Publish Advisories

GHSA-6qmh-j78v-ffp7
GHSA-822v-8w6h-5jxp
GHSA-j4j5-9x6g-rgxc
GHSA-m5qg-jc75-4jp6
GHSA-r5v8-c28h-f8r8
GHSA-w287-wwhf-95vv
GHSA-wg36-wvj6-r67p
GHSA-xr7v-m9px-q4qj

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-6qmh-j78v-ffp7/GHSA-6qmh-j78v-ffp7.json

@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6qmh-j78v-ffp7",
+  "modified": "2026-04-14T20:02:31Z",
+  "published": "2026-04-14T20:02:31Z",
+  "aliases": [
+    "CVE-2026-24906"
+  ],
+  "summary": "October CMS has Stored XSS in Backend Editor Markup Classes",
+  "details": "A stored cross-site scripting (XSS) vulnerability was identified in the Backend Editor Settings. The Markup Classes fields (used for paragraph styles, inline styles, table styles, etc.) did not sanitize input to valid CSS class name characters. Malicious values were rendered unsanitized in Froala editor dropdown menus, allowing JavaScript execution when any user opened a RichEditor.\n\n### Impact\n- Stored XSS via editor settings rendered in RichEditor dropdowns\n- Could allow privilege escalation if a superuser opens any RichEditor (e.g., editing a blog post)\n- Requires authenticated backend access with editor settings permissions\n- Triggers on routine content editing operations\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Restrict editor settings permissions to fully trusted administrators only\n\n### References\n- Reported by [Chris Alupului](https://github.com/neosprings)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/system"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.1.10"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.1.9"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/system"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.14"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.7.13"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/octobercms/october/security/advisories/GHSA-6qmh-j78v-ffp7"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24906"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/octobercms/october"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T20:02:31Z",
+    "nvd_published_at": "2026-04-14T18:16:45Z"
+  }
+}

…-822v-8w6h-5jxp/GHSA-822v-8w6h-5jxp.json …-822v-8w6h-5jxp/GHSA-822v-8w6h-5jxp.jsonadvisories/unreviewed/2026/04/GHSA-822v-8w6h-5jxp/GHSA-822v-8w6h-5jxp.json renamed to advisories/github-reviewed/2026/04/GHSA-822v-8w6h-5jxp/GHSA-822v-8w6h-5jxp.json advisories/unreviewed/2026/04/GHSA-822v-8w6h-5jxp/GHSA-822v-8w6h-5jxp.json renamed to advisories/github-reviewed/2026/04/GHSA-822v-8w6h-5jxp/GHSA-822v-8w6h-5jxp.json

@@ -1,11 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-822v-8w6h-5jxp",
-  "modified": "2026-04-12T12:30:26Z",
+  "modified": "2026-04-14T20:04:38Z",
   "published": "2026-04-12T12:30:26Z",
   "aliases": [
     "CVE-2026-6125"
   ],
+  "summary": "Warm-Flow has a SpEL Expression Injection in SpelHelper.parseExpression",
   "details": "A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.",
   "severity": [
     {
@@ -14,10 +15,30 @@
     },
     {
       "type": "CVSS_V4",
-      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Maven",
+        "name": "org.dromara.warm:warm-flow-plugin-modes-sb"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.8.5"
+            }
+          ]
+        }
+      ]
     }
   ],
-  "affected": [],
   "references": [
     {
       "type": "ADVISORY",
@@ -31,6 +52,14 @@
       "type": "WEB",
       "url": "https://gitee.com/dromara/warm-flow/issues/IHURVQ"
     },
+    {
+      "type": "WEB",
+      "url": "https://gitee.com/dromara/warm-flow/pulls/387"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/dromara/warm-flow"
+    },
     {
       "type": "WEB",
       "url": "https://vuldb.com/submit/793322"
@@ -48,9 +77,9 @@
     "cwe_ids": [
       "CWE-74"
     ],
-    "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T20:04:38Z",
     "nvd_published_at": "2026-04-12T10:16:01Z"
   }
 }

advisories/github-reviewed/2026/04/GHSA-j4j5-9x6g-rgxc/GHSA-j4j5-9x6g-rgxc.json

@@ -0,0 +1,86 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j4j5-9x6g-rgxc",
+  "modified": "2026-04-14T20:02:50Z",
+  "published": "2026-04-14T20:02:50Z",
+  "aliases": [
+    "CVE-2026-24907"
+  ],
+  "summary": "October CMS has Stored XSS in Event Log Mail Preview",
+  "details": "A stored cross-site scripting (XSS) vulnerability was identified in the Event Log mail preview feature. When viewing logged mail messages, HTML content was rendered in an iframe without proper sandboxing, allowing JavaScript execution in the viewer's browser context.\n\n### Impact\n- Stored XSS via mail template content rendered in Event Log\n- Could allow privilege escalation if a superuser views a malicious log entry\n- Requires authenticated backend access with mail template editing permissions\n- Requires a superuser to view the specific Event Log entry to trigger\n\n### Patches\nThe vulnerability has been patched in v3.7.14 and v4.1.10. All users are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Restrict mail template editing permissions to fully trusted administrators only\n- Restrict Event Log viewing permissions to minimize exposure\n\n### References\n- Reported by [Chris Alupului](https://github.com/neosprings)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/system"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.1.10"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.1.9"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/system"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.14"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.7.13"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/octobercms/october/security/advisories/GHSA-j4j5-9x6g-rgxc"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24907"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/octobercms/october"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T20:02:50Z",
+    "nvd_published_at": "2026-04-14T18:16:45Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-m5qg-jc75-4jp6/GHSA-m5qg-jc75-4jp6.json

@@ -0,0 +1,87 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m5qg-jc75-4jp6",
+  "modified": "2026-04-14T20:02:05Z",
+  "published": "2026-04-14T20:02:05Z",
+  "aliases": [
+    "CVE-2026-22692"
+  ],
+  "summary": "October Rain has a Twig Sandbox Bypass via Collection Methods",
+  "details": "A sandbox bypass vulnerability was identified in the optional Twig safe mode feature (`CMS_SAFE_MODE`). Certain methods on the `collect()` helper were not properly restricted, allowing authenticated users with template editing permissions to bypass sandbox protections.\n\n### Impact\n- Bypass of Twig sandbox restrictions\n- Only affects installations with `CMS_SAFE_MODE` enabled (disabled by default)\n- Requires authenticated backend access with CMS template editing permissions\n\n### Patches\nThe vulnerability has been patched in v4.1.5 and v3.7.13. All users who have enabled safe mode are encouraged to upgrade to the latest patched version.\n\n### Workarounds\nIf upgrading immediately is not possible:\n- Disable `CMS_SAFE_MODE` if untrusted template editing is not required\n- Restrict CMS template editing permissions to fully trusted administrators only\n\n### References\n- Reported by Łukasz Rybak",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/rain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "4.0.0"
+            },
+            {
+              "fixed": "4.1.5"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 4.1.4"
+      }
+    },
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "october/rain"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "3.7.13"
+            }
+          ]
+        }
+      ],
+      "database_specific": {
+        "last_known_affected_version_range": "<= 3.7.12"
+      }
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/octobercms/october/security/advisories/GHSA-m5qg-jc75-4jp6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22692"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/octobercms/october"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284",
+      "CWE-693"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-04-14T20:02:05Z",
+    "nvd_published_at": "2026-04-14T17:16:28Z"
+  }
+}