{
|
|
"gitea--CVE-2018-15192": {
|
|
"canonical_id": "gitea--CVE-2018-15192",
|
|
"title": "Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea",
|
|
"summary": "Gogs and Gitea SSRF Vulnerability in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-20T20:32:20Z",
|
|
"updated_at": "2026-03-03T04:54:04.686907Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-fg3x-rwq9-74cw",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2018-15192",
|
|
"https://github.com/go-gitea/gitea/commit/599ff1c054e436daa4dc3f049aa8661d9c2395f9",
|
|
"https://github.com/go-gitea/gitea/issues/4624",
|
|
"https://github.com/go-gitea/gitea/pull/17482",
|
|
"https://github.com/gogs/gogs/commit/22717a1c064511cf37c46af5e650baf7184cf25b",
|
|
"https://github.com/gogs/gogs/issues/5366",
|
|
"https://github.com/gogs/gogs/pull/6002"
|
|
],
|
|
"aliases": [
|
|
"CVE-2018-15192",
|
|
"GHSA-fg3x-rwq9-74cw",
|
|
"GO-2023-1971"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary",
|
|
"ssrf-url-validation"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"gitea--CVE-2018-18926": {
|
|
"canonical_id": "gitea--CVE-2018-18926",
|
|
"title": "Gitea Remote Code Execution (RCE) in code.gitea.io/gitea",
|
|
"summary": "Gitea Remote Code Execution (RCE) in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T15:29:04Z",
|
|
"updated_at": "2026-03-03T04:52:20.787387Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-hf6f-jq25-8gq9",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2018-18926",
|
|
"https://github.com/go-gitea/gitea/commit/aeb5655c25053bdcd7eee94ea37df88468374162",
|
|
"https://github.com/go-gitea/gitea/issues/5140",
|
|
"https://github.com/go-gitea/gitea/pull/5177"
|
|
],
|
|
"aliases": [
|
|
"CVE-2018-18926",
|
|
"GHSA-hf6f-jq25-8gq9",
|
|
"GO-2022-0844"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": true,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2018-18926-20260318035129/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2019-1010261": {
|
|
"canonical_id": "gitea--CVE-2019-1010261",
|
|
"title": "Gitea XSS Vulnerability in code.gitea.io/gitea",
|
|
"summary": "Gitea XSS Vulnerability in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-20T20:31:38Z",
|
|
"updated_at": "2026-03-03T04:53:57.848904Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-5rh7-6gfj-mc87",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2019-1010261",
|
|
"https://github.com/go-gitea/gitea/pull/5905"
|
|
],
|
|
"aliases": [
|
|
"CVE-2019-1010261",
|
|
"GHSA-5rh7-6gfj-mc87",
|
|
"GO-2023-1922"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary",
|
|
"xss-output-encoding"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": true,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2019-1010261-20260318035135/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2020-13246": {
|
|
"canonical_id": "gitea--CVE-2020-13246",
|
|
"title": "Denial of Service in Gitea in code.gitea.io/gitea",
|
|
"summary": "Denial of Service in Gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T15:29:04Z",
|
|
"updated_at": "2026-03-03T04:52:17.939867Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-g2qx-6ghw-67hm",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2020-13246",
|
|
"https://github.com/go-gitea/gitea/issues/10549",
|
|
"https://github.com/go-gitea/gitea/pull/11438",
|
|
"https://www.youtube.com/watch?v=DmVgADSVS88"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2020-13246",
|
|
"CVE-2020-13246",
|
|
"GHSA-g2qx-6ghw-67hm",
|
|
"GO-2022-0830"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": true,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2020-13246-20260318035142/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2021-28378": {
|
|
"canonical_id": "gitea--CVE-2021-28378",
|
|
"title": "Cross-site Scripting in Gitea in code.gitea.io/gitea",
|
|
"summary": "Cross-site Scripting in Gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T15:29:04Z",
|
|
"updated_at": "2026-03-03T04:52:18.307544Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-g95p-88p4-76cm",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2021-28378",
|
|
"https://blog.gitea.io/2021/03/gitea-1.13.4-is-released",
|
|
"https://github.com/PandatiX/CVE-2021-28378",
|
|
"https://github.com/go-gitea/gitea/pull/14898",
|
|
"https://github.com/go-gitea/gitea/pull/14899"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2021-28378",
|
|
"CVE-2021-28378",
|
|
"GHSA-g95p-88p4-76cm",
|
|
"GO-2022-0832"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary",
|
|
"xss-output-encoding"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": true,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-28378-20260318035148/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2021-29134": {
|
|
"canonical_id": "gitea--CVE-2021-29134",
|
|
"title": "Path Traversal in Gitea in code.gitea.io/gitea",
|
|
"summary": "Path Traversal in Gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T14:30:29Z",
|
|
"updated_at": "2026-03-03T04:50:06.638863Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-h3q4-vmw4-cpr5",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2021-29134",
|
|
"https://github.com/go-gitea/gitea/pull/15125/files",
|
|
"https://github.com/go-gitea/gitea/releases",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.13.6"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2021-29134",
|
|
"CVE-2021-29134",
|
|
"GHSA-h3q4-vmw4-cpr5",
|
|
"GO-2022-0353"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary",
|
|
"path-traversal-guard"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-29134-20260318035154/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2021-3382": {
|
|
"canonical_id": "gitea--CVE-2021-3382",
|
|
"title": "Buffer Overflow in gitea in code.gitea.io/gitea",
|
|
"summary": "Buffer Overflow in gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-06-04T15:19:21Z",
|
|
"updated_at": "2026-03-03T04:55:15.307648Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-9f8c-pfvv-p4gm",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2021-3382",
|
|
"https://github.com/go-gitea/gitea/pull/14390"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2021-3382",
|
|
"CVE-2021-3382",
|
|
"GHSA-9f8c-pfvv-p4gm",
|
|
"GO-2024-2757"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-3382-20260318035201/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2021-45327": {
|
|
"canonical_id": "gitea--CVE-2021-45327",
|
|
"title": "Capture-replay in Gitea in code.gitea.io/gitea",
|
|
"summary": "Capture-replay in Gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T14:30:26Z",
|
|
"updated_at": "2026-03-03T04:52:07.840324Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-jrpg-35hw-m4p9",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2021-45327",
|
|
"https://blog.gitea.io/2020/03/gitea-1.11.2-is-released",
|
|
"https://github.com/go-gitea/gitea/commit/4cb18601ff33dda5edb47d5b452cc8f2dc39dd67",
|
|
"https://github.com/go-gitea/gitea/commit/6f5656ab0ebec03fe63898208dabc802c4be46ab",
|
|
"https://github.com/go-gitea/gitea/commit/ed664a9e1dae4d4660e60c981173bbc5102e69ea",
|
|
"https://github.com/go-gitea/gitea/pull/10462",
|
|
"https://github.com/go-gitea/gitea/pull/10465",
|
|
"https://github.com/go-gitea/gitea/pull/10582"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2021-45327",
|
|
"CVE-2021-45327",
|
|
"GHSA-jrpg-35hw-m4p9",
|
|
"GO-2022-0310"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45327-20260318035207/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2021-45330": {
|
|
"canonical_id": "gitea--CVE-2021-45330",
|
|
"title": "Improper Privilege Management in Gitea in code.gitea.io/gitea",
|
|
"summary": "Improper Privilege Management in Gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T16:03:21Z",
|
|
"updated_at": "2026-03-03T04:52:33.136607Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-pg38-r834-g45j",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2021-45330",
|
|
"https://github.com/go-gitea/gitea/issues/4336",
|
|
"https://github.com/go-gitea/gitea/pull/4840"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2021-45330",
|
|
"CVE-2021-45330",
|
|
"GHSA-pg38-r834-g45j",
|
|
"GO-2022-0982"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45330-20260318035214/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2021-45331": {
|
|
"canonical_id": "gitea--CVE-2021-45331",
|
|
"title": "Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea",
|
|
"summary": "Reuse of one time passwords allowed in Gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T14:30:29Z",
|
|
"updated_at": "2026-03-03T04:52:07.604662Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-hfmf-q69j-6m5p",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2021-45331",
|
|
"https://blog.gitea.io/2018/08/gitea-1.5.0-is-released",
|
|
"https://github.com/go-gitea/gitea/pull/3878"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2021-45331",
|
|
"CVE-2021-45331",
|
|
"GHSA-hfmf-q69j-6m5p",
|
|
"GO-2022-0315"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2021-45331-20260318035220/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2022-0905": {
|
|
"canonical_id": "gitea--CVE-2022-0905",
|
|
"title": "Gitea Missing Authorization vulnerability in code.gitea.io/gitea",
|
|
"summary": "Gitea Missing Authorization vulnerability in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T15:11:40Z",
|
|
"updated_at": "2026-03-03T04:50:45.472605Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-jr9c-h74f-2v28",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-0905",
|
|
"https://github.com/go-gitea/gitea/commit/1314f38b59748397b3429fb9bc9f9d6bac85d2f2",
|
|
"https://github.com/go-gitea/gitea/commit/3e5c844a7758fa29126d201f4f98bf21bca6d314",
|
|
"https://huntr.dev/bounties/8d221f92-b2b1-4878-bc31-66ff272e5ceb"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2022-0905",
|
|
"CVE-2022-0905",
|
|
"GHSA-jr9c-h74f-2v28",
|
|
"GO-2022-0609"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-0905-20260318035226/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2022-1058": {
|
|
"canonical_id": "gitea--CVE-2022-1058",
|
|
"title": "Gitea Open Redirect in code.gitea.io/gitea",
|
|
"summary": "Gitea Open Redirect in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-06-04T15:19:21Z",
|
|
"updated_at": "2026-03-03T04:51:49.844240Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-4rqq-rxvc-v2rc",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-1058",
|
|
"https://github.com/go-gitea/gitea/commit/e3d8e92bdc67562783de9a76b5b7842b68daeb48",
|
|
"https://github.com/go-gitea/gitea/pull/19175",
|
|
"https://github.com/go-gitea/gitea/pull/19186",
