github · asrar-mared · Feb 9, 2026 · Feb 9, 2026 · Feb 9, 2026 · Feb 10, 2026
diff --git a/.github/workflows/create_staging_branch.yaml b/.github/workflows/create_staging_branch.yaml
@@ -8,6 +8,10 @@ on:
       - "advisories/**"
   workflow_dispatch:
 
+permissions:
+  contents: write        # Required to create and push branches
+  pull-requests: write   # Required to edit PR base branch
+
 jobs:
   ensure-base-is-staging:
     runs-on: ubuntu-latest

diff --git a/.github/workflows/delete_staging_and_head_branches.yaml b/.github/workflows/delete_staging_and_head_branches.yaml
@@ -8,6 +8,9 @@ on:
       - "advisories/**"
   workflow_dispatch:
 
+permissions:
+  contents: write   # Required to delete branches
+
 jobs:
   delete-staging-and-head-branches:
     if: ${{ !github.event.pull_request.head.repo.fork }}

diff --git a/.github/workflows/stale.yaml b/.github/workflows/stale.yaml
@@ -4,6 +4,9 @@ on:
   schedule:
   - cron: "00 0 * * *" # runs at 00:00 daily
 
+permissions:
+  pull-requests: write   # Required to comment on, label, and close PRs
+
 jobs:
   stale:
 

diff --git a/advisories/github-reviewed/2017/10/GHSA-4whc-pp4x-9pf3/GHSA-4whc-pp4x-9pf3.json b/advisories/github-reviewed/2017/10/GHSA-4whc-pp4x-9pf3/GHSA-4whc-pp4x-9pf3.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4whc-pp4x-9pf3",
-  "modified": "2023-01-20T22:28:49Z",
+  "modified": "2026-01-14T21:44:14Z",
   "published": "2017-10-24T18:33:36Z",
   "aliases": [
     "CVE-2015-1840"
@@ -89,6 +89,10 @@
       "type": "WEB",
       "url": "https://github.com/rails/jquery-ujs/blob/master/CHANGELOG.md"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-rails/CVE-2015-1840.yml"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/jquery-ujs/CVE-2015-1840.yml"
@@ -129,6 +133,6 @@
     "severity": "MODERATE",
     "github_reviewed": true,
     "github_reviewed_at": "2020-06-16T20:59:28Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2015-07-26T22:59:00Z"
   }
 }
diff --git a/advisories/github-reviewed/2017/10/GHSA-6x85-j5j2-27jx/GHSA-6x85-j5j2-27jx.json b/advisories/github-reviewed/2017/10/GHSA-6x85-j5j2-27jx/GHSA-6x85-j5j2-27jx.json
@@ -1,14 +1,19 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6x85-j5j2-27jx",
-  "modified": "2023-02-15T22:22:18Z",
+  "modified": "2025-10-24T19:28:04Z",
   "published": "2017-10-24T18:33:36Z",
   "aliases": [
     "CVE-2014-0130"
   ],
   "summary": "actionpack Path Traversal vulnerability",
   "details": "Directory traversal vulnerability in `actionpack/lib/abstract_controller/base.rb` in the implicit-render implementation in Ruby on Rails before 3.2.18, 4.0.x before 4.0.5, and 4.1.x before 4.1.1, when certain route globbing configurations are enabled, allows remote attackers to read arbitrary files via a crafted request.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"
+    }
+  ],
   "affected": [
     {
       "package": {
@@ -101,6 +106,10 @@
       "type": "WEB",
       "url": "https://groups.google.com/forum/#!topic/rubyonrails-security/NkKc7vTW70o"
     },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"
+    },
     {
       "type": "WEB",
       "url": "https://web.archive.org/web/20140518192004/http://www.securityfocus.com/bid/67244"
@@ -113,6 +122,14 @@
       "type": "WEB",
       "url": "https://web.archive.org/web/20210411041816/https://groups.google.com/forum/message/raw?msg=rubyonrails-security/NkKc7vTW70o/NxW_PDBSG3AJ"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2014-0130"
+    },
+    {
+      "type": "WEB",
+      "url": "http://matasano.com/research/AnatomyOfRailsVuln-CVE-2014-0130.pdf"
+    },
     {
       "type": "WEB",
       "url": "http://rhn.redhat.com/errata/RHSA-2014-1863.html"
@@ -122,7 +139,7 @@
     "cwe_ids": [
       "CWE-22"
     ],
-    "severity": "MODERATE",
+    "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2020-06-16T21:20:36Z",
     "nvd_published_at": "2014-05-07T10:55:00Z"

