google · jess-lowe · Mar 11, 2026 · Mar 12, 2026 · Mar 16, 2026 · Mar 16, 2026
diff --git a/vulnfeeds/cmd/combine-to-osv/__snapshots__/main_test.snap b/vulnfeeds/cmd/combine-to-osv/__snapshots__/main_test.snap
diff --git a/vulnfeeds/cmd/combine-to-osv/cve5/GitHub_M/CVE-2023-22466.json b/vulnfeeds/cmd/combine-to-osv/cve5/GitHub_M/CVE-2023-22466.json
@@ -0,0 +1,99 @@
+{
+  "affected": [
+    {
+      "ranges": [
+        {
+          "database_specific": {
+            "source": "AFFECTED_FIELD",
+            "versions": [
+              {
+                "introduced": "1.7.0"
+              },
+              {
+                "fixed": "1.18.4"
+              },
+              {
+                "introduced": "1.19.0"
+              },
+              {
+                "fixed": "1.20.3"
+              },
+              {
+                "introduced": "1.21.0"
+              },
+              {
+                "fixed": "1.23.1"
+              }
+            ]
+          },
+          "events": [
+            {
+              "introduced": "f64673580dfc649954eb744eb2734f2f118baa47"
+            },
+            {
+              "fixed": "9241c3eddf4a6a218681b088d71f7191513e2376"
+            },
+            {
+              "introduced": "674d77d4ef42bd99238521546b3b2cd60b26e50d"
+            },
+            {
+              "fixed": "ba81945ffc2695b71f2bbcadbfb5e46ec55aaef3"
+            },
+            {
+              "introduced": "50795e652ecb0747c8d048aeaa38a41dddb2da4b"
+            },
+            {
+              "fixed": "1a997ffbd62334af2553775234e75ede2d7d949f"
+            }
+          ],
+          "repo": "https://github.com/tokio-rs/tokio",
+          "type": "GIT"
+        }
+      ]
+    }
+  ],
+  "aliases": [
+    "GHSA-7rrj-xr53-82p7"
+  ],
+  "database_specific": {
+    "cna_assigner": "GitHub_M",
+    "cwe_ids": [
+      "CWE-665"
+    ],
+    "osv_generated_from": "unknown"
+  },
+  "details": "Tokio is a runtime for writing applications with Rust. Starting with version 1.7.0 and prior to versions 1.18.4, 1.20.3, and 1.23.1, when configuring a Windows named pipe server, setting `pipe_mode` will reset `reject_remote_clients` to `false`. If the application has previously configured `reject_remote_clients` to `true`, this effectively undoes the configuration. Remote clients may only access the named pipe if the named pipe's associated path is accessible via a publicly shared folder (SMB). Versions 1.23.1, 1.20.3, and 1.18.4 have been patched. The fix will also be present in all releases starting from version 1.24.0. Named pipes were introduced to Tokio in version 1.7.0, so releases older than 1.7.0 are not affected. As a workaround, ensure that `pipe_mode` is set first after initializing a `ServerOptions`.",
+  "id": "CVE-2023-22466",
+  "modified": "2025-03-10T21:32:32.950Z",
+  "published": "2023-01-04T21:47:09.400Z",
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/tokio-rs/tokio/pull/5336"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/tokio-rs/tokio/releases/tag/tokio-1.23.1"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/tokio-rs/tokio/security/advisories/GHSA-7rrj-xr53-82p7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://learn.microsoft.com/en-us/windows/win32/api/winbase/nf-winbase-createnamedpipea#pipe_reject_remote_clients"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-22466"
+    }
+  ],
+  "schema_version": "1.7.3",
+  "severity": [
+    {
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L",
+      "type": "CVSS_V3"
+    }
+  ],
+  "summary": "Tokio's reject_remote_clients configuration may get dropped when creating a Windows named pipe"
+}
diff --git a/vulnfeeds/cmd/combine-to-osv/cve5/GitHub_M/CVE-2026-23522.json b/vulnfeeds/cmd/combine-to-osv/cve5/GitHub_M/CVE-2026-23522.json
@@ -0,0 +1,70 @@
+{
+  "affected": [
+    {
+      "ranges": [
+        {
+          "database_specific": {
+            "source": "AFFECTED_FIELD",
+            "versions": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "2.0.0-next.193"
+              }
+            ]
+          },
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "eeda4f90af57368584fa97250cbb0d5bf0a5e16e"
+            }
+          ],
+          "repo": "https://github.com/lobehub/lobehub",
+          "type": "GIT"
+        }
+      ]
+    }
+  ],
+  "aliases": [
+    "GHSA-j7xp-4mg9-x28r"
+  ],
+  "database_specific": {
+    "cna_assigner": "GitHub_M",
+    "cwe_ids": [
+      "CWE-284",
+      "CWE-639",
+      "CWE-862",
+      "CWE-915"
+    ],
+    "osv_generated_from": "unknown"
+  },
+  "details": "LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID. While the vulnerability is confirmed, practical exploitation requires knowing target's KB ID and target's file ID. These IDs are random and not easily enumerable. However, IDs may leak through shared links, logs, referrer headers and so on. Missing authorization check is a critical security flaw regardless. Users should upgrade to version 2.0.0-next.193 to receive a patch.",
+  "id": "CVE-2026-23522",
+  "modified": "2026-01-20T21:35:39.441Z",
+  "published": "2026-01-19T16:53:32.371Z",
+  "references": [
+    {
+      "type": "FIX",
+      "url": "https://github.com/lobehub/lobe-chat/commit/2c1762b85acb84467ed5e799afe1499cd2f912e6"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/lobehub/lobe-chat/security/advisories/GHSA-j7xp-4mg9-x28r"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23522"
+    }
+  ],
+  "schema_version": "1.7.3",
+  "severity": [
+    {
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N",
+      "type": "CVSS_V3"
+    }
+  ],
+  "summary": "Lobe Chat has IDOR in Knowledge Base File Removal that Allows Cross User File Deletion"
+}
diff --git a/vulnfeeds/cmd/combine-to-osv/cve5/Gitea/CVE-2026-20912.json b/vulnfeeds/cmd/combine-to-osv/cve5/Gitea/CVE-2026-20912.json
@@ -0,0 +1,80 @@
+{
+  "affected": [
+    {
+      "ranges": [
+        {
+          "database_specific": {
+            "source": "AFFECTED_FIELD",
+            "versions": [
+              {
+                "introduced": "0"
+              },
+              {
+                "last_affected": "1.25.3"
+              }
+            ]
+          },
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "last_affected": "9a7cfd8620989d9de6dc4ca0c95d9fd42c1768ed"
+            }
+          ],
+          "repo": "https://github.com/go-gitea/gitea",
+          "type": "GIT"
+        }
+      ]
+    }
+  ],
+  "aliases": [
+    "GHSA-vfmv-f93v-37mw"
+  ],
+  "database_specific": {
+    "cna_assigner": "Gitea",
+    "cwe_ids": [
+      "CWE-284",
+      "CWE-639"
+    ],
+    "osv_generated_from": "unknown"
+  },
+  "details": "Gitea does not properly validate repository ownership when linking attachments to releases. An attachment uploaded to a private repository could potentially be linked to a release in a different public repository, making it accessible to unauthorized users.",
+  "id": "CVE-2026-20912",
+  "modified": "2026-01-23T21:53:41.649Z",
+  "published": "2026-01-22T22:01:52.026Z",
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://blog.gitea.com/release-of-1.25.4/"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/go-gitea/gitea/pull/36320"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/go-gitea/gitea/pull/36355"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/go-gitea/gitea/releases/tag/v1.25.4"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://github.com/go-gitea/gitea/security/advisories/GHSA-vfmv-f93v-37mw"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20912"
+    }
+  ],
+  "schema_version": "1.7.3",
+  "severity": [
+    {
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
+      "type": "CVSS_V3"
+    }
+  ],
+  "summary": "Gitea: Cross-Repository Authorization Bypass via Release Attachment Linking Leads to Private Attachment Disclosure"
+}
diff --git a/vulnfeeds/cmd/combine-to-osv/cve5/Google/CVE-2025-4565.json b/vulnfeeds/cmd/combine-to-osv/cve5/Google/CVE-2025-4565.json
@@ -0,0 +1,80 @@
+{
+  "affected": [
+    {
+      "ranges": [
+        {
+          "database_specific": {
+            "source": "AFFECTED_FIELD",
+            "versions": [
+              {
+                "introduced": "0"
+              },
+              {
+                "fixed": "4.25.8"
+              },
+              {
+                "fixed": "5.29.5"
+              },
+              {
+                "fixed": "6.31.1"
+              }
+            ]
+          },
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "a4cbdd3ed0042e8f9b9c30e8b0634096d9532809"
+            },
+            {
+              "fixed": "f5de0a0495faa63b4186fc767324f8b9a7bf4fc4"
+            },
+            {
+              "fixed": "74211c0dfc2777318ab53c2cd2c317a2ef9012de"
+            }
+          ],
+          "repo": "https://github.com/protocolbuffers/protobuf",
+          "type": "GIT"
+        }
+      ]
+    }
+  ],
+  "database_specific": {
+    "cna_assigner": "Google",
+    "cwe_ids": [
+      "CWE-674"
+    ],
+    "osv_generated_from": "unknown"
+  },
+  "details": "Any project that uses Protobuf Pure-Python backend to parse untrusted Protocol Buffers data containing an arbitrary number of recursive groups, recursive messages or a series of SGROUP tags can be corrupted by exceeding the Python recursion limit. This can result in a Denial of service by crashing the application with a RecursionError. We recommend upgrading to version =\u003e6.31.1 or beyond commit 17838beda2943d08b8a9d4df5b68f5f04f26d901",
+  "id": "CVE-2025-4565",
+  "modified": "2025-06-16T15:39:18.263Z",
+  "published": "2025-06-16T14:50:40.906Z",
+  "references": [
+    {
+      "type": "WEB",
+      "url": "https://github.com/protocolbuffers/protobuf/"
+    },
+    {
+      "type": "FIX",
+      "url": "https://github.com/protocolbuffers/protobuf/commit/17838beda2943d08b8a9d4df5b68f5f04f26d901"
+    },
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-4565"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://pypi.org/project/protobuf/"
+    }
+  ],
+  "schema_version": "1.7.3",
+  "severity": [
+    {
+      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
+      "type": "CVSS_V4"
+    }
+  ],
+  "summary": "Unbounded recursion in Python Protobuf"
+}