|
|
"https://huntr.dev/bounties/4fb42144-ac70-4f76-a5e1-ef6b5e55dc0d"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2022-1058",
|
|
"CVE-2022-1058",
|
|
"GHSA-4rqq-rxvc-v2rc",
|
|
"GO-2024-2752"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1058-20260318035233/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2022-1928": {
|
|
"canonical_id": "gitea--CVE-2022-1928",
|
|
"title": "Stored Cross-site Scripting in gitea in code.gitea.io/gitea",
|
|
"summary": "Stored Cross-site Scripting in gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T15:11:40Z",
|
|
"updated_at": "2026-03-03T04:50:45.577318Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-ph3w-2843-72mx",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-1928",
|
|
"https://github.com/go-gitea/gitea",
|
|
"https://github.com/go-gitea/gitea/commit/65e0688a5c9dacad50e71024b7529fdf0e3c2e9c",
|
|
"https://github.com/go-gitea/gitea/pull/19825",
|
|
"https://huntr.dev/bounties/6336ec42-5c4d-4f61-ae38-2bb539f433d2",
|
|
"https://security.gentoo.org/glsa/202210-14"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2022-1928",
|
|
"CVE-2022-1928",
|
|
"GHSA-ph3w-2843-72mx",
|
|
"GO-2022-0612"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary",
|
|
"xss-output-encoding"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-1928-20260318035239/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2022-27313": {
|
|
"canonical_id": "gitea--CVE-2022-27313",
|
|
"title": "Arbitrary file deletion in gitea in code.gitea.io/gitea",
|
|
"summary": "Arbitrary file deletion in gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T15:11:31Z",
|
|
"updated_at": "2026-03-03T04:50:19.647131Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-g7p7-x6w7-w6qg",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-27313",
|
|
"https://github.com/go-gitea/gitea/pull/19072",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.16.4"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2022-27313",
|
|
"CVE-2022-27313",
|
|
"GHSA-g7p7-x6w7-w6qg",
|
|
"GO-2022-0442"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-27313-20260318035245/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2022-30781": {
|
|
"canonical_id": "gitea--CVE-2022-30781",
|
|
"title": "Shell command injection in gitea in code.gitea.io/gitea",
|
|
"summary": "Shell command injection in gitea in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T15:11:31Z",
|
|
"updated_at": "2026-03-03T04:50:23.949796Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-p5f9-c9j9-g8qx",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-30781",
|
|
"http://packetstormsecurity.com/files/168400/Gitea-1.16.6-Remote-Code-Execution.html",
|
|
"http://packetstormsecurity.com/files/169928/Gitea-Git-Fetch-Remote-Code-Execution.html",
|
|
"https://blog.gitea.io/2022/05/gitea-1.16.7-is-released",
|
|
"https://github.com/go-gitea/gitea/pull/19487",
|
|
"https://github.com/go-gitea/gitea/pull/19490"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2022-30781",
|
|
"CVE-2022-30781",
|
|
"GHSA-p5f9-c9j9-g8qx",
|
|
"GO-2022-0450"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-30781-20260318035252/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2022-38183": {
|
|
"canonical_id": "gitea--CVE-2022-38183",
|
|
"title": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
|
|
"summary": "Gitea allowed assignment of private issues in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-06-10T16:38:54Z",
|
|
"updated_at": "2026-03-03T04:55:04.505871Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-fhv8-m4j4-cww2",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-38183",
|
|
"https://blog.gitea.io/2022/07/gitea-1.16.9-is-released",
|
|
"https://github.com/go-gitea/gitea/pull/20133",
|
|
"https://github.com/go-gitea/gitea/pull/20196",
|
|
"https://herolab.usd.de/security-advisories/usd-2022-0015"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2022-38183",
|
|
"CVE-2022-38183",
|
|
"GHSA-fhv8-m4j4-cww2",
|
|
"GO-2024-2769"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38183-20260318035258/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2022-38795": {
|
|
"canonical_id": "gitea--CVE-2022-38795",
|
|
"title": "Gitea erroneous repo clones in code.gitea.io/gitea",
|
|
"summary": "Gitea erroneous repo clones in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T14:17:52Z",
|
|
"updated_at": "2026-03-03T04:54:07.076900Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-8j3v-68w3-3848",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-38795",
|
|
"https://blog.gitea.com/release-of-1.17.2",
|
|
"https://github.com/go-gitea/gitea/pull/20869",
|
|
"https://github.com/go-gitea/gitea/pull/20892"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2022-38795",
|
|
"CVE-2022-38795",
|
|
"GHSA-8j3v-68w3-3848",
|
|
"GO-2023-1999"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-38795-20260318035304/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2022-42968": {
|
|
"canonical_id": "gitea--CVE-2022-42968",
|
|
"title": "Gitea vulnerable to Argument Injection in code.gitea.io/gitea",
|
|
"summary": "Gitea vulnerable to Argument Injection in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-08-21T16:03:24Z",
|
|
"updated_at": "2026-03-03T04:52:41.181693Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-w8xw-7crf-h23x",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-42968",
|
|
"https://github.com/go-gitea/gitea/pull/21463",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.17.3",
|
|
"https://security.gentoo.org/glsa/202210-14"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2022-42968",
|
|
"CVE-2022-42968",
|
|
"GHSA-w8xw-7crf-h23x",
|
|
"GO-2022-1065"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2022-42968-20260318035311/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68938": {
|
|
"canonical_id": "gitea--CVE-2025-68938",
|
|
"title": "Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea",
|
|
"summary": "Gitea mishandles authorization for deletion of releases in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-30T01:49:57Z",
|
|
"updated_at": "2026-03-03T04:57:49.095775Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-cm54-pfmc-xrwx",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-68938",
|
|
"https://blog.gitea.com/release-of-1.25.2",
|
|
"https://github.com/go-gitea/gitea/pull/36002/commits/d4262131b39899d9e9ee5caa2635c810d476e43f#diff-8962bac89952027d50fa51f31f59d65bedb4c02bde0265eced5cf256cbed306d",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.25.2"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2025-68938",
|
|
"CVE-2025-68938",
|
|
"GHSA-cm54-pfmc-xrwx",
|
|
"GO-2025-4258"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68938-20260318035317/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68939": {
|
|
"canonical_id": "gitea--CVE-2025-68939",
|
|
"title": "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea",
|
|
"summary": "Gitea allows attackers to add attachments with forbidden file extensions in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-30T01:49:57Z",
|
|
"updated_at": "2026-03-03T04:57:48.777563Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-263q-5cv3-xq9g",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-68939",
|
|
"https://blog.gitea.com/release-of-1.23.0",
|
|
"https://github.com/go-gitea/gitea/pull/32151",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.23.0"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2025-68939",
|
|
"CVE-2025-68939",
|
|
"GHSA-263q-5cv3-xq9g",
|
|
"GO-2025-4261"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary",
|
|
"plugin-extension-trust-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": true,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68939-20260318035323/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68940": {
|
|
"canonical_id": "gitea--CVE-2025-68940",
|
|
"title": "Gitea doesn't adequately enforce branch deletion permissions after merging a pull request in code.gitea.io/gitea",
|
|
"summary": "Gitea doesn't adequately enforce branch deletion permissions after merging a pull request in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-30T01:49:57Z",
|
|
"updated_at": "2026-03-03T04:57:50.087298Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-rrcw-5rjv-vj26",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-68940",
|
|
"https://blog.gitea.com/release-of-1.22.5",
|
|
"https://github.com/go-gitea/gitea/pull/32654",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.22.5"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2025-68940",
|
|
"CVE-2025-68940",
|
|
"GHSA-rrcw-5rjv-vj26",
|
|
"GO-2025-4267"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68941": {
|
|
"canonical_id": "gitea--CVE-2025-68941",
|
|
"title": "Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea",
|
|
"summary": "Gitea mishandles access to a private resource upon receiving an API token with scope limited to public resources in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-30T01:49:57Z",
|
|
"updated_at": "2026-03-03T04:57:50.339953Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-xfq3-qj7j-4565",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-68941",
|
|
"https://blog.gitea.com/release-of-1.22.3",
|
|
"https://github.com/go-gitea/gitea/pull/32218",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.22.3"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2025-68941",
|
|
"CVE-2025-68941",
|
|
"GHSA-xfq3-qj7j-4565",
|
|
"GO-2025-4268"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68941-20260318035334/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68942": {
|
|
"canonical_id": "gitea--CVE-2025-68942",
|
|
"title": "Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea",
|
|
"summary": "Gitea allows XSS because the search input box (for creating tags and branches) is v-html instead of v-text in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-30T01:49:57Z",
|
|
"updated_at": "2026-03-03T04:57:49.781753Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-898p-hh3p-hf9r",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-68942",
|
|
"https://blog.gitea.com/release-of-1.22.2",
|
|
"https://github.com/go-gitea/gitea/pull/31966",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2025-68942",
|
|
"CVE-2025-68942",
|
|
"GHSA-898p-hh3p-hf9r",
|
|
"GO-2025-4263"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary",
|
|
"xss-output-encoding"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68942-20260318035340/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68943": {
|
|
"canonical_id": "gitea--CVE-2025-68943",
|
|
"title": "Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea",
|
|
"summary": "Gitea inadvertently discloses users' login times by allowing (for example) the lastlogintime explore/users sort order in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-30T01:49:57Z",
|
|
"updated_at": "2026-03-03T04:57:49.213758Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-jhx5-4vr4-f327",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-68943",
|
|
"https://blog.gitea.com/release-of-1.21.8-and-1.21.9-and-1.21.10",
|
|
"https://github.com/go-gitea/gitea/pull/29430",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.21.8"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2025-68943",
|
|
"CVE-2025-68943",
|
|
"GHSA-jhx5-4vr4-f327",
|
|
"GO-2025-4266"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68943-20260318035347/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68944": {
|
|
"canonical_id": "gitea--CVE-2025-68944",
|
|
"title": "Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea",
|
|
"summary": "Gitea sometimes mishandles propagation of token scope for access control within one of its own package registries in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-30T01:49:57Z",
|
|
"updated_at": "2026-03-03T04:57:50.526913Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-f85h-c7m6-cfpm",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-68944",
|
|
"https://blog.gitea.com/release-of-1.22.2",
|
|
"https://github.com/go-gitea/gitea/pull/31967",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.22.2"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2025-68944",
|
|
"CVE-2025-68944",
|
|
"GHSA-f85h-c7m6-cfpm",
|
|
"GO-2025-4264"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary",
|
|
"dependency-upgrade-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68945": {
|
|
"canonical_id": "gitea--CVE-2025-68945",
|
|
"title": "Gitea: anonymous user can visit private user's project in code.gitea.io/gitea",
|
|
"summary": "Gitea: anonymous user can visit private user's project in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
|
|
"severity": "unknown",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-30T01:49:57Z",
|
|
"updated_at": "2026-03-03T04:57:51.457970Z",
|
|
"official_source_url": "https://github.com/advisories/GHSA-7xq4-mwcp-q8fx",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-68945",
|
|
"https://blog.gitea.com/release-of-1.21.2",
|
|
"https://github.com/go-gitea/gitea/pull/28423",
|
|
"https://github.com/go-gitea/gitea/releases/tag/v1.21.2"
|
|
],
|
|
"aliases": [
|
|
"BIT-gitea-2025-68945",
|
|
"CVE-2025-68945",
|
|
"GHSA-7xq4-mwcp-q8fx",
|
|
"GO-2025-4262"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"token-cookie-storage",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68945-20260318035358/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"gitea--CVE-2025-68946": {
|
|
"canonical_id": "gitea--CVE-2025-68946",
|
|
"title": "Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea",
|
|
"summary": "Gitea vulnerable to Cross-site Scripting in code.gitea.io/gitea",
|
|
"display_name": "Gitea",
|
|
"system_id": "gitea",
|
|
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-12-30T01:49:57Z",
"updated_at": "2026-03-03T04:57:50.473303Z",
"official_source_url": "https://github.com/advisories/GHSA-hq57-c72x-4774",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-68946",
"https://blog.gitea.com/release-of-1.20.1",
"https://github.com/go-gitea/gitea/pull/25960",
"https://github.com/go-gitea/gitea/releases/tag/v1.20.1"
],
"aliases": [
"BIT-gitea-2025-68946",
"CVE-2025-68946",
"GHSA-hq57-c72x-4774",
"GO-2025-4265"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"xss-output-encoding"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-68946-20260318035404/logs/proof-page.json"
]
}
},
"gitea--CVE-2025-69413": {
"canonical_id": "gitea--CVE-2025-69413",
"title": "Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea",
"summary": "Gitea's /api/v1/user endpoint has different responses for failed authentication depending on whether a username exists in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-01-12T17:39:39Z",
"updated_at": "2026-03-03T04:57:49.801641Z",
"official_source_url": "https://github.com/advisories/GHSA-pc73-rj2c-wvf9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-69413",
"https://blog.gitea.com/release-of-1.25.2",
"https://github.com/go-gitea/gitea/issues/35984",
"https://github.com/go-gitea/gitea/pull/36002",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.2"
],
"aliases": [
"BIT-gitea-2025-69413",
"CVE-2025-69413",
"GHSA-pc73-rj2c-wvf9",
"GO-2026-4274"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2025-69413-20260318035410/logs/proof-page.json"
]
}
},
"gitea--CVE-2026-0798": {
"canonical_id": "gitea--CVE-2026-0798",
"title": "Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea",
"summary": "Gitea may send release notification emails for private repositories to users whose access has been revoked in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.518308Z",
"official_source_url": "https://github.com/advisories/GHSA-8fwc-qjw5-rvgp",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-0798",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/pull/36319",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-0798",
"CVE-2026-0798",
"GHSA-8fwc-qjw5-rvgp",
"GHSA-f4wq-6ww5-m56p",
"GO-2026-4365"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-0798-20260318035416/logs/proof-page.json"
]
}
},
"gitea--CVE-2026-20736": {
"canonical_id": "gitea--CVE-2026-20736",
"title": "Gitea has improper access control for uploaded attachments in code.gitea.io/gitea",
"summary": "Gitea has improper access control for uploaded attachments in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:53.977351Z",
"official_source_url": "https://github.com/advisories/GHSA-hgr3-x44x-33hx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20736",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30",
"https://github.com/go-gitea/gitea/pull/36320",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20736",
"CVE-2026-20736",
"GHSA-hgr3-x44x-33hx",
"GHSA-jr6h-pwwp-c8g6",
"GO-2026-4367"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary",
"file-upload-validation"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"gitea--CVE-2026-20750": {
"canonical_id": "gitea--CVE-2026-20750",
"title": "Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea",
"summary": "Gitea does not properly validate project ownership in organization project operations in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:57.697708Z",
"official_source_url": "https://github.com/advisories/GHSA-rw22-5hhq-pfpf",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20750",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/7b5de594cd92e30b9c3d40ffda119acad794cc64",
"https://github.com/go-gitea/gitea/pull/36318",
"https://github.com/go-gitea/gitea/pull/36373",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20750",
"CVE-2026-20750",
"GHSA-h4fh-pc4w-8w27",
"GHSA-rw22-5hhq-pfpf",
"GO-2026-4370"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20750-20260318035428/logs/proof-page.json"
]
}
},
"gitea--CVE-2026-20800": {
"canonical_id": "gitea--CVE-2026-20800",
"title": "Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea",
"summary": "Gitea improperly exposes issue and pull request titles in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.012782Z",
"official_source_url": "https://github.com/advisories/GHSA-2vgv-hgv4-22mh",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20800",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/67e75f30a83d2523cedc37ad7b03bcba66947833",
"https://github.com/go-gitea/gitea/pull/36339",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20800",
"CVE-2026-20800",
"GHSA-2vgv-hgv4-22mh",
"GHSA-g54m-9f6g-wj7q",
"GO-2026-4362"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20800-20260318035434/logs/proof-page.json"
]
}
},
"gitea--CVE-2026-20883": {
"canonical_id": "gitea--CVE-2026-20883",
"title": "Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea",
"summary": "Gitea improperly exposes issue titles and repository names through previously started stopwatches in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.692700Z",
"official_source_url": "https://github.com/advisories/GHSA-j8xr-c56q-m8jj",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20883",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/95ea2df00a70176c516b12f3cfee8c84a310280f",
"https://github.com/go-gitea/gitea/pull/36340",
"https://github.com/go-gitea/gitea/pull/36368",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20883",
"CVE-2026-20883",
"GHSA-644v-xv3j-xgqg",
"GHSA-j8xr-c56q-m8jj",
"GO-2026-4368"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20883-20260318035441/logs/proof-page.json"
]
}
},
"gitea--CVE-2026-20888": {
"canonical_id": "gitea--CVE-2026-20888",
"title": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea",
"summary": "Gitea does not properly verify authorization when canceling scheduled auto-merges via the web interface in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:56.025932Z",
"official_source_url": "https://github.com/advisories/GHSA-9cgq-wp42-4rpq",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20888",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/pull/36341",
"https://github.com/go-gitea/gitea/pull/36356",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20888",
"CVE-2026-20888",
"GHSA-9cgq-wp42-4rpq",
"GHSA-ccq9-c5hv-cf64",
"GO-2026-4366"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20888-20260318035447/logs/proof-page.json"
]
}
},
"gitea--CVE-2026-20897": {
"canonical_id": "gitea--CVE-2026-20897",
"title": "Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea",
"summary": "Gitea does not properly validate repository ownership when deleting Git LFS locks in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:55.339967Z",
"official_source_url": "https://github.com/advisories/GHSA-393c-qgvj-3xph",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20897",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/da036f3f35ca830b22cf4480912ed261303b798f",
"https://github.com/go-gitea/gitea/pull/36344",
"https://github.com/go-gitea/gitea/pull/36349",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20897",
"CVE-2026-20897",
"GHSA-393c-qgvj-3xph",
"GHSA-rrq5-r9h5-pc7c",
"GO-2026-4363"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20897-20260318035454/logs/proof-page.json"
]
}
},
"gitea--CVE-2026-20904": {
"canonical_id": "gitea--CVE-2026-20904",
