From 102fc6d2762abd3bb1a22d34c5bb7c08ca102ba2 Mon Sep 17 00:00:00 2001
From: sampion88
Date: Wed, 4 Mar 2026 14:25:27 +0100
Subject: [PATCH 1/3] new vulnerability in node-catbox
---
 input/new.json | 33 +++++++++++++++++++++------------
 1 file changed, 21 insertions(+), 12 deletions(-)
diff --git a/input/new.json b/input/new.json
index 87646b9a..a035b950 100644
--- a/input/new.json
+++ b/input/new.json
@@ -1,15 +1,24 @@
 {
- "package_name": "",
- "patch_versions": [],
- "vulnerable_ranges": [],
- "cwe": [],
- "tldr": "",
- "doest_this_affect_me": "",
- "how_to_fix": "",
- "vulnerable_to": "",
+ "package_name": "node-catbox",
+ "patch_versions": [
+ "4.2.0"
+ ],
+ "vulnerable_ranges": [
+ [
+ "0.0.1",
+ "4.1.0"
+ ]
+ ],
+ "cwe": [
+ "CWE-20"
+ ],
+ "tldr": "Affected versions of this package are vulnerable to improper input validation. The `uploadURL` function does not sufficiently validate the user-supplied URL parameter and forwards it directly to the Catbox API. This allows malformed URLs or URLs with unsupported schemes to be processed, which can lead to unintended behavior in applications relying on the library. The issue is fixed by adding validation to ensure that only valid `http` or `https` URLs are accepted.",
+ "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+ "how_to_fix": "Upgrade the `node-catbox` library to the patch version.",
+ "vulnerable_to": "Improper Input Validation",
 "related_cve_id": "",
- "language": "",
- "severity_class": "",
- "aikido_score": 0,
- "changelog": ""
+ "language": "JS",
+ "severity_class": "LOW",
+ "aikido_score": 30,
+ "changelog": "https://github.com/depthbomb/node-catbox/releases/tag/4.2.0"
 }
From 7e092a20a2c4953cc4a72434c144dc3ca703de43 Mon Sep 17 00:00:00 2001
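Review bot: The `doest_this_affect_me` value added in this hunk is generic ("You are affected if you are using a version that falls within the vulnerable range") while the `tldr` on the line above scopes the flaw to the URL argument of `uploadURL`, so a reader of the entry cannot tell whether their usage is exposed. I would narrow it along the lines of `"doest_this_affect_me": "You are affected if you use a version in the vulnerable range and pass URLs that originate from untrusted input to uploadURL; callers that only pass fixed or server-controlled URLs are unlikely to be exposed."`. `related_cve_id` is left as `""`, and since the file cannot carry a comment it would help to state in the commit description whether no CVE exists or one is still pending. The same text is copied into `vulnerabilities/AIKIDO-2026-10296.json` by the third patch, so whichever wording is chosen should be mirrored there.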
From: sampion88 <36301168+sampion88@users.noreply.github.com>
Date: Thu, 5 Mar 2026 10:25:42 +0100
Subject: [PATCH 2/3] Update new.json
---
 input/new.json | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/input/new.json b/input/new.json
index a035b950..7096ce16 100644
--- a/input/new.json
+++ b/input/new.json
@@ -5,7 +5,7 @@
 ],
 "vulnerable_ranges": [
 [
- "0.0.1",
+ "0.1.0",
 "4.1.0"
 ]
 ],
From 1ac24e1f01210c03801c312cf3bd5593e47ee97a Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Thu, 5 Mar 2026 15:39:26 +0000
Subject: [PATCH 3/3] Move new vulnerability to vulnerabilities/AIKIDO-2026-10296.json and reset new.json template
---
 input/new.json | 33 ++++++++++----------------
 vulnerabilities/AIKIDO-2026-10296.json | 26 ++++++++++++++++++++
 2 files changed, 38 insertions(+), 21 deletions(-)
 create mode 100644 vulnerabilities/AIKIDO-2026-10296.json
diff --git a/input/new.json b/input/new.json
index 7096ce16..87646b9a 100644
--- a/input/new.json
+++ b/input/new.json
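Review bot: The corrected range `["0.1.0", "4.1.0"]` still ends at `4.1.0` while `patch_versions` names `4.2.0`; nothing on the page says whether the bounds are inclusive, and if they are, any `4.1.x` release published between the two would be classified as unaffected. If the schema allows an open upper bound, expressing it as everything below the patch version would track `patch_versions` directly; otherwise it is worth confirming against the package's release list that no such intermediate version exists. The third patch copies the same range into `vulnerabilities/AIKIDO-2026-10296.json`, so a change here should be mirrored there.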
@@ -1,24 +1,15 @@
 {
- "package_name": "node-catbox",
- "patch_versions": [
- "4.2.0"
- ],
- "vulnerable_ranges": [
- [
- "0.1.0",
- "4.1.0"
- ]
- ],
- "cwe": [
- "CWE-20"
- ],
- "tldr": "Affected versions of this package are vulnerable to improper input validation. The `uploadURL` function does not sufficiently validate the user-supplied URL parameter and forwards it directly to the Catbox API. This allows malformed URLs or URLs with unsupported schemes to be processed, which can lead to unintended behavior in applications relying on the library. The issue is fixed by adding validation to ensure that only valid `http` or `https` URLs are accepted.",
- "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
- "how_to_fix": "Upgrade the `node-catbox` library to the patch version.",
- "vulnerable_to": "Improper Input Validation",
+ "package_name": "",
+ "patch_versions": [],
+ "vulnerable_ranges": [],
+ "cwe": [],
+ "tldr": "",
+ "doest_this_affect_me": "",
+ "how_to_fix": "",
+ "vulnerable_to": "",
 "related_cve_id": "",
- "language": "JS",
- "severity_class": "LOW",
- "aikido_score": 30,
- "changelog": "https://github.com/depthbomb/node-catbox/releases/tag/4.2.0"
+ "language": "",
+ "severity_class": "",
+ "aikido_score": 0,
+ "changelog": ""
 }
diff --git a/vulnerabilities/AIKIDO-2026-10296.json b/vulnerabilities/AIKIDO-2026-10296.json
new file mode 100644
index 00000000..38403c8b
--- /dev/null
+++ b/vulnerabilities/AIKIDO-2026-10296.json
@@ -0,0 +1,26 @@
+{
+ "package_name": "node-catbox",
+ "patch_versions": [
+ "4.2.0"
+ ],
+ "vulnerable_ranges": [
+ [
+ "0.1.0",
+ "4.1.0"
+ ]
+ ],
+ "cwe": [
+ "CWE-20"
+ ],
+ "tldr": "Affected versions of this package are vulnerable to improper input validation. The `uploadURL` function does not sufficiently validate the user-supplied URL parameter and forwards it directly to the Catbox API. This allows malformed URLs or URLs with unsupported schemes to be processed, which can lead to unintended behavior in applications relying on the library. The issue is fixed by adding validation to ensure that only valid `http` or `https` URLs are accepted.",
+ "doest_this_affect_me": "You are affected if you are using a version that falls within the vulnerable range.",
+ "how_to_fix": "Upgrade the `node-catbox` library to the patch version.",
+ "vulnerable_to": "Improper Input Validation",
+ "related_cve_id": "",
+ "language": "JS",
+ "severity_class": "LOW",
+ "aikido_score": 30,
+ "changelog": "https://github.com/depthbomb/node-catbox/releases/tag/4.2.0",
+ "last_modified": "2026-03-05",
+ "published": "2026-03-05"
+}