Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit dbcd13ab3da5 · 2026-02-26T22:34:57.000Z
GHSA-62cr-6wp5-q43h GHSA-fj3w-jwp8-x2g3
diff --git a/advisories/github-reviewed/2026/02/GHSA-62cr-6wp5-q43h/GHSA-62cr-6wp5-q43h.json b/advisories/github-reviewed/2026/02/GHSA-62cr-6wp5-q43h/GHSA-62cr-6wp5-q43h.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-62cr-6wp5-q43h",
+  "modified": "2026-02-26T22:33:46Z",
+  "published": "2026-02-26T22:33:46Z",
+  "aliases": [
+    "CVE-2026-27948"
+  ],
+  "summary": "Copyparty vulnerable to reflected XSS via setck parameter",
+  "details": "### Summary\nAn XSS allows for reflected cross-site scripting via URL-parameter `?setck=...`\n\n### Details\nA reflected cross-site scripting (XSS) vulnerability could allow an attacker to execute malicious javascript by tricking users into accessing a malicious link.\n\nThe worst-case outcome of this is being able to move or delete existing files on the server, or upload new files, using the account of the person who clicks the malicious link.\n\n### Indicators of Compromise\nAll attempted attacks (successful or not) would be logged to both the copyparty serverlog and the accesslog of the reverseproxy, and are detected by `grep -E '[?&]setck=[^&\"]*%'` (the text `setck=` eventually followed by the `%` character).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "PyPI",
+        "name": "copyparty"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "1.20.9"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/9001/copyparty/security/advisories/GHSA-62cr-6wp5-q43h"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27948"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/9001/copyparty/commit/31b2801fd041f803f4a3d5c12c7d7cb5419048bc"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/9001/copyparty"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/9001/copyparty/releases/tag/v1.20.9"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T22:33:46Z",
+    "nvd_published_at": "2026-02-26T02:16:22Z"
+  }
+}
diff --git a/advisories/github-reviewed/2026/02/GHSA-fj3w-jwp8-x2g3/GHSA-fj3w-jwp8-x2g3.json b/advisories/github-reviewed/2026/02/GHSA-fj3w-jwp8-x2g3/GHSA-fj3w-jwp8-x2g3.json
@@ -0,0 +1,69 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fj3w-jwp8-x2g3",
+  "modified": "2026-02-26T22:33:10Z",
+  "published": "2026-02-26T22:33:10Z",
+  "aliases": [
+    "CVE-2026-27942"
+  ],
+  "summary": "fast-xml-parser has stack overflow in XMLBuilder with preserveOrder",
+  "details": "### Impact\nApplication crashes with stack overflow when user use XML builder with `prserveOrder:true` for following or similar input:\n\n```\n[{\n    'foo': [\n        { 'bar': [{ '@_V': 'baz' }] }\n    ]\n}]\n```\n\nCause: `arrToStr` was not validating if the input is an array or a string and treating all non-array values as text content.\n_What kind of vulnerability is it? Who is impacted?_\n\n### Patches\nYes, in 5.3.8.\n\n### Workarounds\nUse XML builder with `preserveOrder:false` or check the input data before passing to builder.\n\n### References\n[_Are there any links users can visit to find out more?_](https://github.com/NaturalIntelligence/fast-xml-parser/pull/791)",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:U"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "fast-xml-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "5.3.8"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-fj3w-jwp8-x2g3"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27942"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/pull/791"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/c13a961910f14986295dd28484eee830fa1a0e8a"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/NaturalIntelligence/fast-xml-parser"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-120"
+    ],
+    "severity": "LOW",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-02-26T22:33:10Z",
+    "nvd_published_at": "2026-02-26T02:16:22Z"
+  }
+}