"title": "Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea",
"summary": "Gitea does not properly validate ownership when toggling OpenID URI visibility in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:54.244003Z",
"official_source_url": "https://github.com/advisories/GHSA-qqgv-v353-cv8p",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20904",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/ed5720af2ac94d74f822721c05b42b6148ff9c22",
"https://github.com/go-gitea/gitea/pull/36346",
"https://github.com/go-gitea/gitea/pull/36361",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20904",
"CVE-2026-20904",
"GHSA-jrpc-w85r-hgqx",
"GHSA-qqgv-v353-cv8p",
"GO-2026-4369"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20904-20260318035500/logs/proof-page.json"
]
}
},
"gitea--CVE-2026-20912": {
"canonical_id": "gitea--CVE-2026-20912",
"title": "Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea",
"summary": "Gitea does not properly validate repository ownership when linking attachments to releases in code.gitea.io/gitea",
"display_name": "Gitea",
"system_id": "gitea",
"category": "platforms",
"severity": "unknown",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2026-02-02T21:05:55Z",
"updated_at": "2026-03-03T04:57:55.747880Z",
"official_source_url": "https://github.com/advisories/GHSA-4xx9-vc8v-87hv",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2026-20912",
"https://blog.gitea.com/release-of-1.25.4",
"https://github.com/go-gitea/gitea/commit/fbea2c68e8df11cfa94e8ead913b79946780ed30",
"https://github.com/go-gitea/gitea/pull/36320",
"https://github.com/go-gitea/gitea/pull/36355",
"https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
],
"aliases": [
"BIT-gitea-2026-20912",
"CVE-2026-20912",
"GHSA-4xx9-vc8v-87hv",
"GHSA-vfmv-f93v-37mw",
"GO-2026-4364"
],
"secure_code_topics": [
"authz-server-side-recheck",
"token-cookie-storage",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/gitea-gitea--CVE-2026-20912-20260318035506/logs/proof-page.json"
]
}
},
"nextjs--CVE-2020-15242": {
"canonical_id": "nextjs--CVE-2020-15242",
"title": "Open Redirect in Next.js versions",
"summary": "Open Redirect in Next.js versions",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2020-10-08T19:28:07Z",
"updated_at": "2026-03-13T22:14:13.665535Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-x56p-c8cg-q435",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-15242",
"https://github.com/vercel/next.js",
"https://github.com/zeit/next.js/releases/tag/v9.5.4"
],
"aliases": [
"CVE-2020-15242",
"GHSA-x56p-c8cg-q435"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-15242-20260318035615/logs/proof-page.json"
]
}
},
"nextjs--CVE-2020-5284": {
"canonical_id": "nextjs--CVE-2020-5284",
"title": "Directory Traversal in Next.js",
"summary": "Directory Traversal in Next.js",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2020-03-30T20:40:50Z",
"updated_at": "2025-09-26T17:49:56Z",
"official_source_url": "https://github.com/zeit/next.js/security/advisories/GHSA-fq77-7p7r-83rj",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2020-5284",
"https://github.com/zeit/next.js/releases/tag/v9.3.2",
"https://www.npmjs.com/advisories/1503"
],
"aliases": [
"CVE-2020-5284",
"GHSA-fq77-7p7r-83rj"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"path-traversal-guard"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2020-5284-20260318035622/logs/proof-page.json"
]
}
},
"nextjs--CVE-2021-37699": {
"canonical_id": "nextjs--CVE-2021-37699",
"title": "Open Redirect in Next.js",
"summary": "Open Redirect in Next.js",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2021-08-12T14:51:14Z",
"updated_at": "2026-03-13T22:00:08.038285Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-vxf5-wxwp-m7g9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-37699",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.0"
],
"aliases": [
"CVE-2021-37699",
"GHSA-vxf5-wxwp-m7g9"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-37699-20260318035628/logs/proof-page.json"
]
}
},
"nextjs--CVE-2021-39178": {
"canonical_id": "nextjs--CVE-2021-39178",
"title": "XSS in Image Optimization API for Next.js",
"summary": "XSS in Image Optimization API for Next.js",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2021-09-01T18:24:22Z",
"updated_at": "2026-03-13T22:00:20.154452Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-9gr3-7897-pp7m",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-39178",
"https://github.com/vercel/next.js/pull/28620",
"https://github.com/vercel/next.js/commit/7afc97c5744b38bdf36aa7f87625f438224688aa",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.1"
],
"aliases": [
"CVE-2021-39178",
"GHSA-9gr3-7897-pp7m"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"xss-output-encoding"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": true,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-39178-20260318035635/logs/proof-page.json"
]
}
},
"nextjs--CVE-2021-43803": {
"canonical_id": "nextjs--CVE-2021-43803",
"title": "Unexpected server crash in Next.js.",
"summary": "Unexpected server crash in Next.js.",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2021-12-07T21:12:09Z",
"updated_at": "2026-03-13T22:00:36.554552Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-25mp-g6fv-mqxx",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2021-43803",
"https://github.com/vercel/next.js/pull/32080",
"https://github.com/vercel/next.js/commit/6d98b4fb4315dec1badecf0e9bdc212a4272b264",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v11.1.3",
"https://github.com/vercel/next.js/releases/v12.0.5"
],
"aliases": [
"CVE-2021-43803",
"GHSA-25mp-g6fv-mqxx"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"dependency-upgrade-policy"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2021-43803-20260318035642/logs/proof-page.json"
]
}
},
"nextjs--CVE-2024-34351": {
"canonical_id": "nextjs--CVE-2024-34351",
"title": "Next.js Server-Side Request Forgery in Server Actions",
"summary": "Next.js Server-Side Request Forgery in Server Actions",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-05-09T21:18:57Z",
"updated_at": "2026-02-04T03:32:36.434669Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-fr5h-rqp8-mj6g",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-34351",
"https://github.com/vercel/next.js/pull/62561",
"https://github.com/vercel/next.js/commit/8f7a6ca7d21a97bc9f7a1bbe10427b5ad74b9085",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-34351",
"GHSA-fr5h-rqp8-mj6g"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage",
"ssrf-url-validation"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2024-46982": {
"canonical_id": "nextjs--CVE-2024-46982",
"title": "Next.js Cache Poisoning",
"summary": "Next.js Cache Poisoning",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-09-17T21:58:09Z",
"updated_at": "2026-02-04T03:45:33.402195Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-gp8f-8m3g-qvj9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-46982",
"https://github.com/vercel/next.js/commit/7ed7f125e07ef0517a331009ed7e32691ba403d3",
"https://github.com/vercel/next.js/commit/bd164d53af259c05f1ab434004bcfdd3837d7cda",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-46982",
"GHSA-gp8f-8m3g-qvj9"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-46982-20260318035653/logs/proof-page.json"
]
}
},
"nextjs--CVE-2024-47831": {
"canonical_id": "nextjs--CVE-2024-47831",
"title": "Denial of Service condition in Next.js image optimization",
"summary": "Denial of Service condition in Next.js image optimization",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-10-14T19:45:21Z",
"updated_at": "2026-02-04T03:25:43.295558Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-g77x-44xx-532m",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-47831",
"https://github.com/vercel/next.js/commit/d11cbc9ff0b1aaefabcba9afe1e562e0b1fde65a",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-47831",
"GHSA-g77x-44xx-532m"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-47831-20260318035659/logs/proof-page.json"
]
}
},
"nextjs--CVE-2024-51479": {
"canonical_id": "nextjs--CVE-2024-51479",
"title": "Next.js authorization bypass vulnerability",
"summary": "Next.js authorization bypass vulnerability",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2024-12-17T15:09:06Z",
"updated_at": "2025-09-10T21:12:24Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-7gfc-8cq8-jh5f",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-51479",
"https://github.com/vercel/next.js/commit/1c8234eb20bc8afd396b89999a00f06b61d72d7b",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v14.2.15"
],
"aliases": [
"CVE-2024-51479",
"GHSA-7gfc-8cq8-jh5f"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2024-56332": {
"canonical_id": "nextjs--CVE-2024-56332",
"title": "Next.js Allows a Denial of Service (DoS) with Server Actions",
"summary": "Next.js Allows a Denial of Service (DoS) with Server Actions",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-01-03T20:19:29Z",
"updated_at": "2026-02-04T04:36:04.252972Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-7m27-7ghc-44w9",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2024-56332",
"https://github.com/vercel/next.js"
],
"aliases": [
"CVE-2024-56332",
"GHSA-7m27-7ghc-44w9"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2024-56332-20260318035710/logs/proof-page.json"
]
}
},
"nextjs--CVE-2025-29927": {
"canonical_id": "nextjs--CVE-2025-29927",
"title": "Authorization Bypass in Next.js Middleware",
"summary": "Authorization Bypass in Next.js Middleware",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-03-21T15:20:12Z",
"updated_at": "2026-03-04T15:06:29.993197Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-f82v-jwr5-mffw",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-29927",
"https://github.com/vercel/next.js/commit/52a078da3884efe6501613c7834a3d02a91676d2",
"https://github.com/vercel/next.js/commit/5fd3ae8f8542677c6294f32d18022731eab6fe48",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v12.3.5",
"https://github.com/vercel/next.js/releases/tag/v13.5.9",
"https://security.netapp.com/advisory/ntap-20250328-0002",
"https://vercel.com/changelog/vercel-firewall-proactively-protects-against-vulnerability-with-middleware",
"http://www.openwall.com/lists/oss-security/2025/03/23/3",
"http://www.openwall.com/lists/oss-security/2025/03/23/4"
],
"aliases": [
"CVE-2025-29927",
"GHSA-f82v-jwr5-mffw"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": false,
"refs": []
}
},
"nextjs--CVE-2025-30218": {
"canonical_id": "nextjs--CVE-2025-30218",
