vim/vim/commit/c8c63673bc4253212820626aeeb75999d9a539d2\n\nCo-authored-by: Christian Brabandt <cb@256bit.org>"
+    },
     "GHSA-52MC-RQ6P-RC7C": {
       "de8c2db57796a18d918def998526d68ae50c9ed0": "vim-patch:9.2.0561: [security]: possible code execution with python3complete\n\nProblem:  [security]: possible code execution with python3complete\nSolution: Disable execution of import/from statements\n\nGithub Security Advisory:\nhttps://github.com/vim/vim/security/advisories/GHSA-52mc-rq6p-rc7c\n\nhttps://github.com/vim/vim/commit/4b850457e12e1a678dd209f2868154f7553cbf8d\n\nCo-authored-by: Christian Brabandt <cb@256bit.org>"
     },
diff --git a/data/fix-commits/nixpkgs-97436190.json b/data/fix-commits/nixpkgs-97436190.json
@@ -1,36 +1,41 @@
 {
   "vcs_url": "https://github.com/nixos/nixpkgs",
   "vulnerabilities": {
-    "GHSA-VCC4-2C75-VC9V": {
-      "96d8886cd7065323c5c85179e1a0bf3226452f7f": "caddy: 2.11.3 -> 2.11.4\n\nhttps://github.com/caddyserver/caddy/releases/tag/v2.11.4\n\nFixes: GHSA-vcc4-2c75-vc9v (https://github.com/caddyserver/caddy/pull/7785)\n(cherry picked from commit e7e7984e947e6f41ceae21727cd74aa5fa269648)",
-      "27259aeb2271c8301a741c7c0aeaff6ab15aff1a": "caddy: 2.11.3 -> 2.11.4\n\nhttps://github.com/caddyserver/caddy/releases/tag/v2.11.4\n\nFixes: GHSA-vcc4-2c75-vc9v (https://github.com/caddyserver/caddy/pull/7785)\n(cherry picked from commit e7e7984e947e6f41ceae21727cd74aa5fa269648)",
-      "e7e7984e947e6f41ceae21727cd74aa5fa269648": "caddy: 2.11.3 -> 2.11.4\n\nhttps://github.com/caddyserver/caddy/releases/tag/v2.11.4\n\nFixes: GHSA-vcc4-2c75-vc9v (https://github.com/caddyserver/caddy/pull/7785)"
-    },
     "CVE-2026-6873": {
+      "ac986b65d9eff37f2168d2817564780263e27337": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 2dc12f9e904942f8f5ef9baf5263caddf40f347a)",
       "32ff989879ca372003d44ee8421d81f3353c8ac0": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 3b5d44bff532312e311282d9768c5204fc8d601a)",
       "3b5d44bff532312e311282d9768c5204fc8d601a": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587",
       "2dc12f9e904942f8f5ef9baf5263caddf40f347a": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587"
     },
     "CVE-2026-7666": {
+      "ac986b65d9eff37f2168d2817564780263e27337": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 2dc12f9e904942f8f5ef9baf5263caddf40f347a)",
       "32ff989879ca372003d44ee8421d81f3353c8ac0": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 3b5d44bff532312e311282d9768c5204fc8d601a)",
       "3b5d44bff532312e311282d9768c5204fc8d601a": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587",
       "2dc12f9e904942f8f5ef9baf5263caddf40f347a": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587"
     },
     "CVE-2026-8404": {
+      "ac986b65d9eff37f2168d2817564780263e27337": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 2dc12f9e904942f8f5ef9baf5263caddf40f347a)",
       "32ff989879ca372003d44ee8421d81f3353c8ac0": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 3b5d44bff532312e311282d9768c5204fc8d601a)",
       "3b5d44bff532312e311282d9768c5204fc8d601a": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587",
       "2dc12f9e904942f8f5ef9baf5263caddf40f347a": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587"
     },
     "CVE-2026-35193": {
+      "ac986b65d9eff37f2168d2817564780263e27337": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 2dc12f9e904942f8f5ef9baf5263caddf40f347a)",
