Skip to content

GHSA-hgv7-v322-mmgr: add CVSS v3.1 score and fix commit reference#7817

Open
anandmt wants to merge 1 commit into
github:anandmt/advisory-improvement-7817from
anandmt:improve-ghsa-hgv7
Open

GHSA-hgv7-v322-mmgr: add CVSS v3.1 score and fix commit reference#7817
anandmt wants to merge 1 commit into
github:anandmt/advisory-improvement-7817from
anandmt:improve-ghsa-hgv7

Conversation

@anandmt
Copy link
Copy Markdown

@anandmt anandmt commented May 27, 2026

Reason for change

This advisory for the @sveltejs/kit query.batch cross-talk vulnerability (cross-user data disclosure) includes a CVSS v4.0 score but is missing a CVSS v3.1 score, which many downstream vulnerability scanners and compliance tools still require. It is also missing a reference to the fix commit.

Changes

  • Added CVSS v3.1 score: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:L/A:N (5.9 — Medium). Rationale: Network-accessible (AV:N), but requires rare timing conditions for exploitation (AC:H), low-privileged attacker (PR:L), and some user interaction (UI:R). High confidentiality impact due to cross-user data disclosure (C:H), low integrity impact (I:L), no availability impact (A:N).
  • Added fix commit reference: sveltejs/kit@dadaefc2e647 — "fix: prevent query.batch cross-talk", merged May 14, 2026.

Supporting evidence

@github-actions github-actions Bot changed the base branch from main to anandmt/advisory-improvement-7817 May 27, 2026 10:24
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@anandmt