"title": "Next.js may leak x-middleware-subrequest-id to external hosts",
"summary": "Next.js may leak x-middleware-subrequest-id to external hosts",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-04-02T22:35:37Z",
"updated_at": "2025-10-13T15:35:50Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-223j-4rm8-mrmf",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-30218",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-30218-5DREmEH765PoeAsrNNQj3O"
],
"aliases": [
"CVE-2025-30218",
"GHSA-223j-4rm8-mrmf"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-30218-20260318035721/logs/proof-page.json"
]
}
},
"nextjs--CVE-2025-32421": {
"canonical_id": "nextjs--CVE-2025-32421",
"title": "Next.js Race Condition to Cache Poisoning",
"summary": "Next.js Race Condition to Cache Poisoning",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-05-15T14:12:26Z",
"updated_at": "2025-09-26T17:48:29Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-qpjv-v59x-3qc4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-32421",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-32421"
],
"aliases": [
"CVE-2025-32421",
"GHSA-qpjv-v59x-3qc4"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-32421-20260318035727/logs/proof-page.json"
]
}
},
"nextjs--CVE-2025-48068": {
"canonical_id": "nextjs--CVE-2025-48068",
"title": "Information exposure in Next.js dev server due to lack of origin verification",
"summary": "Information exposure in Next.js dev server due to lack of origin verification",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-05-28T21:52:13Z",
"updated_at": "2025-06-13T14:41:21Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-3h52-269p-cp9r",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-48068",
"https://github.com/vercel/next.js",
"https://vercel.com/changelog/cve-2025-48068"
],
"aliases": [
"CVE-2025-48068",
"GHSA-3h52-269p-cp9r"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-48068-20260318035734/logs/proof-page.json"
]
}
},
"nextjs--CVE-2025-49005": {
"canonical_id": "nextjs--CVE-2025-49005",
"title": "Next.js has a Cache poisoning vulnerability due to omission of the Vary header",
"summary": "Next.js has a Cache poisoning vulnerability due to omission of the Vary header",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-07-03T20:30:18Z",
"updated_at": "2026-02-04T02:37:18.974477Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-r2fc-ccr8-96c4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-49005",
"https://github.com/vercel/next.js/issues/79346",
"https://github.com/vercel/next.js/pull/79939",
"https://github.com/vercel/next.js/commit/ec202eccf05820b60c6126d6411fe16766ecc066",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.3.3",
"https://vercel.com/changelog/cve-2025-49005"
],
"aliases": [
"CVE-2025-49005",
"GHSA-r2fc-ccr8-96c4"
],
"secure_code_topics": [
"authz-server-side-recheck",
"proxy-trust-boundary",
"token-cookie-storage"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49005-20260318035740/logs/proof-page.json"
]
}
},
"nextjs--CVE-2025-49826": {
"canonical_id": "nextjs--CVE-2025-49826",
"title": "Next.js vulnerability can lead to DoS via cache poisoning",
"summary": "Next.js vulnerability can lead to DoS via cache poisoning",
"display_name": "Next.js",
"system_id": "nextjs",
"category": "frameworks",
"severity": "low",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-07-03T21:14:48Z",
"updated_at": "2025-07-03T21:49:52Z",
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-67rr-84xm-4c7r",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-49826",
"https://github.com/vercel/next.js/commit/16bfce64ef2157f2c1dfedcfdb7771bc63103fd2",
"https://github.com/vercel/next.js/commit/a15b974ed707d63ad4da5b74c1441f5b7b120e93",
"https://github.com/vercel/next.js",
"https://github.com/vercel/next.js/releases/tag/v15.1.8",
"https://vercel.com/changelog/cve-2025-49826"
],
"aliases": [
"CVE-2025-49826",
"GHSA-67rr-84xm-4c7r"
],
"secure_code_topics": [
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-49826-20260318035747/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"nextjs--CVE-2025-55173": {
|
|
"canonical_id": "nextjs--CVE-2025-55173",
|
|
"title": "Next.js Content Injection Vulnerability for Image Optimization",
|
|
"summary": "Next.js Content Injection Vulnerability for Image Optimization",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-08-29T21:59:55Z",
|
|
"updated_at": "2026-02-04T04:35:34.538107Z",
|
|
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-xv57-4mr9-wg8v",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-55173",
|
|
"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd",
|
|
"https://github.com/vercel/next.js",
|
|
"https://vercel.com/changelog/cve-2025-55173",
|
|
"http://vercel.com/changelog/cve-2025-55173"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-55173",
|
|
"GHSA-xv57-4mr9-wg8v"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-55173-20260318035753/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"nextjs--CVE-2025-57752": {
|
|
"canonical_id": "nextjs--CVE-2025-57752",
|
|
"title": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes",
|
|
"summary": "Next.js Affected by Cache Key Confusion for Image Optimization API Routes",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-08-29T22:06:22Z",
|
|
"updated_at": "2026-02-04T02:50:08.291668Z",
|
|
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-g5qg-72qw-gw5v",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-57752",
|
|
"https://github.com/vercel/next.js/pull/82114",
|
|
"https://github.com/vercel/next.js/commit/6b12c60c61ee80cb0443ccd20de82ca9b4422ddd",
|
|
"https://github.com/vercel/next.js",
|
|
"https://vercel.com/changelog/cve-2025-57752"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-57752",
|
|
"GHSA-g5qg-72qw-gw5v"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-57752-20260318035800/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"nextjs--CVE-2025-57822": {
|
|
"canonical_id": "nextjs--CVE-2025-57822",
|
|
"title": "Next.js Improper Middleware Redirect Handling Leads to SSRF",
|
|
"summary": "Next.js Improper Middleware Redirect Handling Leads to SSRF",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-08-29T21:33:09Z",
|
|
"updated_at": "2026-02-04T04:20:45.658010Z",
|
|
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-4342-x723-ch2f",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-57822",
|
|
"https://github.com/vercel/next.js/commit/9c9aaed5bb9338ef31b0517ccf0ab4414f2093d8",
|
|
"https://github.com/vercel/next.js",
|
|
"https://vercel.com/changelog/cve-2025-57822"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-57822",
|
|
"GHSA-4342-x723-ch2f"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage",
|
|
"ssrf-url-validation"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"nextjs--CVE-2025-59471": {
|
|
"canonical_id": "nextjs--CVE-2025-59471",
|
|
"title": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",
|
|
"summary": "Next.js self-hosted applications vulnerable to DoS via Image Optimizer remotePatterns configuration",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-01-27T19:18:25Z",
|
|
"updated_at": "2026-02-10T01:28:46.973023Z",
|
|
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-59471",
|
|
"https://github.com/vercel/next.js/commit/500ec83743639addceaede95e95913398975156c",
|
|
"https://github.com/vercel/next.js/commit/e5b834d208fe0edf64aa26b5d76dcf6a176500ec",
|
|
"https://github.com/vercel/next.js",
|
|
"https://github.com/vercel/next.js/releases/tag/v15.5.10",
|
|
"https://github.com/vercel/next.js/releases/tag/v16.1.5"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-59471",
|
|
"GHSA-9g9p-9gw9-jx7f"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59471-20260318035811/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"nextjs--CVE-2025-59472": {
|
|
"canonical_id": "nextjs--CVE-2025-59472",
|
|
"title": "Next.js has Unbounded Memory Consumption via PPR Resume Endpoint",
|
|
"summary": "Next.js has Unbounded Memory Consumption via PPR Resume Endpoint",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-01-28T15:20:55Z",
|
|
"updated_at": "2026-02-06T13:13:43.709252Z",
|
|
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-59472",
|
|
"https://github.com/vercel/next.js",
|
|
"https://vercel.com/changelog/summaries-of-cve-2025-59471-and-cve-2025-59472"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-59472",
|
|
"GHSA-5f7q-jpqc-wp7h"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--CVE-2025-59472-20260318035817/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"nextjs--GHSA-5j59-xgg2-r9c4": {
|
|
"canonical_id": "nextjs--GHSA-5j59-xgg2-r9c4",
|
|
"title": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up",
|
|
"summary": "Next has a Denial of Service with Server Components - Incomplete Fix Follow-Up",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-12T17:21:57Z",
|
|
"updated_at": "2026-02-04T02:46:38.768104Z",
|
|
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-5j59-xgg2-r9c4",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-67779",
|
|
"https://github.com/vercel/next.js",
|
|
"https://nextjs.org/blog/security-update-2025-12-11",
|
|
"https://react.dev/blog/2025/12/11/denial-of-service-and-source-code-exposure-in-react-server-components",
|
|
"https://www.cve.org/CVERecord?id=CVE-2025-55184",
|
|
"https://www.facebook.com/security/advisories/cve-2025-67779"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-67779",
"GHSA-5j59-xgg2-r9c4"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-5j59-xgg2-r9c4-20260318035824/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"nextjs--GHSA-9qr9-h5gf-34mp": {
|
|
"canonical_id": "nextjs--GHSA-9qr9-h5gf-34mp",
|
|
"title": "Next.js is vulnerable to RCE in React flight protocol",
|
|
"summary": "Next.js is vulnerable to RCE in React flight protocol",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-03T19:07:11Z",
|
|
"updated_at": "2026-02-04T03:45:15.823345Z",
|
|
"official_source_url": "https://github.com/facebook/react/security/advisories/GHSA-fv66-9v8q-g76r",
|
|
"secondary_source_urls": [
|
|
"https://github.com/vercel/next.js/security/advisories/GHSA-9qr9-h5gf-34mp",
|
|
"https://github.com/vitejs/vite-plugin-react/security/advisories/GHSA-fmh4-wr37-44fp",
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-55182",
|
|
"https://github.com/vercel/next.js"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-55182",
"GHSA-9qr9-h5gf-34mp"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage",
|
|
"dependency-upgrade-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-9qr9-h5gf-34mp-20260318035830/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"nextjs--GHSA-h25m-26qc-wcjf": {
