[GHSA-f38f-5xpm-9r7c] Add missing reporter credit #7172

Closed
SnailSploit wants to merge 1 commit into github:SnailSploit/advisory-improvement-7172 from SnailSploit:fix/GHSA-f38f-5xpm-9r7c-add-credits

@SnailSploit

Summary

The repository security advisory (GHSA-f38f-5xpm-9r7c) correctly credits @SnailSploit as the reporter of CVE-2026-31899 (CairoSVG exponential DoS via recursive <use> element amplification).

However, the published CVE record on cve.org does not include researcher credit.

This PR adds the missing credits array to the advisory JSON so that attribution propagates to the CVE record and downstream databases (NVD, cve.org, etc.).

Evidence

  • GHSA credits section: Lists @SnailSploit as Reporter — link
  • Advisory body: Explicitly states "Credit: Kai Aizen (SnailSploit) — Adversarial AI & Security Research"
  • CVE record: No credit listed — link

Change

Added credits array with type: FINDER per OSV schema.

The repository security advisory correctly credits @SnailSploit as Reporter,
but the CVE record does not include the credits field.
github-actions bot changed the base branch from main to SnailSploit/advisory-improvement-7172 on March 15, 2026 04:49