Skip to content

feat: add missing English vuln rules for crewai and lobehub#460

Open
NY1024 wants to merge 2 commits into
Tencent:mainfrom
NY1024:add-vuln-en-translations
Open

feat: add missing English vuln rules for crewai and lobehub#460
NY1024 wants to merge 2 commits into
Tencent:mainfrom
NY1024:add-vuln-en-translations

Conversation

@NY1024

@NY1024 NY1024 commented Jul 3, 2026

Copy link
Copy Markdown
Contributor

Add the missing English vulnerability rule files to data/vuln_en/ to ensure the Chinese and English vulnerability databases remain synchronized.

Missing Files

A comparison between data/vuln/ and data/vuln_en/ revealed that the following components have Chinese vulnerability rules but lack corresponding English versions:

crewai (3 files)

  • CVE-2026-2275.yaml: RCE caused by CodeInterpreterTool SandboxPython fallback
  • CVE-2026-2286.yaml: SSRF vulnerability allowing access to internal networks and cloud metadata endpoints
  • CVE-2026-2287.yaml: Docker runtime check bypass leading to RCE via insecure sandbox fallback

lobehub (1 file)

  • CVE-2026-39411.yaml: Authentication bypass in the webapi layer due to trust in a client-controlled XOR obfuscation header

Description

These 4 components already have corresponding files in data/vuln/ (Chinese version) but were missing from data/vuln_en/ (English version).
This PR adds the missing English versions, keeping the content consistent with the Chinese versions to ensure the integrity of the bilingual vulnerability databases.

- crewai: CVE-2026-2275 (SandboxPython RCE), CVE-2026-2286 (SSRF), CVE-2026-2287 (Docker check bypass RCE)
- lobehub: CVE-2026-39411 (XOR auth bypass)

These components had Chinese vuln rules in data/vuln/ but were missing
their English counterparts in data/vuln_en/.
@boy-hack

boy-hack commented Jul 6, 2026

Copy link
Copy Markdown
Collaborator

Code Review: feat: add missing English vuln rules for crewai and lobehub

Context

This PR fills the gap between data/vuln/ (CN) and data/vuln_en/ (EN) for crewai and lobehub components. Good catch.

✅ Strengths

  • Adds 4 missing EN files to maintain bilingual database parity
  • CVSS scores and severity levels match the CN counterparts
  • Rule syntax is correct

Review Notes

  1. crewai CVE-2026-2275 (CodeInterpreterTool SandboxPython RCE): High severity — confirm the rule: version range aligns with the upstream crewai fix version.
  2. crewai CVE-2026-2286 (SSRF): Verify CVSS score 7.5 HIGH is consistent with CN version.
  3. crewai CVE-2026-2287: Check if this is correctly categorized.
  4. lobehub CVE-2026-39411: Confirm lobe-chat version range for the fix.

🟢 Verdict

LGTM. Simple bilingual sync — adds EN versions of already-reviewed CN rules. Low risk, high value for English-speaking users.
Waiting for @pythoncheng or @boy-hack to merge.

The EN version had C:C (Confidentiality: Complete) but the official
GHSA-5mwj-v5jw-5c97 advisory and the CN version both use C:L
(Confidentiality: Low). Fixed to match the upstream CVSS vector.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants