Publish Advisories

GHSA-4647-wpjq-hh7f
GHSA-g9f6-9775-hffm

Author: advisory-database[bot]

advisories/github-reviewed/2026/03/GHSA-4647-wpjq-hh7f/GHSA-4647-wpjq-hh7f.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-4647-wpjq-hh7f",
-  "modified": "2026-03-18T20:22:11Z",
+  "modified": "2026-03-25T18:15:24Z",
   "published": "2026-03-18T20:22:11Z",
   "aliases": [
     "CVE-2026-33226"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/Budibase/budibase/security/advisories/GHSA-4647-wpjq-hh7f"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33226"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/Budibase/budibase"
@@ -52,6 +56,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-18T20:22:11Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-20T23:16:46Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-g9f6-9775-hffm/GHSA-g9f6-9775-hffm.json

@@ -1,17 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g9f6-9775-hffm",
-  "modified": "2026-03-18T20:21:37Z",
+  "modified": "2026-03-25T18:15:09Z",
   "published": "2026-03-18T20:21:37Z",
   "aliases": [
     "CVE-2026-33221"
   ],
   "summary": "Nhost Storage Affected by MIME Type Spoofing via Trusted Client Content-Type Header in Storage Upload",
-  "details": "## Summary\n\nThe storage service's file upload handler trusts the client-provided `Content-Type` header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.\n\n## Affected Component\n\n- **Service**: `services/storage`\n- **File**: `services/storage/controller/upload_files.go`\n- **Function**: `getMultipartFile` (lines 48-70)\n\n## Root Cause\n\nIn `getMultipartFile`, if the client provides a non-empty `Content-Type` header that isn't `application/octet-stream`, the function returns it as-is without performing content-based detection:\n\n```go\ncontentType := file.header.Header.Get(\"Content-Type\")\nif contentType != \"\" && contentType != \"application/octet-stream\" {\n    return fileContent, contentType, nil // skip detection entirely\n}\n\n// mimetype.DetectReader only reached if client sends no Content-Type\n// or sends application/octet-stream\nmt, err := mimetype.DetectReader(fileContent)\n```\n\n## Impact\n\n**Incorrect MIME type in file metadata.** The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type.\n\n## Suggested Fix\n\nAlways detect MIME type from file content using `mimetype.DetectReader`, ignoring the client-provided `Content-Type` header entirely.\n\n## References\n\n- CWE-345: Insufficient Verification of Data Authenticity\n- CWE-434: Unrestricted Upload of File with Dangerous Type",
+  "details": "## Summary\n\nThe storage service's file upload handler trusts the client-provided `Content-Type` header without performing server-side MIME type detection. This allows an attacker to upload files with an arbitrary MIME type, bypassing any MIME-type-based restrictions configured on storage buckets.\n\n## Affected Component\n\n- **Service**: `services/storage`\n- **File**: `services/storage/controller/upload_files.go`\n- **Function**: `getMultipartFile` (lines 48-70)\n\n## Root Cause\n\nIn `getMultipartFile`, if the client provides a non-empty `Content-Type` header that isn't `application/octet-stream`, the function returns it as-is without performing content-based detection:\n\n```go\ncontentType := file.header.Header.Get(\"Content-Type\")\nif contentType != \"\" && contentType != \"application/octet-stream\" {\n    return fileContent, contentType, nil // skip detection entirely\n}\n\n// mimetype.DetectReader only reached if client sends no Content-Type\n// or sends application/octet-stream\nmt, err := mimetype.DetectReader(fileContent)\n```\n\n## Impact\n\n**Incorrect MIME type in file metadata.** The MIME type stored in file metadata reflects what the client claims rather than what the file actually contains. Any system consuming this metadata (browsers, CDNs, applications) may handle the file incorrectly based on the spoofed type.\n\n## Suggested Fix\n\nAlways detect MIME type from file content using `mimetype.DetectReader`, ignoring the client-provided `Content-Type` header entirely.",
   "severity": [
     {
-      "type": "CVSS_V3",
-      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:N/A:N"
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N"
     }
   ],
   "affected": [
@@ -40,23 +40,36 @@
       "type": "WEB",
       "url": "https://github.com/nhost/nhost/security/advisories/GHSA-g9f6-9775-hffm"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33221"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nhost/nhost/pull/4018"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/nhost/nhost/commit/c4bd53f042d7f568e567e18e2665af81660fce85"
     },
     {
       "type": "PACKAGE",
       "url": "https://github.com/nhost/nhost"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/nhost/nhost/releases/tag/storage@0.12.0"
     }
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-343",
       "CWE-345",
       "CWE-434"
     ],
     "severity": "LOW",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-18T20:21:37Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-20T23:16:46Z"
   }
 }