|
|
"canonical_id": "nextjs--GHSA-h25m-26qc-wcjf",
|
|
"title": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components",
|
|
"summary": "Next.js HTTP request deserialization can lead to DoS when using insecure React Server Components",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-01-28T15:38:01Z",
|
|
"updated_at": "2026-02-13T00:43:52.836085Z",
|
|
"official_source_url": "https://github.com/facebook/react/security/advisories/GHSA-83fc-fqcc-2hmg",
|
|
"secondary_source_urls": [
|
|
"https://github.com/vercel/next.js/security/advisories/GHSA-h25m-26qc-wcjf",
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-23864",
|
|
"https://github.com/vercel/next.js",
|
|
"https://vercel.com/changelog/summary-of-cve-2026-23864"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-23864",
"GHSA-h25m-26qc-wcjf"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage",
|
|
"dependency-upgrade-policy",
|
|
"deserialization-safety"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"nextjs--GHSA-mwv6-3258-q52c": {
|
|
"canonical_id": "nextjs--GHSA-mwv6-3258-q52c",
|
|
"title": "Next Vulnerable to Denial of Service with Server Components",
|
|
"summary": "Next Vulnerable to Denial of Service with Server Components",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-11T22:49:27Z",
|
|
"updated_at": "2026-02-04T03:55:54.855562Z",
|
|
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-mwv6-3258-q52c",
|
|
"secondary_source_urls": [
|
|
"https://github.com/vercel/next.js",
|
|
"https://nextjs.org/blog/security-update-2025-12-11",
|
|
"https://www.cve.org/CVERecord?id=CVE-2025-55184"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-55184",
"GHSA-mwv6-3258-q52c"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage",
|
|
"dependency-upgrade-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-mwv6-3258-q52c-20260318035842/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"nextjs--GHSA-w37m-7fhw-fmv9": {
|
|
"canonical_id": "nextjs--GHSA-w37m-7fhw-fmv9",
|
|
"title": "Next Server Actions Source Code Exposure",
|
|
"summary": "Next Server Actions Source Code Exposure",
|
|
"display_name": "Next.js",
|
|
"system_id": "nextjs",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-12-11T22:49:56Z",
|
|
"updated_at": "2026-02-04T02:51:40.627151Z",
|
|
"official_source_url": "https://github.com/vercel/next.js/security/advisories/GHSA-w37m-7fhw-fmv9",
|
|
"secondary_source_urls": [
|
|
"https://github.com/vercel/next.js",
|
|
"https://nextjs.org/blog/security-update-2025-12-11",
|
|
"https://www.cve.org/CVERecord?id=CVE-2025-55183"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-55183",
"GHSA-w37m-7fhw-fmv9"
|
|
],
|
|
"secure_code_topics": [
|
|
"authz-server-side-recheck",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage",
|
|
"dependency-upgrade-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/nextjs-nextjs--GHSA-w37m-7fhw-fmv9-20260318035848/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"undici--CVE-2022-31151": {
|
|
"canonical_id": "undici--CVE-2022-31151",
|
|
"title": "undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect",
|
|
"summary": "undici before v5.8.0 vulnerable to uncleared cookies on cross-host / cross-origin redirect",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2022-07-21T20:31:05Z",
|
|
"updated_at": "2026-02-04T03:02:08.652391Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-31151",
|
|
"https://github.com/nodejs/undici/issues/872",
|
|
"https://github.com/nodejs/undici/pull/1441",
|
|
"https://github.com/nodejs/undici/commit/0a5bee9465e627be36bac88edf7d9bbc9626126d",
|
|
"https://hackerone.com/reports/1635514",
|
|
"https://github.com/nodejs/undici",
|
|
"https://github.com/nodejs/undici/blob/main/lib/handler/redirect.js#L189",
|
|
"https://github.com/nodejs/undici/releases/tag/v5.8.0",
|
|
"https://security.netapp.com/advisory/ntap-20220909-0006"
|
|
],
|
|
"aliases": [
|
|
"CVE-2022-31151",
|
|
"GHSA-q768-x9m6-m9qp"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage",
|
|
"dependency-upgrade-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2022-32210": {
|
|
"canonical_id": "undici--CVE-2022-32210",
|
|
"title": "ProxyAgent vulnerable to MITM",
|
|
"summary": "ProxyAgent vulnerable to MITM",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2022-06-17T01:02:29Z",
|
|
"updated_at": "2026-03-13T22:15:23.541247Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-pgw7-wx7w-2w33",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2022-32210",
|
|
"https://hackerone.com/reports/1583680",
|
|
"https://github.com/nodejs/undici"
|
|
],
|
|
"aliases": [
|
|
"CVE-2022-32210",
|
|
"GHSA-pgw7-wx7w-2w33"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2023-45143": {
|
|
"canonical_id": "undici--CVE-2023-45143",
|
|
"title": "Undici's cookie header not cleared on cross-origin redirect in fetch",
|
|
"summary": "Undici's cookie header not cleared on cross-origin redirect in fetch",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2023-10-16T14:05:37Z",
|
|
"updated_at": "2026-02-04T02:35:56.289390Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-wqq4-5wpv-mx2g",
|
|
"secondary_source_urls": [
|
|
"https://github.com/nodejs/undici/security/advisories/GHSA-q768-x9m6-m9qp",
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2023-45143",
|
|
"https://github.com/nodejs/undici/commit/e041de359221ebeae04c469e8aff4145764e6d76",
|
|
"https://hackerone.com/reports/2166948",
|
|
"https://github.com/nodejs/undici",
|
|
"https://github.com/nodejs/undici/releases/tag/v5.26.2",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/3N4NJ7FR4X4FPZUGNTQAPSTVB2HB2Y4A",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/E72T67UPDRXHIDLO3OROR25YAMN4GGW5",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/FNA62Q767CFAFHBCDKYNPBMZWB7TWYVU",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HT7T2R4MQKLIF4ODV4BDLPARWFPCJ5CZ",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/LKYHSZQFDNR7RSA7LHVLLIAQMVYCUGBG",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/X6QXN4ORIVF6XBW4WWFE7VNPVC74S45Y"
|
|
],
|
|
"aliases": [
|
|
"CVE-2023-45143",
|
|
"GHSA-wqq4-5wpv-mx2g"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary",
|
|
"token-cookie-storage"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2024-30260": {
|
|
"canonical_id": "undici--CVE-2024-30260",
|
|
"title": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
|
|
"summary": "Undici's Proxy-Authorization header not cleared on cross-origin redirect for dispatch, request, stream, pipeline",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-04-04T14:20:39Z",
|
|
"updated_at": "2025-11-04T19:44:28Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-m4v8-wqvr-p9f7",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2024-30260",
|
|
"https://github.com/nodejs/undici/commit/64e3402da4e032e68de46acb52800c9a06aaea3f",
|
|
"https://github.com/nodejs/undici/commit/6805746680d27a5369d7fb67bc05f95a28247d75",
|
|
"https://hackerone.com/reports/2408074",
|
|
"https://github.com/nodejs/undici",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E",
|
|
"https://security.netapp.com/advisory/ntap-20240905-0008"
|
|
],
|
|
"aliases": [
|
|
"CVE-2024-30260",
|
|
"GHSA-m4v8-wqvr-p9f7"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2024-30261": {
|
|
"canonical_id": "undici--CVE-2024-30261",
|
|
"title": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
|
|
"summary": "Undici's fetch with integrity option is too lax when algorithm is specified but hash value is in incorrect",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-04-04T14:20:54Z",
|
|
"updated_at": "2025-11-04T19:44:42Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-9qxr-qj54-h672",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2024-30261",
|
|
"https://github.com/nodejs/undici/commit/2b39440bd9ded841c93dd72138f3b1763ae26055",
|
|
"https://github.com/nodejs/undici/commit/d542b8cd39ec1ba303f038ea26098c3f355974f3",
|
|
"https://hackerone.com/reports/2377760",
|
|
"https://github.com/nodejs/undici",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/HQVHWAS6WDXXIU7F72XI55VZ2LTZUB33",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/NC3V3HFZ5MOJRZDY5ZELL6REIRSPFROJ",
|
|
"https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/P6Q4RGETHVYVHDIQGTJGU5AV6NJEI67E",
|
|
"https://security.netapp.com/advisory/ntap-20240905-0008"
|
|
],
|
|
"aliases": [
|
|
"CVE-2024-30261",
|
|
"GHSA-9qxr-qj54-h672"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2025-22150": {
|
|
"canonical_id": "undici--CVE-2025-22150",
|
|
"title": "Use of Insufficiently Random Values in undici",
|
|
"summary": "Use of Insufficiently Random Values in undici",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-01-21T21:10:47Z",
|
|
"updated_at": "2026-02-04T02:29:26.373390Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-c76h-2ccp-4975",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-22150",
|
|
"https://github.com/nodejs/undici/commit/711e20772764c29f6622ddc937c63b6eefdf07d0",
|
|
"https://github.com/nodejs/undici/commit/c2d78cd19fe4f4c621424491e26ce299e65e934a",
|
|
"https://github.com/nodejs/undici/commit/c3acc6050b781b827d80c86cbbab34f14458d385",
|
|
"https://hackerone.com/reports/2913312",
|
|
"https://blog.securityevaluators.com/hacking-the-javascript-lottery-80cc437e3b7f",
|
|
"https://github.com/nodejs/undici",
|
|
"https://github.com/nodejs/undici/blob/8b06b8250907d92fead664b3368f1d2aa27c1f35/lib/web/fetch/body.js#L113"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-22150",
|
|
"GHSA-c76h-2ccp-4975"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2025-47279": {
|
|
"canonical_id": "undici--CVE-2025-47279",
|
|
"title": "undici Denial of Service attack via bad certificate data",
|
|
"summary": "undici Denial of Service attack via bad certificate data",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-05-15T14:15:06Z",
|
|
"updated_at": "2026-02-06T22:08:08.311705Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-cxrh-j4jr-qwg3",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-47279",
|
|
"https://github.com/nodejs/undici/issues/3895",
|
|
"https://github.com/nodejs/undici/pull/4088",
|
|
"https://github.com/nodejs/undici/commit/f317618ec28753a4218beccea048bcf89c36db25",
|
|
"https://github.com/nodejs/undici"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-47279",
|
|
"GHSA-cxrh-j4jr-qwg3"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2026-1525": {
|
|
"canonical_id": "undici--CVE-2026-1525",
|
|
"title": "Undici has an HTTP Request/Response Smuggling issue",