diff --git a/advisories/github-reviewed/2017/10/GHSA-f522-ffg8-j8r6/GHSA-f522-ffg8-j8r6.json b/advisories/github-reviewed/2017/10/GHSA-f522-ffg8-j8r6/GHSA-f522-ffg8-j8r6.json
@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-f522-ffg8-j8r6",
-  "modified": "2024-10-02T17:16:12Z",
+  "modified": "2025-10-17T17:50:27Z",
   "published": "2017-10-24T18:33:35Z",
   "aliases": [
     "CVE-2016-2537"
   ],
   "summary": "Regular Expression Denial of Service in is-my-json-valid",
-  "details": "Version of `is-my-json-valid` before 1.4.1 or 2.17.2 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.\n\n\n## Recommendation\n\nUpdate to version 1.4.1, 2.17.2 or later.",
+  "details": "Version of `is-my-json-valid` before 2.12.4 are vulnerable to regular expression denial of service (ReDoS) via the email validation function.\n\n\n## Recommendation\n\nUpdate to version 2.12.4 or later.",
   "severity": [
     {
       "type": "CVSS_V3",
@@ -28,7 +28,7 @@
               "introduced": "0"
             },
             {
-              "fixed": "2.17.2"
+              "fixed": "2.12.4"
             }
           ]
         }
@@ -84,6 +84,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2020-06-16T21:33:36Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2016-02-23T05:59:01Z"
   }
 }
diff --git a/advisories/github-reviewed/2017/10/GHSA-h6w6-xmqv-7q78/GHSA-h6w6-xmqv-7q78.json b/advisories/github-reviewed/2017/10/GHSA-h6w6-xmqv-7q78/GHSA-h6w6-xmqv-7q78.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h6w6-xmqv-7q78",
-  "modified": "2023-05-12T17:14:49Z",
+  "modified": "2025-11-03T13:56:05Z",
   "published": "2017-10-24T18:33:38Z",
   "aliases": [
     "CVE-2011-2930"
@@ -39,14 +39,33 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "3.0.0"
+              "introduced": "3.0.0.beta"
             },
             {
               "fixed": "3.0.10"
             }
           ]
         }
       ]
+    },
+    {
+      "package": {
+        "ecosystem": "RubyGems",
+        "name": "activerecord"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "3.1.0.beta1"
+            },
+            {
+              "fixed": "3.1.0.rc5"
+            }
+          ]
+        }
+      ]
     }
   ],
   "references": [

diff --git a/advisories/github-reviewed/2017/10/GHSA-vxvp-4xwc-jpp6/GHSA-vxvp-4xwc-jpp6.json b/advisories/github-reviewed/2017/10/GHSA-vxvp-4xwc-jpp6/GHSA-vxvp-4xwc-jpp6.json
@@ -1,37 +1,15 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vxvp-4xwc-jpp6",
-  "modified": "2023-01-23T18:04:55Z",
+  "modified": "2025-11-04T20:42:18Z",
   "published": "2017-10-24T18:33:36Z",
   "aliases": [
     "CVE-2015-3226"
   ],
   "summary": "activesupport Cross-site Scripting vulnerability",
-  "details": "Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 3.x and 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.",
+  "details": "Cross-site scripting (XSS) vulnerability in `json/encoding.rb` in Active Support in Ruby on Rails 4.1.x before 4.1.11 and 4.2.x before 4.2.2 allows remote attackers to inject arbitrary web script or HTML via a crafted Hash that is mishandled during JSON encoding.",
   "severity": [],
   "affected": [
-    {
-      "package": {
-        "ecosystem": "RubyGems",
-        "name": "activesupport"
-      },
-      "ranges": [
-        {
-          "type": "ECOSYSTEM",
-          "events": [
-            {
-              "introduced": "3.0.0"
-            },
-            {
-              "fixed": "3.2.22.5"
-            }
-          ]
-        }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 3.2.22.4"
-      }
-    },
     {
       "package": {
         "ecosystem": "RubyGems",
@@ -76,10 +54,18 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2015-3226"
     },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/rails/rails"
+    },
     {
       "type": "WEB",
       "url": "https://groups.google.com/forum/message/raw?msg=rubyonrails-security/7VlB_pck3hU/3QZrGIaQW6cJ"
     },
+    {
+      "type": "WEB",
+      "url": "https://groups.google.com/g/rubyonrails-core/c/qBUqVlXERag/m/kuH3wQk1kxUJ"
+    },
     {
       "type": "WEB",
       "url": "https://web.archive.org/web/20200228033946/http://www.securityfocus.com/bid/75231"

diff --git a/advisories/github-reviewed/2017/10/GHSA-xrr4-p6fq-hjg7/GHSA-xrr4-p6fq-hjg7.json b/advisories/github-reviewed/2017/10/GHSA-xrr4-p6fq-hjg7/GHSA-xrr4-p6fq-hjg7.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xrr4-p6fq-hjg7",
-  "modified": "2024-07-16T20:12:47Z",
+  "modified": "2025-10-22T17:35:03Z",
   "published": "2017-10-24T18:33:35Z",
   "aliases": [
     "CVE-2016-0752"
@@ -11,7 +11,7 @@
   "severity": [
     {
       "type": "CVSS_V3",
-      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N/E:H"
     }
   ],
   "affected": [
@@ -160,6 +160,10 @@
       "type": "WEB",
       "url": "https://web.archive.org/web/20210723192420/http://www.securitytracker.com/id/1034816"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2016-0752"
+    },
     {
       "type": "WEB",
       "url": "https://www.exploit-db.com/exploits/40561"

