Update OSV rules (2026-05-08 18:07 UTC)

github-actions[bot] · github-actions[bot] · commit e23c551b4828 · 2026-05-08T18:07:45.000Z
diff --git a/.github/badges/last-updated.json b/.github/badges/last-updated.json
@@ -1 +1 @@
-{"schemaVersion":1,"label":"last updated","message":"2026-05-08 17:07 UTC","color":"green"}
+{"schemaVersion":1,"label":"last updated","message":"2026-05-08 18:07 UTC","color":"green"}
diff --git a/.github/badges/npm.json b/.github/badges/npm.json
@@ -1 +1 @@
-{"schemaVersion":1,"label":"rules","message":"217744","color":"blue"}
+{"schemaVersion":1,"label":"rules","message":"217749","color":"blue"}
diff --git a/.github/badges/pypi.json b/.github/badges/pypi.json
@@ -1 +1 @@
-{"schemaVersion":1,"label":"rules","message":"16098","color":"blue"}
+{"schemaVersion":1,"label":"rules","message":"16099","color":"blue"}
diff --git a/rulesets/npm/all.yaml b/rulesets/npm/all.yaml
@@ -1,7 +1,7 @@
 id: osv-npm
 title: OSV vulnerabilities for npm
 description: Auto-generated by osv-rulegen 0.3.0 from https://osv.dev data dump for the npm ecosystem.
-date: "2026-05-08T17:07:34Z"
+date: "2026-05-08T18:07:27Z"
 rules:
   - id: GHSA-2234-fmw7-43wr
     aliases:
@@ -9179,6 +9179,14 @@ rules:
         version: vers:npm/>=0.3.0|<=0.11.0
     severity: 6.5
     reason: files.photo.gallery command injection
+  - id: GHSA-5wm8-gmm8-39j9
+    aliases:
+      - CVE-2026-44665
+    match:
+      - purl: pkg:npm/fast-xml-builder
+        version: vers:npm/<1.1.7
+    severity: 8.7
+    reason: fast-xml-builder allows attribute values with unwanted quotes to bypass malicious or unwanted attributes
   - id: GHSA-5wmg-9cvh-qw25
     aliases:
       - CVE-2024-51752
@@ -14946,6 +14954,12 @@ rules:
         version: vers:npm/<=3.0.0
     severity: 8.9
     reason: Prototype Pollution Vulnerability in parse-git-config
+  - id: GHSA-8g7g-hmwm-6rv2
+    match:
+      - purl: pkg:npm/n8n-mcp
+        version: vers:npm/<2.50.1
+    severity: 8.3
+    reason: n8n-mcp affected by path traversal, redirect-following SSRF, and telemetry payload exposure
   - id: GHSA-8g7p-74h8-hg48
     aliases:
       - CVE-2018-3739
@@ -19887,6 +19901,14 @@ rules:
         version: vers:npm/>=0.4.0|<0.5.3
     severity: 7.5
     reason: Fastly Compute@Edge JS Runtime has fixed random number seed during compilation
+  - id: GHSA-cmrh-wvq6-wm9r
+    aliases:
+      - CVE-2026-44694
+    match:
+      - purl: pkg:npm/n8n-mcp
+        version: vers:npm/>=2.18.7|<2.50.2
+    severity: 7.2
+    reason: n8n-mcp webhook and API client paths has an authenticated SSRF
   - id: GHSA-cp47-r258-q626
     match:
       - purl: pkg:npm/vega
@@ -23696,6 +23718,14 @@ rules:
         version: vers:npm/<1.3.0
     severity: 9.6
     reason: Cross-site Scripting (XSS) in Eclipse Theia
+  - id: GHSA-gcmm-c94j-j47x
+    aliases:
+      - CVE-2026-7738
+    match:
+      - purl: pkg:npm/%40puchunjie/doc-tools-mcp
+        version: vers:npm/<=1.0.18
+    severity: 2.1
+    reason: '@puchunjie/doc-tools-mcp has a Path Traversal Issue'
   - id: GHSA-gcv8-gh4r-25x6
     aliases:
       - CVE-2022-0613
@@ -35646,6 +35676,14 @@ rules:
         version: vers:npm/<2026.3.28
     severity: 2.3
     reason: OpenClaw affected by SSRF via unguarded image download in fal provider
+  - id: GHSA-qxhc-wx3p-2wmg
+    aliases:
+      - CVE-2026-7768
+    match:
+      - purl: pkg:npm/%40fastify/accepts-serializer
+        version: vers:npm/<6.0.4
+    severity: 7.5
+    reason: '@fastify/accepts-serializer Vulnerable to Denial of Service via Unbounded Accept Header Cache Growth'
   - id: GHSA-qxrj-hx23-xp82
     aliases:
       - CVE-2023-49803
@@ -1154409,6 +1154447,7 @@ rules:
   - id: MAL-2026-3397
     match:
       - purl: pkg:npm/tecken@0.1.2
+      - purl: pkg:npm/tecken@0.1.13
     severity: 10
     reason: Malicious code in tecken (npm)
   - id: MAL-2026-34
diff --git a/rulesets/nuget/all.yaml b/rulesets/nuget/all.yaml
@@ -1,7 +1,7 @@
 id: osv-nuget
 title: OSV vulnerabilities for NuGet
 description: Auto-generated by osv-rulegen 0.3.0 from https://osv.dev data dump for the NuGet ecosystem.
-date: "2026-05-08T17:07:29Z"
+date: "2026-05-08T18:07:15Z"
 rules:
   - id: GHSA-223g-8w3x-98wr
     aliases:
diff --git a/rulesets/pypi/all.yaml b/rulesets/pypi/all.yaml
@@ -1,7 +1,7 @@
 id: osv-pypi
 title: OSV vulnerabilities for PyPI
 description: Auto-generated by osv-rulegen 0.3.0 from https://osv.dev data dump for the PyPI ecosystem.
-date: "2026-05-08T17:07:30Z"
+date: "2026-05-08T18:07:23Z"
 rules:
   - id: GHSA-227r-w5j2-6243
     aliases:
@@ -34248,6 +34248,12 @@ rules:
         version: vers:pypi/<1.0.2
     severity: 5.5
     reason: Matrix Sydent mishandles emails
+  - id: GHSA-q9m2-fhv9-3jcf
+    match:
+      - purl: pkg:pypi/potato-annotation
+        version: vers:pypi/>=2.0.0|<2.4.5
+    severity: 5.1
+    reason: '`potato-annotation` has a Project-Boundary Bypass'
   - id: GHSA-q9pw-vmhh-384g
     aliases:
       - CVE-2026-44335

Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"schemaVersion":1,"label":"last updated","message":"2026-05-08 17:07 UTC","color":"green"}`
	`1`	`+{"schemaVersion":1,"label":"last updated","message":"2026-05-08 18:07 UTC","color":"green"}`
Original file line number	Diff line number	Diff line change
`@@ -1 +1 @@`
`1`		`-{"schemaVersion":1,"label":"rules","message":"217744","color":"blue"}`
	`1`	`+{"schemaVersion":1,"label":"rules","message":"217749","color":"blue"}`