{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-05-05T10:32:25.843","vulnerabilities":[{"cve":{"id":"CVE-2026-22253","sourceIdentifier":"security-advisories@github.com","published":"2026-01-08T19:15:59.950","lastModified":"2026-02-02T17:09:22.447","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"Soft Serve is a self-hostable Git server for the command line. Prior to version 0.11.2, an authorization bypass in the LFS lock deletion endpoint allows any authenticated user with repository write access to delete locks owned by other users by setting the force flag. The vulnerable code path processes force deletions before retrieving user context, bypassing ownership validation entirely. This issue has been patched in version 0.11.2."},{"lang":"es","value":"Soft Serve es un servidor Git autoalojable para la línea de comandos. Antes de la versión 0.11.2, una omisión de autorización en el endpoint de eliminación de bloqueos LFS permite a cualquier usuario autenticado con acceso de escritura al repositorio eliminar bloqueos propiedad de otros usuarios al establecer la bandera de forzado. La ruta de código vulnerable procesa las eliminaciones forzadas antes de recuperar el contexto del usuario, omitiendo completamente la validación de propiedad. Este problema ha sido parcheado en la versión 0.11.2."}],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5},{"source":"nvd@nist.gov","type":"Primary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L","baseScore":5.4,"baseSeverity":"MEDIUM","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"NONE","integrityImpact":"LOW","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":2.5}]},"weaknesses":[{"source":"security-advisories@github.com","type":"Primary","description":[{"lang":"en","value":"CWE-863"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:charm:soft_serve:*:*:*:*:*:go:*:*","versionEndExcluding":"0.11.2","matchCriteriaId":"4E11AA52-59BD-42E8-AF0F-EF9490942F6C"}]}]}],"references":[{"url":"https://github.com/charmbracelet/soft-serve/commit/000ab5164f0be68cf1ea6b6e7227f11c0e388a42","source":"security-advisories@github.com","tags":["Patch"]},{"url":"https://github.com/charmbracelet/soft-serve/security/advisories/GHSA-6jm8-x3g6-r33j","source":"security-advisories@github.com","tags":["Exploit","Vendor Advisory"]}]}}]}