Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 80ad438b5359 · 2026-03-12T17:40:16.000Z
GHSA-hvwj-8w5g-28rg GHSA-jx93-g359-86wm GHSA-r8jr-wg88-fq5c GHSA-rgq9-fqf5-fv58 GHSA-jx93-g359-86wm GHSA-r8jr-wg88-fq5c
diff --git a/advisories/github-reviewed/2026/03/GHSA-hvwj-8w5g-28rg/GHSA-hvwj-8w5g-28rg.json b/advisories/github-reviewed/2026/03/GHSA-hvwj-8w5g-28rg/GHSA-hvwj-8w5g-28rg.json
@@ -1,19 +1,49 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hvwj-8w5g-28rg",
-  "modified": "2026-03-12T12:30:29Z",
+  "modified": "2026-03-12T17:39:04Z",
   "published": "2026-03-12T12:30:29Z",
   "aliases": [
     "CVE-2026-3989"
   ],
+  "summary": "SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization",
   "details": "SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "sglang"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.5.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3989"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sgl-project/sglang"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/sgl-project/sglang/blob/main/scripts/playground/replay_request_dump.py"
@@ -24,10 +54,12 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-12T17:39:04Z",
     "nvd_published_at": "2026-03-12T12:15:59Z"
   }
 }
diff --git a/advisories/github-reviewed/2026/03/GHSA-jx93-g359-86wm/GHSA-jx93-g359-86wm.json b/advisories/github-reviewed/2026/03/GHSA-jx93-g359-86wm/GHSA-jx93-g359-86wm.json
@@ -0,0 +1,65 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jx93-g359-86wm",
+  "modified": "2026-03-12T17:38:54Z",
+  "published": "2026-03-12T12:30:29Z",
+  "aliases": [
+    "CVE-2026-3060"
+  ],
+  "summary": "SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module",
+  "details": "SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated remote code execution through the disaggregation module, which deserializes untrusted data using pickle.loads() without authentication.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "sglang"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.5.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3060"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sgl-project/sglang"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/sgl-project/sglang/blob/main/python/sglang/srt/disaggregation/encode_receiver.py"
+    },
+    {
+      "type": "WEB",
+      "url": "https://orca.security/resources/blog/sglang-llm-framework-rce-vulnerabilities"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-502"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-12T17:38:54Z",
+    "nvd_published_at": "2026-03-12T12:15:59Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-r8jr-wg88-fq5c/GHSA-r8jr-wg88-fq5c.json b/advisories/github-reviewed/2026/03/GHSA-r8jr-wg88-fq5c/GHSA-r8jr-wg88-fq5c.json
@@ -0,0 +1,88 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r8jr-wg88-fq5c",
+  "modified": "2026-03-12T17:38:28Z",
+  "published": "2026-03-12T12:30:29Z",
+  "aliases": [
+    "CVE-2026-2366"
+  ],
+  "summary": "Keycloak vulnerable to authorization bypass via the Admin API",
+  "details": "A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's unique identifier (UUID) and the Organizations feature is enabled.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "@keycloak/keycloak-admin-client"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.5.5"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.keycloak:keycloak-js-admin-client"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "26.5.5"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2366"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/keycloak/keycloak/issues/47062"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-2366"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2439081"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keycloak/keycloak"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-639"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-12T17:38:28Z",
+    "nvd_published_at": "2026-03-12T11:15:55Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/03/GHSA-rgq9-fqf5-fv58/GHSA-rgq9-fqf5-fv58.json b/advisories/github-reviewed/2026/03/GHSA-rgq9-fqf5-fv58/GHSA-rgq9-fqf5-fv58.json
@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rgq9-fqf5-fv58",
-  "modified": "2026-03-12T15:30:25Z",
+  "modified": "2026-03-12T17:38:58Z",
   "published": "2026-03-12T12:30:29Z",
   "aliases": [
     "CVE-2026-3059"
   ],
+  "summary": "SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker",
   "details": "SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads() without authentication.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "sglang"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "0.5.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "WEB",
@@ -23,6 +44,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3059"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/sgl-project/sglang"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/sgl-project/sglang/blob/main/python/sglang/multimodal_gen/runtime/scheduler_client.py"
@@ -37,8 +62,8 @@
       "CWE-502"
     ],
     "severity": "CRITICAL",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-03-12T17:38:58Z",
     "nvd_published_at": "2026-03-12T12:15:59Z"
   }
 }
diff --git a/advisories/unreviewed/2026/03/GHSA-jx93-g359-86wm/GHSA-jx93-g359-86wm.json b/advisories/unreviewed/2026/03/GHSA-jx93-g359-86wm/GHSA-jx93-g359-86wm.json
diff --git a/advisories/unreviewed/2026/03/GHSA-r8jr-wg88-fq5c/GHSA-r8jr-wg88-fq5c.json b/advisories/unreviewed/2026/03/GHSA-r8jr-wg88-fq5c/GHSA-r8jr-wg88-fq5c.json
