Publish Advisories

GHSA-6477-wvjj-47v6
GHSA-rxmx-g7hr-8mx4
GHSA-q57j-rwwx-7rwp
GHSA-vf35-8m4j-gm8v
GHSA-6477-wvjj-47v6

Author: advisory-database[bot]

advisories/github-reviewed/2026/04/GHSA-6477-wvjj-47v6/GHSA-6477-wvjj-47v6.json

@@ -0,0 +1,72 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6477-wvjj-47v6",
+  "modified": "2026-05-07T16:44:07Z",
+  "published": "2026-04-24T00:31:52Z",
+  "withdrawn": "2026-05-07T16:44:07Z",
+  "aliases": [],
+  "summary": "Duplicate Advisory: OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders",
+  "details": "### Duplicate Advisory\nThis advisory has been withdrawn because it is a duplicate of GHSA-rxmx-g7hr-8mx4. This link is maintained to preserve external references.\n\n### Original Description\nOpenClaw before 2026.4.2 contains an insufficient scope vulnerability in Zalo webhook replay dedupe keys that allows legitimate events from different conversations or senders to collide. Attackers can exploit weak deduplication scoping to cause silent message suppression and disrupt bot workflows across chat sessions.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "openclaw"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2026.4.2"
+            }
+          ]
+        }
+      ]
+    }
+  ],
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41354"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-706"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-07T16:44:07Z",
+    "nvd_published_at": "2026-04-23T22:16:42Z"
+  }
+}

advisories/github-reviewed/2026/04/GHSA-rxmx-g7hr-8mx4/GHSA-rxmx-g7hr-8mx4.json

@@ -1,9 +1,11 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rxmx-g7hr-8mx4",
-  "modified": "2026-04-07T18:15:59Z",
+  "modified": "2026-05-07T16:44:15Z",
   "published": "2026-04-07T18:15:59Z",
-  "aliases": [],
+  "aliases": [
+    "CVE-2026-41354"
+  ],
   "summary": "OpenClaw: Zalo replay dedupe keys could suppress messages across chats or senders",
   "details": "## Summary\n\nBefore OpenClaw 2026.4.2, Zalo webhook replay dedupe keys were not scoped strongly enough across chat and sender dimensions. Legitimate events from different conversations or senders could collide and be dropped as duplicates.\n\n## Impact\n\nCross-conversation or cross-sender collisions could cause silent message suppression and break bot workflows. This was an availability issue in webhook event processing.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.4.1`\n- Patched versions: `>= 2026.4.2`\n- Latest published npm version: `2026.4.1`\n\n## Fix Commit(s)\n\n- `ef7c553dd16ee579f1d1a363f5881a99726c1412` — scope Zalo webhook replay dedupe across the missing event dimensions\n\n## Release Process Note\n\nThe fix is present on `main` and is staged for OpenClaw `2026.4.2`. Publish this advisory after the `2026.4.2` npm release is live.\n\nThanks @D0ub1e-D for reporting.",
   "severity": [
@@ -41,13 +43,21 @@
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-rxmx-g7hr-8mx4"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-41354"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/openclaw/openclaw/commit/ef7c553dd16ee579f1d1a363f5881a99726c1412"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/openclaw/openclaw"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/openclaw-insufficient-scope-in-zalo-webhook-replay-dedupe-keys"
     }
   ],
   "database_specific": {

…-q57j-rwwx-7rwp/GHSA-q57j-rwwx-7rwp.json …-q57j-rwwx-7rwp/GHSA-q57j-rwwx-7rwp.jsonadvisories/unreviewed/2026/05/GHSA-q57j-rwwx-7rwp/GHSA-q57j-rwwx-7rwp.json renamed to advisories/github-reviewed/2026/05/GHSA-q57j-rwwx-7rwp/GHSA-q57j-rwwx-7rwp.json advisories/unreviewed/2026/05/GHSA-q57j-rwwx-7rwp/GHSA-q57j-rwwx-7rwp.json renamed to advisories/github-reviewed/2026/05/GHSA-q57j-rwwx-7rwp/GHSA-q57j-rwwx-7rwp.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q57j-rwwx-7rwp",
-  "modified": "2026-05-01T21:31:20Z",
+  "modified": "2026-05-07T16:45:30Z",
   "published": "2026-05-01T18:31:24Z",
   "aliases": [
     "CVE-2026-42474"
   ],
+  "summary": "MixPHP Framework has an SQL injection vulnerability via crafted `data` array",
   "details": "SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `data` array to the data function in BuildHelper.php.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mix/mix"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "last_affected": "2.2.17"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,7 +45,7 @@
       "url": "https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/mix-php/mix"
     },
     {
@@ -37,8 +58,8 @@
       "CWE-89"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-07T16:45:30Z",
     "nvd_published_at": "2026-05-01T16:16:31Z"
   }
 }

…-vf35-8m4j-gm8v/GHSA-vf35-8m4j-gm8v.json …-vf35-8m4j-gm8v/GHSA-vf35-8m4j-gm8v.jsonadvisories/unreviewed/2026/05/GHSA-vf35-8m4j-gm8v/GHSA-vf35-8m4j-gm8v.json renamed to advisories/github-reviewed/2026/05/GHSA-vf35-8m4j-gm8v/GHSA-vf35-8m4j-gm8v.json advisories/unreviewed/2026/05/GHSA-vf35-8m4j-gm8v/GHSA-vf35-8m4j-gm8v.json renamed to advisories/github-reviewed/2026/05/GHSA-vf35-8m4j-gm8v/GHSA-vf35-8m4j-gm8v.json

@@ -1,19 +1,40 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vf35-8m4j-gm8v",
-  "modified": "2026-05-01T21:31:20Z",
+  "modified": "2026-05-07T16:44:56Z",
   "published": "2026-05-01T18:31:24Z",
   "aliases": [
     "CVE-2026-42475"
   ],
+  "summary": "MixPHP Framework has an SQL injection vulnerability",
   "details": "SQL injection vulnerability in MixPHP Framework 2.x thru 2.2.17 via crafted `on` array to the joinOn function in BuildHelper.php.",
   "severity": [
     {
       "type": "CVSS_V3",
       "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
     }
   ],
-  "affected": [],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "Packagist",
+        "name": "mix/mix"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "2.0.0"
+            },
+            {
+              "last_affected": "2.2.17"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
       "type": "ADVISORY",
@@ -24,7 +45,7 @@
       "url": "https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975"
     },
     {
-      "type": "WEB",
+      "type": "PACKAGE",
       "url": "https://github.com/mix-php/mix"
     },
     {
@@ -37,8 +58,8 @@
       "CWE-89"
     ],
     "severity": "MODERATE",
-    "github_reviewed": false,
-    "github_reviewed_at": null,
+    "github_reviewed": true,
+    "github_reviewed_at": "2026-05-07T16:44:56Z",
     "nvd_published_at": "2026-05-01T16:16:31Z"
   }
 }