       "32ff989879ca372003d44ee8421d81f3353c8ac0": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 3b5d44bff532312e311282d9768c5204fc8d601a)",
       "3b5d44bff532312e311282d9768c5204fc8d601a": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587",
       "2dc12f9e904942f8f5ef9baf5263caddf40f347a": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587"
     },
     "CVE-2026-48587": {
+      "ac986b65d9eff37f2168d2817564780263e27337": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 2dc12f9e904942f8f5ef9baf5263caddf40f347a)",
       "32ff989879ca372003d44ee8421d81f3353c8ac0": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587\n\n(cherry picked from commit 3b5d44bff532312e311282d9768c5204fc8d601a)",
       "3b5d44bff532312e311282d9768c5204fc8d601a": "python3Packages.django_5: 5.2.14 -> 5.2.15\n\nhttps://docs.djangoproject.com/en/5.2/releases/5.2.15/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587",
       "2dc12f9e904942f8f5ef9baf5263caddf40f347a": "python3Packages.django_6: 6.0.5 -> 6.0.6\n\nhttps://docs.djangoproject.com/en/6.0/releases/6.0.6/\nhttps://www.djangoproject.com/weblog/2026/jun/03/security-releases/\n\nFixes:\nCVE-2026-6873, CVE-2026-7666, CVE-2026-8404, CVE-2026-35193,\nCVE-2026-48587"
     },
+    "GHSA-VCC4-2C75-VC9V": {
+      "96d8886cd7065323c5c85179e1a0bf3226452f7f": "caddy: 2.11.3 -> 2.11.4\n\nhttps://github.com/caddyserver/caddy/releases/tag/v2.11.4\n\nFixes: GHSA-vcc4-2c75-vc9v (https://github.com/caddyserver/caddy/pull/7785)\n(cherry picked from commit e7e7984e947e6f41ceae21727cd74aa5fa269648)",
+      "27259aeb2271c8301a741c7c0aeaff6ab15aff1a": "caddy: 2.11.3 -> 2.11.4\n\nhttps://github.com/caddyserver/caddy/releases/tag/v2.11.4\n\nFixes: GHSA-vcc4-2c75-vc9v (https://github.com/caddyserver/caddy/pull/7785)\n(cherry picked from commit e7e7984e947e6f41ceae21727cd74aa5fa269648)",
+      "e7e7984e947e6f41ceae21727cd74aa5fa269648": "caddy: 2.11.3 -> 2.11.4\n\nhttps://github.com/caddyserver/caddy/releases/tag/v2.11.4\n\nFixes: GHSA-vcc4-2c75-vc9v (https://github.com/caddyserver/caddy/pull/7785)"
+    },
     "CVE-2026-28847": {
       "79ac2b3e244b7ceb5bb9f31366a2f91158361b3a": "webkitgtk_6_0: 2.52.3 \u2192 2.52.4\n\nhttps://github.com/WebKit/WebKit/compare/webkitgtk-2.52.3...webkitgtk-2.52.4\nhttps://webkitgtk.org/2026/06/02/webkitgtk2.52.4-released.html\nhttps://webkitgtk.org/security/WSA-2026-0003.html\n\nCVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903,\nCVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946,\nCVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658,\nCVE-2026-43660\n\n(cherry picked from commit f66b70ac403fce30d6276cdb376dc27c3ed96f12)",
       "70becd4ad8b7d24e8da20b492103659858660ddb": "webkitgtk_6_0: 2.52.3 \u2192 2.52.4\n\nhttps://github.com/WebKit/WebKit/compare/webkitgtk-2.52.3...webkitgtk-2.52.4\nhttps://webkitgtk.org/2026/06/02/webkitgtk2.52.4-released.html\nhttps://webkitgtk.org/security/WSA-2026-0003.html\n\nCVE-2026-28847, CVE-2026-28883, CVE-2026-28901, CVE-2026-28902, CVE-2026-28903,\nCVE-2026-28904, CVE-2026-28905, CVE-2026-28907, CVE-2026-28942, CVE-2026-28946,\nCVE-2026-28947, CVE-2026-28953, CVE-2026-28955, CVE-2026-28958, CVE-2026-43658,\nCVE-2026-43660\n\n(cherry picked from commit f66b70ac403fce30d6276cdb376dc27c3ed96f12)",
diff --git a/data/fix-commits/qemu-0a8b25ef.json b/data/fix-commits/qemu-0a8b25ef.json
