From 6dde160d6ec6f7cc23d57c32bd904c19429a6833 Mon Sep 17 00:00:00 2001
From: Al Snow <43523+jasnow@users.noreply.github.com>
Date: Sun, 17 May 2026 12:34:50 -0400
Subject: [PATCH] GHSA/SYNC: 3 new advisories

---
 gems/katalyst-koi/CVE-2026-44511.yml | 47 ++++++++++++++++++++++++++++
 gems/sidekiq-cron/CVE-2025-67202.yml | 23 ++++++++++++++
 gems/yard/CVE-2026-41493.yml | 42 +++++++++++++++++++++++++
 3 files changed, 112 insertions(+)
 create mode 100644 gems/katalyst-koi/CVE-2026-44511.yml
 create mode 100644 gems/sidekiq-cron/CVE-2025-67202.yml
 create mode 100644 gems/yard/CVE-2026-41493.yml

diff --git a/gems/katalyst-koi/CVE-2026-44511.yml b/gems/katalyst-koi/CVE-2026-44511.yml
new file mode 100644
index 0000000000..f8fdab0da6
--- /dev/null
+++ b/gems/katalyst-koi/CVE-2026-44511.yml
@@ -0,0 +1,47 @@
+---
+gem: katalyst-koi
+cve: 2026-44511
+ghsa: 4cx3-3c38-j9vv
+url: https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv
+title: Session cookies can be replayed after user logout
+date: 2026-05-07
+description: |
+ ### Impact
+
+ Admin session cookies were not invalidated when an admin user logged
+ out. An attacker with access to a valid admin session cookie could
+ continue to access admin functionality after logout, until the
+ cookie expired or session secrets were rotated.
+
+ This affects applications using Koi admin authentication where an
+ admin session cookie may have been exposed, cached, intercepted, or
+ otherwise retained after logout.
+
+ ### Patches
+
+ The issue has been patched by recording admin logout time and
+ rejecting any admin session cookie created before the user’s
+ most recent logout.
+
+ Users should upgrade to the patched Koi releases once available.
+
+ ### Workarounds
+
+ Katalyst Koi recommends upgrading to the latest available version,
+ or back porting the changes released in 5.6.0/4.20.0
+
+ ### Resources
+
+ This is an application of https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions .
+cvss_v3: 7.4
+patched_versions:
+ - "~> 4.20.0"
+ - ">= 5.6.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-44511
+ - https://github.com/katalyst/koi/commit/606b33c140a61b1a2b37878ca7504741ec68df33
+ - https://github.com/katalyst/koi/commit/fdbfb404a9500f7fed33e03ab2eb7c2578f9652c
+ - https://github.com/katalyst/koi/security/advisories/GHSA-4cx3-3c38-j9vv
+ - https://guides.rubyonrails.org/v5.2.0/security.html#replay-attacks-for-cookiestore-sessions
+ - https://github.com/advisories/GHSA-4cx3-3c38-j9vv
diff --git a/gems/sidekiq-cron/CVE-2025-67202.yml b/gems/sidekiq-cron/CVE-2025-67202.yml
new file mode 100644
index 0000000000..4c8854d329
--- /dev/null
+++ b/gems/sidekiq-cron/CVE-2025-67202.yml
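Review bot: The Patches paragraph in the description says `Users should upgrade to the patched Koi releases once available.`, which reads as if no fix has shipped, while `patched_versions` lists `"~> 4.20.0"` and `">= 5.6.0"` and the Workarounds paragraph names those same releases. If the description is meant to mirror the upstream advisory verbatim, leave it; otherwise `Users should upgrade to Koi 4.20.0 or 5.6.0.` removes the contradiction for anyone triaging from this file alone. The stray space before the full stop in the Resources line (`...cookiestore-sessions .`) can be dropped at the same time.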
@@ -0,0 +1,23 @@
+---
+gem: sidekiq-cron
+cve: 2025-67202
+ghsa: xv9c-mjw8-79gf
+url: https://github.com/advisories/GHSA-xv9c-mjw8-79gf
+title: Sidekiq-cron is vulnerable to a cross-site scripting (xss)
+ vulnerability via crafted URL
+date: 2026-05-07
+description: |
+ Sidekiq-cron thru 2.3.1, an open-source scheduling add-on for Sidekiq,
+ is vulnerable to a cross-site scripting (xss) vulnerability via
+ crafted URL being rended from cron.erb.
+cvss_v3: 6.1
+patched_versions:
+ - ">= 2.4.0"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2025-67202
+ - https://github.com/sidekiq-cron/sidekiq-cron/releases/tag/v2.4.0
+ - https://github.com/sidekiq-cron/sidekiq-cron/pull/568
+ - https://github.com/sidekiq-cron/sidekiq-cron/commit/7b4ae4822f93ef4646f5cb55500ca4e25662db7c
+ - https://github.com/sidekiq-cron/sidekiq-cron/issues/569
+ - https://github.com/advisories/GHSA-xv9c-mjw8-79gf
diff --git a/gems/yard/CVE-2026-41493.yml b/gems/yard/CVE-2026-41493.yml
new file mode 100644
index 0000000000..e22a42d015
--- /dev/null
+++ b/gems/yard/CVE-2026-41493.yml
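Review bot: The `title` value is a plain scalar continued onto a second line, which the parser folds into one string with a single space; that works, but a bare continuation line under a key is easy to misread as a separate entry. Writing it as a folded block scalar, `title: >-` followed by the two indented lines, yields the identical string and makes the continuation explicit. The description also has a typo, `rended` for `rendered`, so the last line would read `crafted URL being rendered from cron.erb.` (and `thru` could be `through` if the text is not meant to stay verbatim from the upstream record).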
@@ -0,0 +1,42 @@
+---
+gem: yard
+cve: 2026-41493
+ghsa: 3jfp-46x4-xgfj
+url: https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
+title: Possible arbitrary path traversal and file access via yard server
+date: 2026-04-17
+description: |
+ ### Impact
+
+ A path traversal vulnerability was discovered in YARD <= 0.9.41 when
+ using yard server to serve documentation. This bug would allow
+ unsanitized HTTP requests to access arbitrary files on the machine
+ of a yard server host under certain conditions.
+
+ The original patch in [GHSA-xfhh-rx56-rxcr](https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr)
+ was incorrectly applied.
+
+ ### Patches
+
+ Please upgrade to YARD v0.9.42 immediately if you are relying on
+ yard server to host documentation in any untrusted environments
+ without WEBrick and rely on `--docroot`.
+
+ ### Workarounds
+
+ For users who cannot upgrade, it is possible to perform path
+ sanitization of HTTP requests at your webserver level. WEBrick,
+ for example, can perform such sanitization by default (which
+ you can use via yard server -s webrick), as can certain rules
+ in your webserver configuration.
+cvss_v3: 7.5
+cvss_v4: 6.9
+patched_versions:
+ - ">= 0.9.42"
+related:
+ url:
+ - https://nvd.nist.gov/vuln/detail/CVE-2026-41493
+ - https://github.com/lsegal/yard/releases/tag/v0.9.42
+ - https://github.com/lsegal/yard/security/advisories/GHSA-3jfp-46x4-xgfj
+ - https://github.com/lsegal/yard/security/advisories/GHSA-xfhh-rx56-rxcr
+ - https://github.com/advisories/GHSA-3jfp-46x4-xgfj
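Review bot: The Impact paragraph says arbitrary file access is possible "under certain conditions" without naming them, while the Patches paragraph appears to name them (running `yard server` without WEBrick and relying on `--docroot`); if that reading is right, stating the condition in Impact would let readers decide from this record alone whether their deployment is exposed, since the Workarounds paragraph's advice (`yard server -s webrick`) only makes sense once the condition is understood. The Patches sentence itself is hard to parse, `... in any untrusted environments without WEBrick and rely on `--docroot`.`; something like `... in an untrusted environment with a server other than WEBrick and with --docroot.` keeps the same facts, assuming that is the intended meaning. The note that the earlier fix in GHSA-xfhh-rx56-rxcr "was incorrectly applied" is the key triage fact here and is worth keeping prominent, since readers who already upgraded for the earlier advisory may otherwise assume they are covered.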