{
"generated_at": "2026-03-18T03:59:28+00:00",
"advisory_count": 89,
"run_count": 114,
"statuses": {
"verified-real": 67,
"triage-manual": 22
},
"run_statuses": {
"verified-real": 110,
"blocked-artifact": 3,
"triage-manual": 1
},
"recent_failures": [
{
"run_id": "",
"advisory_id": "undici--CVE-2026-1525",
"status": "triage-manual",
"title": "Undici has an HTTP Request/Response Smuggling issue",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2026-1528",
"status": "triage-manual",
"title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2022-32210",
"status": "triage-manual",
"title": "ProxyAgent vulnerable to MITM",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2026-2229",
"status": "triage-manual",
"title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2026-1527",
"status": "triage-manual",
"title": "Undici has CRLF Injection in undici via `upgrade` option",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2026-1526",
"status": "triage-manual",
"title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2026-2581",
"status": "triage-manual",
"title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2025-47279",
"status": "triage-manual",
"title": "undici Denial of Service attack via bad certificate data",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2025-31125",
"status": "triage-manual",
"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2025-58752",
"status": "triage-manual",
"title": "Vite's `server.fs` settings were not applied to HTML files",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2025-58751",
"status": "triage-manual",
"title": "Vite middleware may serve files starting with the same name with the public directory",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2025-62522",
"status": "triage-manual",
"title": "vite allows server.fs.deny bypass via backslash on Windows",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2025-32395",
"status": "triage-manual",
"title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2024-45811",
"status": "triage-manual",
"title": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2025-31486",
"status": "triage-manual",
"title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2025-46565",
"status": "triage-manual",
"title": "Vite's server.fs.deny bypassed with /. for files under project root",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "vite--CVE-2025-30208",
"status": "triage-manual",
"title": "Vite bypasses server.fs.deny when using ?raw??",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2026-22036",
"status": "triage-manual",
"title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2023-45143",
"status": "triage-manual",
"title": "Undici's cookie header not cleared on cross-origin redirect in fetch",
"blocked_reason": null
},
{
"run_id": "",
"advisory_id": "undici--CVE-2025-22150",
"status": "triage-manual",
"title": "Use of Insufficiently Random Values in undici",
"blocked_reason": null
}
],
"systems": [
{
"system_id": "gitea",
"display_name": "Gitea",
"total": 37,
"verified_real": 37,
"verified_synthetic": 0,
"blocked": 0,
"manual": 0,
"browser_required": 5,
"browser_present": 33,
"latest_update": "2026-03-03T04:57:57.697708Z",
"category": "platforms",
"tier": "rolling-24m",
"output_dir": "07-framework-security/platforms/gitea",
"families": [
{
"family": "authz-bypass",
"total": 3,
"verified_real": 3,
"manual": 0
},
{
"family": "file-upload",
"total": 2,
"verified_real": 2,
"manual": 0
},
{
"family": "proxy-boundary",
"total": 26,
"verified_real": 26,
"manual": 0
},
{
"family": "ssrf",
"total": 1,
"verified_real": 1,
"manual": 0
},
{
"family": "xss",
"total": 5,
"verified_real": 5,
"manual": 0
}
]
},
{
"system_id": "nextjs",
"display_name": "Next.js",
"total": 26,
"verified_real": 26,
"verified_synthetic": 0,
"blocked": 0,
"manual": 0,
"browser_required": 2,
"browser_present": 21,
"latest_update": "2026-03-13T22:14:13.665535Z",
"category": "frameworks",
"tier": "history-full",
"output_dir": "07-framework-security/frameworks/nextjs",
"families": [
{
"family": "authz-bypass",
"total": 2,
"verified_real": 2,
"manual": 0
},
{
"family": "deserialization",
"total": 1,
"verified_real": 1,
"manual": 0
},
{
"family": "proxy-boundary",
"total": 19,
"verified_real": 19,
"manual": 0
},
{
"family": "ssrf",
"total": 2,
"verified_real": 2,
"manual": 0
},
{
"family": "xss",
"total": 2,
"verified_real": 2,
"manual": 0
}
]
},
{
"system_id": "undici",
"display_name": "Undici",
"total": 14,
"verified_real": 1,
"verified_synthetic": 0,
"blocked": 0,
"manual": 13,
"browser_required": 0,
"browser_present": 0,
"latest_update": "2026-03-14T09:19:54.772219Z",
"category": "frameworks",
"tier": "rolling-24m",
"output_dir": "07-framework-security/frameworks/undici",
"families": [
{
"family": "ssrf",
"total": 14,
"verified_real": 1,
"manual": 13
}
]
},
{
"system_id": "vite",
"display_name": "Vite",
"total": 12,
"verified_real": 3,
"verified_synthetic": 0,
"blocked": 0,
"manual": 9,
"browser_required": 3,
"browser_present": 3,
"latest_update": "2026-02-04T04:37:24.129476Z",
"category": "frameworks",
"tier": "history-full",
"output_dir": "07-framework-security/frameworks/vite",
"families": [
{
"family": "file-upload",
"total": 9,
"verified_real": 0,
"manual": 9
},
{
"family": "proxy-boundary",
"total": 2,
"verified_real": 2,
"manual": 0
},
{
"family": "xss",
"total": 1,
"verified_real": 1,
"manual": 0
}
]
}
],
"completeness": {
"advisory_total": 89,
"verified_real": 67,
"verified_synthetic": 0,
"blocked": 0,
"manual": 22,
"verified_ratio": 75.3,
"complete": false
}
}