feat: add missing English vuln rules for crewai and lobehub#460
Open
NY1024 wants to merge 1 commit into
- crewai: CVE-2026-2275 (SandboxPython RCE), CVE-2026-2286 (SSRF), CVE-2026-2287 (Docker check bypass RCE)
- lobehub: CVE-2026-39411 (XOR auth bypass)

These components had Chinese vuln rules in data/vuln/ but were missing their English counterparts in data/vuln_en/.
Add the missing English vulnerability rule files to data/vuln_en/ to ensure the Chinese and English vulnerability databases remain synchronized.

Missing Files

A comparison between data/vuln/ and data/vuln_en/ revealed that the following components have Chinese vulnerability rules but lack corresponding English versions:

crewai (3 files)
- CVE-2026-2275.yaml: RCE caused by CodeInterpreterTool SandboxPython fallback
- CVE-2026-2286.yaml: SSRF vulnerability allowing access to internal networks and cloud metadata endpoints
- CVE-2026-2287.yaml: Docker runtime check bypass leading to RCE via insecure sandbox fallback

lobehub (1 file)
- CVE-2026-39411.yaml: Authentication bypass in the webapi layer due to trust in a client-controlled XOR obfuscation header

Description

These 4 components already have corresponding files in data/vuln/ (Chinese version) but were missing from data/vuln_en/ (English version). This PR adds the missing English versions, keeping the content consistent with the Chinese versions to ensure the integrity of the bilingual vulnerability databases.
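The directory comparison the PR description reports doing by hand, written as a repeatable check. This is an added example, not code from the PR or from the project; it assumes the layout data/vuln/<component>/<CVE-ID>.yaml mirrored under data/vuln_en/ (implied by the component and file counts above, but not stated), and it builds a constructed temporary tree reproducing the pre-PR state as its sample input. The same function reports drift in both directions, so it can also catch an English rule added without its Chinese counterpart.

```python
import tempfile
from pathlib import Path


def rule_files(root):
    """Map each component directory under `root` to the set of *.yaml rule
    file names it contains. A missing tree yields an empty map rather than
    an exception, so a freshly created language directory is still comparable."""
    root = Path(root)
    if not root.is_dir():
        return {}
    return {
        comp.name: {f.name for f in comp.glob("*.yaml")}
        for comp in sorted(p for p in root.iterdir() if p.is_dir())
    }


def find_unsynced(vuln_dir, vuln_en_dir):
    """Compare the Chinese (vuln_dir) and English (vuln_en_dir) rule trees.

    Returns {component: {"missing_en": [...], "missing_zh": [...]}} for every
    component whose two rule sets differ, including components that exist in
    only one tree. An empty dict means the databases are in sync."""
    zh = rule_files(vuln_dir)
    en = rule_files(vuln_en_dir)
    report = {}
    for comp in sorted(set(zh) | set(en)):
        zh_files = zh.get(comp, set())
        en_files = en.get(comp, set())
        missing_en = sorted(zh_files - en_files)  # Chinese rule, no English file
        missing_zh = sorted(en_files - zh_files)  # English rule, no Chinese file
        if missing_en or missing_zh:
            report[comp] = {"missing_en": missing_en, "missing_zh": missing_zh}
    return report


def build_sample_tree():
    """Constructed sample repository (assumed layout) reproducing the state this
    PR fixes: the crewai and lobehub rules exist only under data/vuln/, while
    data/vuln_en/ exists but holds no rules for them. Returns (data_dir, tmp)."""
    tmp = tempfile.TemporaryDirectory()
    data = Path(tmp.name) / "data"
    zh_rules = {
        "crewai": ["CVE-2026-2275.yaml", "CVE-2026-2286.yaml", "CVE-2026-2287.yaml"],
        "lobehub": ["CVE-2026-39411.yaml"],
    }
    for comp, files in zh_rules.items():
        d = data / "vuln" / comp
        d.mkdir(parents=True)
        for name in files:
            # Placeholder body: the real rule schema is not shown on this page.
            (d / name).write_text("id: %s\n" % name[: -len(".yaml")])
    (data / "vuln_en").mkdir(parents=True)
    return data, tmp


def sample_report():
    """Run the check over the constructed tree and return the drift report."""
    data, tmp = build_sample_tree()
    try:
        return find_unsynced(data / "vuln", data / "vuln_en")
    finally:
        tmp.cleanup()


if __name__ == "__main__":
    report = sample_report()
    for comp, diff in report.items():
        for name in diff["missing_en"]:
            print(f"{comp}: {name} present in data/vuln/ but missing from data/vuln_en/")
        for name in diff["missing_zh"]:
            print(f"{comp}: {name} present in data/vuln_en/ but missing from data/vuln/")
    raise SystemExit(1 if report else 0)
```

Run against a real checkout by replacing the constructed tree with the repository's own data/vuln and data/vuln_en paths; the non-zero exit status makes it usable as a CI gate so a rule cannot land in one language without the other.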