GHSA SYNC: Added cvss_v3 field/value to 4 existing advisories (#1043)

jasnow · web-flow · commit 6177cf507836 · 2026-05-19T03:30:26.000-04:00
* GHSA SYNC: Added cvss_v3 field/value to 4 existing advisories * Add CVSS v4 score and related URLs for CVE-2026-33658 * Update CVE-2026-23891.yml with CVSS v4 and URL Added CVSS v4 score and related URL for CVE-2026-23891. * Update CVE-2025-61594.yml with CVSS v4 and URL Added CVSS v4 score and related URL for CVE-2025-61594. * Update CVE-2025-61594 URL to GitHub advisory
diff --git a/gems/activestorage/CVE-2026-33658.yml b/gems/activestorage/CVE-2026-33658.yml
@@ -14,12 +14,15 @@ description: |
   ranges in an HTTP Range header. A request with thousands of small
   ranges causes disproportionate CPU usage compared to a normal
   request for the same file, possibly resulting in a DoS vulnerability.
+cvss_v3: 6.5
+cvss_v4: 2.3
 patched_versions:
   - "~> 7.2.3, >= 7.2.3.1"
   - "~> 8.0.4, >= 8.0.4.1"
   - ">= 8.1.2.1"
 related:
   url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-33658
     - https://discuss.rubyonrails.org/t/cve-2026-33658-possible-dos-vulnerability-in-active-storage-proxy-mode-via-multi-range-requests/90906
     - https://rubyonrails.org/2026/3/23/Rails-Versions-7-2-3-1-8-0-4-1-and-8-1-2-1-have-been-released
     - https://github.com/rails/rails/commit/85ec5b1e00d3197d8c69a5e622e1b398a1b10b06.patch
diff --git a/gems/camaleon_cms/CVE-2026-1776.yml b/gems/camaleon_cms/CVE-2026-1776.yml
@@ -20,6 +20,7 @@ description: |
   access sensitive files such as /etc/passwd. This issue represents a
   bypass of the incomplete fix for CVE-2024-46987 and affects
   deployments using the AWS S3 storage backend.
+cvss_v3: 6.5
 cvss_v4: 6.0
 unaffected_versions:
   - "< 2.4.5.0"
diff --git a/gems/decidim-core/CVE-2026-23891.yml b/gems/decidim-core/CVE-2026-23891.yml
@@ -31,11 +31,14 @@ description: |
   [octree](https://octree.ch/) and made by
   [Secu Labs](https://seculabs.ch/) against Decidim financed
   by the city of Lausanne (Switzerland).
+cvss_v3: 8.7
+cvss_v4: 9.3
 patched_versions:
   - "~> 0.30.5"
   - ">= 0.31.1"
 related:
   url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2026-23891
     - https://github.com/decidim/decidim/releases/tag/v0.31.1
     - https://github.com/decidim/decidim/releases/tag/v0.30.5
     - https://github.com/decidim/decidim/security/advisories/GHSA-fc46-r95f-hq7g
diff --git a/gems/uri/CVE-2025-61594.yml b/gems/uri/CVE-2025-61594.yml
@@ -2,7 +2,7 @@
 gem: uri
 cve: 2025-61594
 ghsa: j4pr-3wm6-xx2r
-url: https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594
+url: https://github.com/advisories/GHSA-j4pr-3wm6-xx2r
 title: CVE-2025-61594 - URI Credential Leakage Bypass over CVE-2025-27221
 date: 2025-10-07
 description: |
@@ -29,14 +29,18 @@ description: |
 
   Thanks to junfuchong (chongfujun) for discovering this issue.
   Also thanks to nobu for additional fixes of this vulnerability.
+cvss_v3: 7.5
+cvss_v4: 2.1
 patched_versions:
   - "~> 0.12.5"
   - "~> 0.13.3"
   - ">= 1.0.4"
 related:
   url:
+    - https://nvd.nist.gov/vuln/detail/CVE-2025-61594
     - https://www.ruby-lang.org/en/news/2025/10/07/uri-cve-2025-61594
     - https://rubygems.org/gems/uri/versions/1.0.4
     - https://rubygems.org/gems/uri/versions/0.13.3
     - https://rubygems.org/gems/uri/versions/0.12.5
     - https://github.com/ruby/uri
+    - https://github.com/advisories/GHSA-j4pr-3wm6-xx2r
