Skip to content

CVE-2026-40180: executable affected-version certificate for GHSA #8378

Open
Open
CVE-2026-40180: executable affected-version certificate for GHSA#8378

Description

@hypergalois
hypergalois
opened on Jun 30, 2026

CVE-2026-40180: executable affected-version certificate for GHSA

Requested Check

Please review the executable affected-version evidence below and decide whether the affected-version data or package namespace should be updated or explicitly documented.

Grouped Route

  • candidate: CVE-2026-40180
  • route URL: https://github.com/github/advisory-database
  • targets: GHSA
  • route kinds: claim-source
  • priority: P1
  • grouped queue rows: 1
  • P0 rows in group: 0

Evidence Summary

  • projection-loss versions: 3
  • source-disagreement versions: 0
  • report paths: external_validation_reports/CVE-2026-40180_external_validation_report.md

Target-Specific Packets

Target Route kind Priority Reason Body SHA-256
GHSA claim-source P1 claim-source projection excludes witness-vulnerable versions external_validation_submissions/CVE-2026-40180__GHSA.md 0809d436d6857494ed902d860f91d896d0944b12f59eb201555610d6bbdc08ea

Reproduction

make cve-2026-40180
make interval-certificates topology-theorem order-sensitivity version-dags
make case-certificates verify-certificates validate-artifact

Evidence Details

Only the maintainer-facing certificate sections are included here. Tool-level matrices remain in the research artifact and are not part of this advisory-owner request.

Packet: GHSA / claim-source

  • target-specific body SHA-256: 0809d436d6857494ed902d860f91d896d0944b12f59eb201555610d6bbdc08ea
  • target-specific report: external_validation_reports/CVE-2026-40180_external_validation_report.md

Executable Certificate

  • candidate: CVE-2026-40180
  • bitstring: 11100000
  • minimum interval cover: 1
  • V-S-V witnesses: 0
  • zero-error single intervals: 1
  • full-recall false-positive lower bound: 0
  • zero-false-positive false-negative lower bound: 0

Projection-Loss Coordinates

  • io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0
    • version: 2.14.0
    • claim projection decisions: OSV:package_excluded;GHSA:package_excluded
    • excluding sources: OSV;GHSA
    • detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate
  • io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.14.0-lts
    • version: 2.14.0-lts
    • claim projection decisions: OSV:package_excluded;GHSA:package_excluded
    • excluding sources: OSV;GHSA
    • detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate
  • io.quarkiverse.openapi.generator:quarkus-openapi-generator-server-deployment:2.15.0
    • version: 2.15.0
    • claim projection decisions: OSV:package_excluded;GHSA:package_excluded
    • excluding sources: OSV;GHSA
    • detail: OSV: no GHSA vulnerability row for tested Maven coordinate; GHSA: no GHSA vulnerability row for tested Maven coordinate

Source Disagreements

  • none recorded for this case

Public Evidence Bundle

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions