Publish Advisories

GHSA-fj3w-jwp8-x2g3
GHSA-6865-qjcf-286f
GHSA-xpqw-6gx7-v673

Author: advisory-database[bot]

advisories/github-reviewed/2026/02/GHSA-fj3w-jwp8-x2g3/GHSA-fj3w-jwp8-x2g3.json

@@ -1,13 +1,13 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-fj3w-jwp8-x2g3",
-  "modified": "2026-03-02T15:10:03Z",
+  "modified": "2026-03-06T22:00:11Z",
   "published": "2026-02-26T22:33:10Z",
   "aliases": [
     "CVE-2026-27942"
   ],
   "summary": "fast-xml-parser has stack overflow in XMLBuilder with preserveOrder",
-  "details": "### Impact\nApplication crashes with stack overflow when user use XML builder with `prserveOrder:true` for following or similar input:\n\n```\n[{\n    'foo': [\n        { 'bar': [{ '@_V': 'baz' }] }\n    ]\n}]\n```\n\nCause: `arrToStr` was not validating if the input is an array or a string and treating all non-array values as text content.\n_What kind of vulnerability is it? Who is impacted?_\n\n### Patches\nYes, in 5.3.8 and 4.5.4.\n\n### Workarounds\nUse XML builder with `preserveOrder:false` or check the input data before passing to builder.",
+  "details": "### Impact\nApplication crashes with stack overflow when user use XML builder with `prserveOrder:true` for following or similar input \n\n```\n[{\n    'foo': [\n        { 'bar': [{ '@_V': 'baz' }] }\n    ]\n}]\n```\n\nCause: `arrToStr` was not validating if the input is an array or a string and treating all non-array values as text content.\n_What kind of vulnerability is it? Who is impacted?_\n\n### Patches\nYes in 5.3.8\n\n### Workarounds\nUse XML builder with `preserveOrder:false` or check the input data before passing to builder.\n\n### References\n[_Are there any links users can visit to find out more?_](https://github.com/NaturalIntelligence/fast-xml-parser/pull/791)",
   "severity": [
     {
       "type": "CVSS_V4",
@@ -44,7 +44,7 @@
           "type": "ECOSYSTEM",
           "events": [
             {
-              "introduced": "0"
+              "introduced": "4.0.0-beta.0"
             },
             {
               "fixed": "4.5.4"

advisories/github-reviewed/2026/03/GHSA-6865-qjcf-286f/GHSA-6865-qjcf-286f.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6865-qjcf-286f",
-  "modified": "2026-03-04T21:45:10Z",
+  "modified": "2026-03-06T21:58:04Z",
   "published": "2026-03-04T21:45:10Z",
   "aliases": [
     "CVE-2026-29183"
@@ -40,6 +40,10 @@
       "type": "WEB",
       "url": "https://github.com/siyuan-note/siyuan/security/advisories/GHSA-6865-qjcf-286f"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29183"
+    },
     {
       "type": "WEB",
       "url": "https://github.com/siyuan-note/siyuan/commit/d68bd5a79391742b3cb2e14d892bdd9997064927"
@@ -56,6 +60,6 @@
     "severity": "CRITICAL",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-04T21:45:10Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-06T08:16:27Z"
   }
 }

advisories/github-reviewed/2026/03/GHSA-xpqw-6gx7-v673/GHSA-xpqw-6gx7-v673.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-xpqw-6gx7-v673",
-  "modified": "2026-03-04T22:59:28Z",
+  "modified": "2026-03-06T21:58:08Z",
   "published": "2026-03-04T22:59:28Z",
   "aliases": [
     "CVE-2026-29074"
@@ -81,6 +81,10 @@
       "type": "WEB",
       "url": "https://github.com/svg/svgo/security/advisories/GHSA-xpqw-6gx7-v673"
     },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29074"
+    },
     {
       "type": "PACKAGE",
       "url": "https://github.com/svg/svgo"
@@ -93,6 +97,6 @@
     "severity": "HIGH",
     "github_reviewed": true,
     "github_reviewed_at": "2026-03-04T22:59:28Z",
-    "nvd_published_at": null
+    "nvd_published_at": "2026-03-06T08:16:26Z"
   }
 }