Date:      Tue, 24 Feb 2026 07:28:15 +0000
From:      Bernard Spil <brnrd@FreeBSD.org>
To:        ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
Subject:   git: dbdb672386ab - main - security/vuxml: Document Vaultwarden vulnerabilities
Message-ID:  <699d530f.470c7.15ab1fa5@gitrepo.freebsd.org>


The branch main has been updated by brnrd:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dbdb672386abb66e0b58028314dd10637198741d

commit dbdb672386abb66e0b58028314dd10637198741d
Author:     Bernard Spil <brnrd@FreeBSD.org>
AuthorDate: 2026-02-24 07:28:13 +0000
Commit:     Bernard Spil <brnrd@FreeBSD.org>
CommitDate: 2026-02-24 07:28:13 +0000

    security/vuxml: Document Vaultwarden vulnerabilities
---
 security/vuxml/vuln/2026.xml | 29 +++++++++++++++++++++++++++++
 1 file changed, 29 insertions(+)

diff --git a/security/vuxml/vuln/2026.xml b/security/vuxml/vuln/2026.xml
index 9d3a1d3c3276..8b7a629aa872 100644
--- a/security/vuxml/vuln/2026.xml
+++ b/security/vuxml/vuln/2026.xml
@@ -1,3 +1,32 @@
+  <vuln vid="4594110e-1151-11f1-b3f8-8447094a420f">
+    <topic>Vaultwarden -- Multiple vulnerabilities</topic>
+    <affects>
+      <package>
+	<name>vaultwarden</name>
+	<range><lt>1.35.4</lt></range>
+      </package>
+    </affects>
+    <description>
+	<body xmlns="http://www.w3.org/1999/xhtml">;
+	<p>The Vaultwarden project reports:</p>
+	<blockquote cite="https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4">;
+	  <ul>
+	    <li>GHSA-w9f8-m526-h7fh. This vulnerability would allow an attacker to access a cipher from a different user (fully encrypted) if they already know its internal UUID.</li>
+	    <li>GHSA-h4hq-rgvh-wh27. This vulnerability allows an attacker with manager-level access within an organization to modify collections they can access, even if they do not have management permissions for them.</li>
+	    <li>GHSA-r32r-j5jq-3w4m. This vulnerability allows an attacker with manager-level access within an organization to modify collections they are not assigned.</li>
+	  </ul>
+	</blockquote>
+	</body>
+    </description>
+    <references>
+      <url>https://github.com/dani-garcia/vaultwarden/releases/tag/1.35.4</url>;
+    </references>
+    <dates>
+      <discovery>2026-02-23</discovery>
+      <entry>2026-02-24</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="716d25a6-0fdc-11f1-bfdf-ff9355aecb00">
     <topic>openexr -- buffer overflow in istream_nonparallel_read on invalid input data</topic>
     <affects>
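
Review bot: A stray `;` follows the `<body xmlns="http://www.w3.org/1999/xhtml">` opening tag, the `<blockquote cite=...>` opening tag, and the `</url>` closing tag inside `<references>`. If those characters are in the committed file and not an artifact of how the archive renders the mail, they become literal text in the entry, and the one inside `<references>` sits where only child elements are expected, so they should be removed and the file re-validated. Separately, the description names three advisories (GHSA-w9f8-m526-h7fh, GHSA-h4hq-rgvh-wh27, GHSA-r32r-j5jq-3w4m) but `<references>` carries only the release-tag URL; adding one `<url>` per advisory would let readers of the entry reach each report directly.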

