Publish Advisories

GHSA-2238-xc5r-v9hj
GHSA-5339-hvwr-7582
GHSA-5wmx-573v-2qwq
GHSA-g5xx-pwrp-g3fv

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-2238-xc5r-v9hj/GHSA-2238-xc5r-v9hj.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2238-xc5r-v9hj",
-  "modified": "2026-03-12T17:50:28Z",
+  "modified": "2026-03-12T19:13:56Z",
   "published": "2026-03-12T17:50:28Z",
   "aliases": [
     "CVE-2026-24125"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/tinacms/tinacms/security/advisories/GHSA-2238-xc5r-v9hj"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24125"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/tinacms/tinacms"
@@ -55,6 +59,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-12T17:50:28Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-12T17:16:39Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-5339-hvwr-7582/GHSA-5339-hvwr-7582.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5339-hvwr-7582",
-  "modified": "2026-03-12T14:19:25Z",
+  "modified": "2026-03-12T19:14:29Z",
   "published": "2026-03-12T14:19:25Z",
   "aliases": [
     "CVE-2026-31873"
@@ -43,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/unjs/unhead/security/advisories/GHSA-5339-hvwr-7582"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31873"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/unjs/unhead"
@@ -59,6 +63,6 @@
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-12T14:19:25Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-12T18:16:24Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-5wmx-573v-2qwq/GHSA-5wmx-573v-2qwq.json

@@ -1,14 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-5wmx-573v-2qwq",
-  "modified": "2026-03-06T22:52:54Z",
+  "modified": "2026-03-12T19:13:40Z",
   "published": "2026-03-05T15:30:36Z",
   "aliases": [
     "CVE-2025-69534"
   ],
   "summary": "Python-Markdown has an Uncaught Exception",
   "details": "Python-Markdown version 3.8 contain a vulnerability where malformed HTML-like sequences can cause html.parser.HTMLParser to raise an unhandled AssertionError during Markdown parsing. Because Python-Markdown does not catch this exception, any application that processes attacker-controlled Markdown may crash. This enables remote, unauthenticated Denial of Service in web applications, documentation systems, CI/CD pipelines, and any service that renders untrusted Markdown. The issue was acknowledged by the vendor and fixed in version 3.8.1. This issue causes a remote Denial of Service in any application parsing untrusted Markdown, and can lead to Information Disclosure through uncaught exceptions.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P"
@@ -63,7 +67,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-248"
+      "CWE-248",
+      "CWE-400"
     ],
     "severity": "MODERATE",
     "github_reviewed": true,

advisories/github-reviewed/2026/03/GHSA-g5xx-pwrp-g3fv/GHSA-g5xx-pwrp-g3fv.json

@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g5xx-pwrp-g3fv",
-  "modified": "2026-03-12T14:19:15Z",
+  "modified": "2026-03-12T19:14:22Z",
   "published": "2026-03-12T14:19:15Z",
   "aliases": [
     "CVE-2026-31860"
   ],
   "summary": "Unhead has XSS bypass in `useHeadSafe` via attribute name injection and case-sensitive protocol check",
   "details": "## Summary\n\n`useHeadSafe()` can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered `<head>` tags. This is the composable that Nuxt docs recommend for safely handling user-generated content.\n\n## Details\n\n**XSS via `data-*` attribute name injection**\n\nThe `acceptDataAttrs` function (safe.ts, line 16-20) allows any property key starting with `data-` through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing.\n\n```typescript\nfunction acceptDataAttrs(value: Record<string, string>) {\n  return Object.fromEntries(\n    Object.entries(value || {}).filter(([key]) => key === 'id' || key.startsWith('data-')),\n  )\n}\n```\n\nThis result gets merged into every tag's props at line 114:\n\n```typescript\ntag.props = { ...acceptDataAttrs(prev), ...next }\n```\n\nThen `propsToString` (propsToString.ts, line 26) interpolates property keys directly into the HTML string with no sanitization:\n\n```typescript\nattrs += value === true ? ` ${key}` : ` ${key}=\"${encodeAttribute(value)}\"`\n```\n\nA space in the key breaks out of the attribute name. Everything after the space becomes separate HTML attributes.\n\n### PoC\n\nThe most practical vector uses a `link` tag. `<link rel=\"stylesheet\">` fires `onload` once the stylesheet loads, giving reliable script execution:\n\n```javascript\nuseHeadSafe({\n  link: [{\n    rel: 'stylesheet',\n    href: '/valid-stylesheet.css',\n    'data-x onload=alert(document.domain) y': 'z'\n  }]\n})\n```\n\nSSR output:\n\n```html\n<link data-x onload=alert(document.domain) y=\"z\" rel=\"stylesheet\" href=\"/valid-stylesheet.css\">\n```\n\nThe browser parses `onload=alert(document.domain)` as its own attribute. Once the stylesheet loads, the handler fires.\n\nThe same injection works on any tag type since `acceptDataAttrs` is applied to all of them at line 114. Here's the same thing on a `meta` tag (the injected attributes render, though `onclick` doesn't fire on non-interactive `<meta>` elements):\n\n```javascript\nuseHeadSafe({\n  meta: [{\n    name: 'description',\n    content: 'legitimate content',\n    'data-x onclick=alert(document.domain) y': 'z'\n  }]\n})\n```\n\n### Realistic scenario\n\nA Nuxt app accepts SEO metadata from a CMS or user profile. The developer uses `useHeadSafe()` as the docs recommend. An attacker puts a `data-*` key with spaces and an event handler into their input. The payload renders into the HTML on every page load.\n\n## Suggested fix\n\nFor vulnerability 1, validate that attribute names only contain characters legal in HTML attributes:\n\n```typescript\nconst SAFE_ATTR_RE = /^[a-zA-Z][a-zA-Z0-9\\-]*$/\n\nfunction acceptDataAttrs(value: Record<string, string>) {\n  return Object.fromEntries(\n    Object.entries(value || {}).filter(\n      ([key]) => (key === 'id' || key.startsWith('data-')) && SAFE_ATTR_RE.test(key)\n    ),\n  )\n}\n```",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -38,6 +43,10 @@
       "type": "WEB",
       "url": "https://github.com/unjs/unhead/security/advisories/GHSA-g5xx-pwrp-g3fv"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31860"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/unjs/unhead/commit/9ecc4f9568b0e23938f36d4b23fcfa4a18a89045"
@@ -55,9 +64,9 @@
     "cwe_ids": [
       "CWE-79"
     ],
-    "severity": "HIGH",
+    "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-12T14:19:15Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-12T18:16:24Z"
   }
 }