|
|
"summary": "Undici has an HTTP Request/Response Smuggling issue",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-03-13T20:07:03Z",
|
|
"updated_at": "2026-03-14T09:19:54.772219Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-2mjp-6q6p-2qxm",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-1525",
|
|
"https://hackerone.com/reports/3556037",
|
|
"https://cna.openjsf.org/security-advisories.html",
|
|
"https://cwe.mitre.org/data/definitions/444.html",
|
|
"https://github.com/nodejs/undici",
|
|
"https://www.rfc-editor.org/rfc/rfc9110.html#section-8.6"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-1525",
|
|
"GHSA-2mjp-6q6p-2qxm"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary",
|
|
"request-smuggling-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2026-1526": {
|
|
"canonical_id": "undici--CVE-2026-1526",
|
|
"title": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
|
|
"summary": "Undici has Unbounded Memory Consumption in WebSocket permessage-deflate Decompression",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-03-13T20:41:56Z",
|
|
"updated_at": "2026-03-13T20:54:25.563997Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-vrm6-8vpv-qv8q",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-1526",
|
|
"https://hackerone.com/reports/3481206",
|
|
"https://cna.openjsf.org/security-advisories.html",
|
|
"https://datatracker.ietf.org/doc/html/rfc7692",
|
|
"https://github.com/nodejs/undici",
|
|
"https://owasp.org/www-community/attacks/Denial_of_Service"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-1526",
|
|
"GHSA-vrm6-8vpv-qv8q"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary",
|
|
"plugin-extension-trust-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2026-1527": {
|
|
"canonical_id": "undici--CVE-2026-1527",
|
|
"title": "Undici has CRLF Injection in undici via `upgrade` option",
|
|
"summary": "Undici has CRLF Injection in undici via `upgrade` option",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-03-13T20:41:26Z",
|
|
"updated_at": "2026-03-13T20:54:25.572106Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-4992-7rv2-5pvq",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-1527",
|
|
"https://hackerone.com/reports/3487198",
|
|
"https://cna.openjsf.org/security-advisories.html",
|
|
"https://github.com/nodejs/undici"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-1527",
|
|
"GHSA-4992-7rv2-5pvq"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2026-1528": {
|
|
"canonical_id": "undici--CVE-2026-1528",
|
|
"title": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
|
|
"summary": "Undici: Malicious WebSocket 64-bit length overflows parser and crashes the client",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-03-13T20:07:26Z",
|
|
"updated_at": "2026-03-14T09:17:45.838435Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-f269-vfmq-vjvj",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-1528",
|
|
"https://hackerone.com/reports/3537648",
|
|
"https://cna.openjsf.org/security-advisories.html",
|
|
"https://github.com/nodejs/undici"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-1528",
|
|
"GHSA-f269-vfmq-vjvj"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2026-22036": {
|
|
"canonical_id": "undici--CVE-2026-22036",
|
|
"title": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
|
|
"summary": "Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-01-14T21:06:08Z",
|
|
"updated_at": "2026-02-04T02:56:17.456091Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-g9mf-h72j-4rw9",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-22036",
|
|
"https://github.com/nodejs/undici/commit/b04e3cbb569c1596f86c108e9b52c79d8475dcb3",
|
|
"https://github.com/nodejs/undici"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-22036",
|
|
"GHSA-g9mf-h72j-4rw9"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2026-2229": {
|
|
"canonical_id": "undici--CVE-2026-2229",
|
|
"title": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
|
|
"summary": "Undici has Unhandled Exception in WebSocket Client Due to Invalid server_max_window_bits Validation",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-03-13T20:41:41Z",
|
|
"updated_at": "2026-03-13T20:54:26.149214Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-v9p9-hfj2-hcw8",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-2229",
|
|
"https://hackerone.com/reports/3487486",
|
|
"https://cna.openjsf.org/security-advisories.html",
|
|
"https://datatracker.ietf.org/doc/html/rfc7692",
|
|
"https://github.com/nodejs/undici",
|
|
"https://nodejs.org/api/zlib.html#class-zlibinflateraw"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-2229",
|
|
"GHSA-v9p9-hfj2-hcw8"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary",
|
|
"plugin-extension-trust-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"undici--CVE-2026-2581": {
|
|
"canonical_id": "undici--CVE-2026-2581",
|
|
"title": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
|
|
"summary": "Undici has Unbounded Memory Consumption in its DeduplicationHandler via Response Buffering that leads to DoS",
|
|
"display_name": "Undici",
|
|
"system_id": "undici",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2026-03-13T20:37:58Z",
|
|
"updated_at": "2026-03-13T20:54:25.417862Z",
|
|
"official_source_url": "https://github.com/nodejs/undici/security/advisories/GHSA-phc3-fgpg-7m6h",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2026-2581",
|
|
"https://hackerone.com/reports/3513473",
|
|
"https://cna.openjsf.org/security-advisories.html",
|
|
"https://github.com/nodejs/undici"
|
|
],
|
|
"aliases": [
|
|
"CVE-2026-2581",
|
|
"GHSA-phc3-fgpg-7m6h"
|
|
],
|
|
"secure_code_topics": [
|
|
"ssrf-url-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": false,
|
|
"refs": []
|
|
}
|
|
},
|
|
"vite--CVE-2024-23331": {
|
|
"canonical_id": "vite--CVE-2024-23331",
|
|
"title": "Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem",
|
|
"summary": "Vite dev server option `server.fs.deny` can be bypassed when hosted on case-insensitive filesystem",
|
|
"display_name": "Vite",
|
|
"system_id": "vite",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-01-19T21:58:47Z",
|
|
"updated_at": "2026-02-04T04:17:01.410592Z",
|
|
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-c24v-8rfc-w8vw",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2023-34092",
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2024-23331",
|
|
"https://github.com/vitejs/vite/commit/0cd769c279724cf27934b1270fbdd45d68217691",
|
|
"https://github.com/vitejs/vite/commit/91641c4da0a011d4c5352e88fc68389d4e1289a5",
|
|
"https://github.com/vitejs/vite/commit/a26c87d20f9af306b5ce3ff1648be7fa5146c278",
|
|
"https://github.com/vitejs/vite/commit/eeec23bbc9d476c54a3a6d36e78455867185a7cb",
|
|
"https://github.com/vitejs/vite",
|
|
"https://vitejs.dev/config/server-options.html#server-fs-deny"
|
|
],
|
|
"aliases": [
|
|
"CVE-2024-23331",
|
|
"GHSA-c24v-8rfc-w8vw"
|
|
],
|
|
"secure_code_topics": [
|
|
"dependency-upgrade-policy",
|
|
"file-upload-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": true,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-23331-20260318040445/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"vite--CVE-2024-45811": {
|
|
"canonical_id": "vite--CVE-2024-45811",
|
|
"title": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
|
|
"summary": "Vite's `server.fs.deny` is bypassed when using `?import&raw`",
|
|
"display_name": "Vite",
|
|
"system_id": "vite",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-09-17T18:44:12Z",
|
|
"updated_at": "2026-02-04T04:05:31.919291Z",
|
|
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-9cwx-2883-4wfx",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2024-45811",
|
|
"https://github.com/vitejs/vite/commit/4573a6fd6f1b097fb7296a3e135e0646b996b249",
|
|
"https://github.com/vitejs/vite/commit/6820bb3b9a54334f3268fc5ee1e967d2e1c0db34",
|
|
"https://github.com/vitejs/vite/commit/8339d7408668686bae56eaccbfdc7b87612904bd",
|
|
"https://github.com/vitejs/vite/commit/a6da45082b6e73ddfdcdcc06bb5414f976a388d6",
|
|
"https://github.com/vitejs/vite/commit/b901438f99e667f76662840826eec91c8ab3b3e7",
|
|
"https://github.com/vitejs/vite"
|
|
],
|
|
"aliases": [
|
|
"CVE-2024-45811",
|
|
"GHSA-9cwx-2883-4wfx"
|
|
],
|
|
"secure_code_topics": [
|
|
"dependency-upgrade-policy",
|
|
"file-upload-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45811-20260318040452/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"vite--CVE-2024-45812": {
|
|
"canonical_id": "vite--CVE-2024-45812",
|
|
"title": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS",
|
|
"summary": "Vite DOM Clobbering gadget found in vite bundled scripts that leads to XSS",
|
|
"display_name": "Vite",
|
|
"system_id": "vite",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2024-09-17T19:28:01Z",
|
|
"updated_at": "2026-02-04T04:04:22.977459Z",
|
|
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-64vr-g452-qvp3",
|
|
"secondary_source_urls": [
|
|
"https://github.com/webpack/webpack/security/advisories/GHSA-4vvj-4cpr-p986",
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2024-45812",
|
|
"https://github.com/vitejs/vite/commit/179b17773cf35c73ddb041f9e6c703fd9f3126af",
|
|
"https://github.com/vitejs/vite/commit/2691bb3ff6b073b41fb9046909e1e03a74e36675",
|
|
"https://github.com/vitejs/vite/commit/2ddd8541ec3b2d2e5b698749e0f2362ef28056bd",
|
|
"https://github.com/vitejs/vite/commit/ade1d89660e17eedfd35652165b0c26905259fad",
|
|
"https://github.com/vitejs/vite/commit/e8127166979e7ace6eeaa2c3b733c8994caa31f3",
|
|
"https://github.com/vitejs/vite/commit/ebb94c5b3bf41950f45562595adec117a4d0ba5e",
|
|
"https://github.com/vitejs/vite",
|
|
"https://research.securitum.com/xss-in-amp4email-dom-clobbering",
|
|
"https://scnps.co/papers/sp23_domclob.pdf"
|
|
],
|
|
"aliases": [
|
|
"CVE-2024-45812",
|
|
"GHSA-64vr-g452-qvp3"
|
|
],
|
|
"secure_code_topics": [
|
|
"dependency-upgrade-policy",
|
|
"file-upload-validation",
|
|
"proxy-trust-boundary",
|
|
"xss-output-encoding",
|
|
"plugin-extension-trust-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": true,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2024-45812-20260318040458/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"vite--CVE-2025-24010": {
|
|
"canonical_id": "vite--CVE-2025-24010",
|
|
"title": "Websites were able to send any requests to the development server and read the response in vite",
|
|
"summary": "Websites were able to send any requests to the development server and read the response in vite",
|
|
