[GHSA-5hr4-253g-cpx2] web3.py: SSRF via CCIP Read (EIP-3668) OffchainLookup URL handling#7346
Conversation
|
Hi there @fselmo! A community member has suggested an improvement to your security advisory. If approved, this change will affect the global advisory listed at github.com/advisories. It will not affect the version listed in your project repository. This change will be reviewed by our Security Curation Team. If you have thoughts or feedback, please share them in a comment here! If this PR has already been closed, you can start a new community contribution for this advisory |
github-actions
Bot
changed the base branch from
main
to
Nadav0077/advisory-improvement-7346
|
I didn’t intend to change the advisory content materially. I only made a minimal edit (added a '.' in the description) so I could surface the issue: the repository advisory shows CVE-2026-40072, while the public advisory database page still says “No known CVE.” I’m mainly trying to confirm whether the CVE publication/sync is stuck. |
advisory-database
Bot
merged commit 49698ce
into
Nadav0077/advisory-improvement-7346
|
Hi @Nadav0077! Thank you so much for contributing to the GitHub Advisory Database. This database is free, open, and accessible to all, and it's people like you who make it great. Thanks for choosing to help others. We hope you send in more contributions in the future! |
|
Hi @Nadav0077, GHSA-5hr4-253g-cpx2 should correctly show CVE-2026-40072 now. |
3 participants
Updates
Comments
Hi, I noticed the repository advisory for GHSA-5hr4-253g-cpx2 shows CVE-2026-40072, but the public GitHub Advisory Database page for the same GHSA still says “No known CVE.” Could you please check whether the CVE sync/publication is stuck?