Skip to content

Public repository advisory with CVE not propagated to GHSA (CVE-2026-13149) #8634

Description

@sealbenb

A vulnerability I reported has been made public as a repo-advisory GHSA-3jxr-9vmj-r5cp.
However, it is not available in the global GHSA despite having a CVE and being public on other lists.

Seems like osv.dev relies on GHSA for package attribution (google/osv.dev#4490 (comment)) and in this example the package has a TYPE value of git, so most scanners won't pick it up

Do repo-advisories enter a review queue for the global GHSA automatically? Do reporters/maintainers need to do something for that to happen?

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions