Publish Advisories

GHSA-2vrm-gr82-f7m5
GHSA-7xxh-373w-35vg
GHSA-hcc4-c3v8-rx92

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-2vrm-gr82-f7m5/GHSA-2vrm-gr82-f7m5.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2vrm-gr82-f7m5",
+  "modified": "2026-04-01T21:20:06Z",
+  "published": "2026-04-01T21:20:06Z",
+  "aliases": [
+    "CVE-2026-34514"
+  ],
+  "summary": "AIOHTTP has CRLF injection through multipart part content type header construction",
+  "details": "### Summary\n\nAn attacker who controls the `content_type` parameter in aiohttp could use this to inject extra headers or similar exploits.\n\n### Impact\n\nIf an application allows untrusted data to be used for the multipart `content_type` parameter when constructing a request, an attacker may be able to manipulate the request to send something other than what the developer intended.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "aiohttp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.13.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.13.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-2vrm-gr82-f7m5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/aio-libs/aiohttp/commit/9a6ada97e2c6cf1ce31727c6c9fcea17c21f6f06"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/aio-libs/aiohttp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-113"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T21:20:06Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-7xxh-373w-35vg/GHSA-7xxh-373w-35vg.json

@@ -0,0 +1,57 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7xxh-373w-35vg",
+  "modified": "2026-04-01T21:19:03Z",
+  "published": "2026-04-01T21:19:03Z",
+  "aliases": [
+    "CVE-2026-34747"
+  ],
+  "summary": "Payload has an SQL Injection via Query Handling",
+  "details": "### Impact\n\nCertain request inputs were not properly validated. An attacker could craft requests that influence SQL query execution, potentially exposing or modifying data in collections.\n\n### Patches\n\nThis issue has been fixed in **v3.79.1** and later. Query input validation has been hardened.\n\nUpgrade to **v3.79.1 or later**.\n\n### Workarounds\n\nUntil developers can upgrade:\n\n- Limit access to endpoints that accept dynamic query inputs to trusted users only.  \n- Validate or sanitize input from untrusted clients before sending it to query endpoints.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "payload"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.79.1"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/payloadcms/payload/security/advisories/GHSA-7xxh-373w-35vg"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/payloadcms/payload"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T21:19:03Z",
+    "nvd_published_at": null
+  }
+}

advisories/github-reviewed/2026/04/GHSA-hcc4-c3v8-rx92/GHSA-hcc4-c3v8-rx92.json

@@ -0,0 +1,64 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hcc4-c3v8-rx92",
+  "modified": "2026-04-01T21:19:22Z",
+  "published": "2026-04-01T21:19:22Z",
+  "aliases": [
+    "CVE-2026-34513"
+  ],
+  "summary": "AIOHTTP Affected by Denial of Service (DoS) via Unbounded DNS Cache in TCPConnector",
+  "details": "### Summary\n\nAn unbounded DNS cache could result in excessive memory usage possibly resulting in a DoS situation.\n\n### Impact\n\nIf an application makes requests to a very large number of hosts, this could cause the DNS cache to continue growing and slowly use excessive amounts of memory.\n\n-----\n\nPatch: https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "aiohttp"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.13.4"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.13.3"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/aio-libs/aiohttp/security/advisories/GHSA-hcc4-c3v8-rx92"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/aio-libs/aiohttp/commit/c4d77c3533122be353b8afca8e8675e3b4cbda98"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/aio-libs/aiohttp"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-770"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-01T21:19:22Z",
+    "nvd_published_at": null
+  }
+}