"display_name": "Vite",
|
|
"system_id": "vite",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-01-21T19:52:55Z",
|
|
"updated_at": "2026-02-04T04:37:03.076966Z",
|
|
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-vg6x-rcgg-rjx6",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-24010",
|
|
"https://github.com/vitejs/vite"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-24010",
|
|
"GHSA-vg6x-rcgg-rjx6"
|
|
],
|
|
"secure_code_topics": [
|
|
"dependency-upgrade-policy",
|
|
"file-upload-validation",
|
|
"proxy-trust-boundary",
|
|
"dom-sink-hardening",
|
|
"token-cookie-storage",
|
|
"plugin-extension-trust-policy"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": true,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-24010-20260318040505/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"vite--CVE-2025-30208": {
|
|
"canonical_id": "vite--CVE-2025-30208",
|
|
"title": "Vite bypasses server.fs.deny when using ?raw??",
|
|
"summary": "Vite bypasses server.fs.deny when using ?raw??",
|
|
"display_name": "Vite",
|
|
"system_id": "vite",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-03-25T14:00:02Z",
|
|
"updated_at": "2026-02-04T03:13:24.371631Z",
|
|
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-x574-m823-4x7w",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-30208",
|
|
"https://github.com/vitejs/vite/commit/315695e9d97cc6cfa7e6d9e0229fb50cdae3d9f4",
|
|
"https://github.com/vitejs/vite/commit/80381c38d6f068b12e6e928cd3c616bd1d64803c",
|
|
"https://github.com/vitejs/vite/commit/807d7f06d33ab49c48a2a3501da3eea1906c0d41",
|
|
"https://github.com/vitejs/vite/commit/92ca12dc79118bf66f2b32ff81ed09e0d0bd07ca",
|
|
"https://github.com/vitejs/vite/commit/f234b5744d8b74c95535a7b82cc88ed2144263c1",
|
|
"https://github.com/vitejs/vite"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-30208",
|
|
"GHSA-x574-m823-4x7w"
|
|
],
|
|
"secure_code_topics": [
|
|
"dependency-upgrade-policy",
|
|
"file-upload-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-30208-20260318040511/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"vite--CVE-2025-31125": {
|
|
"canonical_id": "vite--CVE-2025-31125",
|
|
"title": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
|
|
"summary": "Vite has a `server.fs.deny` bypassed for `inline` and `raw` with `?import` query",
|
|
"display_name": "Vite",
|
|
"system_id": "vite",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-03-31T17:31:54Z",
|
|
"updated_at": "2026-02-04T04:37:24.129476Z",
|
|
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-4r4m-qw57-chr8",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-31125",
|
|
"https://github.com/vitejs/vite/commit/59673137c45ac2bcfad1170d954347c1a17ab949",
|
|
"https://github.com/vitejs/vite",
|
|
"https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-31125"
|
|
],
|
|
"aliases": [
|
|
"CVE-2025-31125",
|
|
"GHSA-4r4m-qw57-chr8"
|
|
],
|
|
"secure_code_topics": [
|
|
"dependency-upgrade-policy",
|
|
"file-upload-validation",
|
|
"proxy-trust-boundary"
|
|
],
|
|
"verification_status": "verified-real",
|
|
"verification_mode": "real",
|
|
"artifact_mode": "local-fixture",
|
|
"blocked_reason": null,
|
|
"browser_evidence": {
|
|
"required": false,
|
|
"present": true,
|
|
"refs": [
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/assets/baseline.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/assets/baseline-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/logs/baseline-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/logs/baseline-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/logs/baseline-page.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/assets/proof.png",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/assets/proof-dom.html",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/logs/proof-console.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/logs/proof-network.json",
|
|
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31125-20260318040518/logs/proof-page.json"
|
|
]
|
|
}
|
|
},
|
|
"vite--CVE-2025-31486": {
|
|
"canonical_id": "vite--CVE-2025-31486",
|
|
"title": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
|
|
"summary": "Vite allows server.fs.deny to be bypassed with .svg or relative paths",
|
|
"display_name": "Vite",
|
|
"system_id": "vite",
|
|
"category": "frameworks",
|
|
"severity": "low",
|
|
"cvss_score": null,
|
|
"exploit_status": "unknown",
|
|
"published_at": "2025-04-04T14:20:05Z",
|
|
"updated_at": "2026-02-04T03:51:38.412061Z",
|
|
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-xcj6-pq6g-qj4x",
|
|
"secondary_source_urls": [
|
|
"https://nvd.nist.gov/vuln/detail/CVE-2025-31486",
|
|
"https://github.com/vitejs/vite/commit/62d7e81ee189d65899bb65f3263ddbd85247b647",
|
|
"https://github.com/vitejs/vite",
|
|
"https://github.com/vitejs/vite/blob/037f801075ec35bb6e52145d659f71a23813c48f/packages/vite/src/node/plugins/asset.ts#L285-L290"
],
"aliases": [
"CVE-2025-31486",
"GHSA-xcj6-pq6g-qj4x"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-31486-20260318040525/logs/proof-page.json"
]
}
},
"vite--CVE-2025-32395": {
"canonical_id": "vite--CVE-2025-32395",
"title": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
"summary": "Vite has an `server.fs.deny` bypass with an invalid `request-target`",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-04-11T14:06:03Z",
"updated_at": "2026-02-04T04:11:44.900383Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-356w-63v5-8wf4",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-32395",
"https://github.com/vitejs/vite/commit/175a83909f02d3b554452a7bd02b9f340cdfef70",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-32395",
"GHSA-356w-63v5-8wf4"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-32395-20260318040532/logs/proof-page.json"
]
}
},
"vite--CVE-2025-46565": {
"canonical_id": "vite--CVE-2025-46565",
"title": "Vite's server.fs.deny bypassed with /. for files under project root",
"summary": "Vite's server.fs.deny bypassed with /. for files under project root",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-04-30T17:40:27Z",
"updated_at": "2026-02-04T03:27:17.681639Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-859w-5945-r5v3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-46565",
"https://github.com/vitejs/vite/commit/c22c43de612eebb6c182dd67850c24e4fab8cacb",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-46565",
"GHSA-859w-5945-r5v3"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-46565-20260318040538/logs/proof-page.json"
]
}
},
"vite--CVE-2025-58751": {
"canonical_id": "vite--CVE-2025-58751",
"title": "Vite middleware may serve files starting with the same name with the public directory",
"summary": "Vite middleware may serve files starting with the same name with the public directory",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-09-09T20:55:56Z",
"updated_at": "2026-02-04T04:33:22.508417Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-g4jq-h2w9-997c",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-58751",
"https://github.com/lukeed/sirv/commit/f0113f3f8266328d804ee808f763a3c11f8997eb",
"https://github.com/vitejs/vite/commit/09f2b52e8d5907f26602653caf41b3a56692600d",
"https://github.com/vitejs/vite/commit/4f1c35bcbb5830290c694aa14b6789e07450f069",
"https://github.com/vitejs/vite/commit/63e2a5d232218f3f8d852056751e609a5367aaec",
"https://github.com/vitejs/vite/commit/e11d24008b97d4ca731ecc1a3b95260a6d12e7e0",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-58751",
"GHSA-g4jq-h2w9-997c"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58751-20260318040545/logs/proof-page.json"
]
}
},
"vite--CVE-2025-58752": {
"canonical_id": "vite--CVE-2025-58752",
"title": "Vite's `server.fs` settings were not applied to HTML files",
"summary": "Vite's `server.fs` settings were not applied to HTML files",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-09-09T20:54:42Z",
"updated_at": "2026-02-04T04:35:16.287471Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-jqfw-vq24-v9c3",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-58752",
"https://github.com/vitejs/vite/commit/0ab19ea9fcb66f544328f442cf6e70f7c0528d5f",
"https://github.com/vitejs/vite/commit/14015d794f69accba68798bd0e15135bc51c9c1e",
"https://github.com/vitejs/vite/commit/482000f57f56fe6ff2e905305100cfe03043ddea",
"https://github.com/vitejs/vite/commit/6f01ff4fe072bcfcd4e2a84811772b818cd51fe6",
"https://github.com/vitejs/vite",
"https://github.com/vitejs/vite/blob/v7.1.5/packages/vite/CHANGELOG.md"
],
"aliases": [
"CVE-2025-58752",
"GHSA-jqfw-vq24-v9c3"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary",
"plugin-extension-trust-policy"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-58752-20260318040552/logs/proof-page.json"
]
}
},
"vite--CVE-2025-62522": {
"canonical_id": "vite--CVE-2025-62522",
"title": "vite allows server.fs.deny bypass via backslash on Windows",
"summary": "vite allows server.fs.deny bypass via backslash on Windows",
"display_name": "Vite",
"system_id": "vite",
"category": "frameworks",
"severity": "medium",
"cvss_score": null,
"exploit_status": "unknown",
"published_at": "2025-10-20T19:54:28Z",
"updated_at": "2026-02-04T04:13:38.886554Z",
"official_source_url": "https://github.com/vitejs/vite/security/advisories/GHSA-93m4-6634-74q7",
"secondary_source_urls": [
"https://nvd.nist.gov/vuln/detail/CVE-2025-62522",
"https://github.com/vitejs/vite/commit/f479cc57c425ed41ceb434fecebd63931b1ed4ed",
"https://github.com/vitejs/vite"
],
"aliases": [
"CVE-2025-62522",
"GHSA-93m4-6634-74q7"
],
"secure_code_topics": [
"dependency-upgrade-policy",
"file-upload-validation",
"proxy-trust-boundary"
],
"verification_status": "verified-real",
"verification_mode": "real",
"artifact_mode": "local-fixture",
"blocked_reason": null,
"browser_evidence": {
"required": false,
"present": true,
"refs": [
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/assets/baseline.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/assets/baseline-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/logs/baseline-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/logs/baseline-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/logs/baseline-page.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/assets/proof.png",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/assets/proof-dom.html",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/logs/proof-console.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/logs/proof-network.json",
"/Users/x/websafe/06-case-studies/generated-runs/vite-vite--CVE-2025-62522-20260318040559/logs/proof-page.json"
]
}
}
}