diff --git a/advisories/github-reviewed/2018/08/GHSA-pv4c-p2j5-38j4/GHSA-pv4c-p2j5-38j4.json b/advisories/github-reviewed/2018/08/GHSA-pv4c-p2j5-38j4/GHSA-pv4c-p2j5-38j4.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pv4c-p2j5-38j4",
-  "modified": "2023-09-11T22:06:04Z",
+  "modified": "2026-01-23T20:10:56Z",
   "published": "2018-08-13T15:02:15Z",
   "aliases": [
     "CVE-2018-3774"
@@ -25,7 +25,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "1.0.0"
             },
             {
               "fixed": "1.4.3"
@@ -40,6 +40,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-3774"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/unshiftio/url-parse/commit/209c296d302317268afbe19700a70c63ecbeb2d2"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/unshiftio/url-parse/commit/53b1794e54d0711ceb52505e0f74145270570d5a"
@@ -53,12 +57,12 @@
       "url": "https://hackerone.com/reports/384029"
     },
     {
-      "type": "ADVISORY",
-      "url": "https://github.com/advisories/GHSA-pv4c-p2j5-38j4"
+      "type": "PACKAGE",
+      "url": "https://github.com/unshiftio/url-parse"
     },
     {
       "type": "WEB",
-      "url": "https://www.npmjs.com/advisories/678"
+      "url": "https://github.com/unshiftio/url-parse/compare/0.2.3...1.0.0"
     }
   ],
   "database_specific": {

diff --git a/advisories/github-reviewed/2018/09/GHSA-pj7m-g53m-7638/GHSA-pj7m-g53m-7638.json b/advisories/github-reviewed/2018/09/GHSA-pj7m-g53m-7638/GHSA-pj7m-g53m-7638.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-pj7m-g53m-7638",
-  "modified": "2024-08-01T21:03:38Z",
+  "modified": "2025-11-19T14:25:32Z",
   "published": "2018-09-13T15:49:56Z",
   "aliases": [
     "CVE-2018-14041"
@@ -259,6 +259,10 @@
       "type": "PACKAGE",
       "url": "https://github.com/twbs/bootstrap"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/rubysec/ruby-advisory-db/blob/master/gems/bootstrap/CVE-2018-14041.yml"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/FriendsOfPHP/security-advisories/blob/master/typo3/cms/CVE-2018-14041.yaml"

diff --git a/advisories/github-reviewed/2018/10/GHSA-6xq8-pvg4-3mf3/GHSA-6xq8-pvg4-3mf3.json b/advisories/github-reviewed/2018/10/GHSA-6xq8-pvg4-3mf3/GHSA-6xq8-pvg4-3mf3.json
@@ -1,12 +1,12 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6xq8-pvg4-3mf3",
-  "modified": "2022-09-14T19:17:28Z",
+  "modified": "2025-10-15T16:43:16Z",
   "published": "2018-10-19T16:54:11Z",
   "aliases": [
     "CVE-2018-1000644"
   ],
-  "summary": "Eclipse RDF4j vulnerable to XML External Entitiy",
+  "summary": "Eclipse RDF4j vulnerable to XML External Entity",
   "details": "Eclipse RDF4j version < 2.4.0 Milestone 2 contains a XML External Entity (XXE) vulnerability in RDF4j XML parser parsing RDF files that can result in the disclosure of confidential data, denial of service, server side request forgery, port scanning. This attack appear to be exploitable via Specially crafted RDF file.",
   "severity": [
     {

diff --git a/advisories/github-reviewed/2018/10/GHSA-cr6j-3jp9-rw65/GHSA-cr6j-3jp9-rw65.json b/advisories/github-reviewed/2018/10/GHSA-cr6j-3jp9-rw65/GHSA-cr6j-3jp9-rw65.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cr6j-3jp9-rw65",
-  "modified": "2024-07-25T20:16:22Z",
+  "modified": "2025-10-22T17:29:40Z",
   "published": "2018-10-18T19:24:38Z",
   "aliases": [
     "CVE-2018-11776"
@@ -11,7 +11,7 @@
   "severity": [
     {
       "type": "CVSS_V3",
-      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+      "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H"
     }
   ],
   "affected": [
@@ -89,6 +89,10 @@
       "type": "WEB",
       "url": "https://www.exploit-db.com/exploits/45260"
     },
+    {
+      "type": "WEB",
+      "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2018-11776"
+    },
     {
       "type": "WEB",
       "url": "https://web.archive.org/web/20201208145803/https://securitytracker.com/id/1041547"