From 365aee4f1ae371c92bc4f5d05721a7059a8689c7 Mon Sep 17 00:00:00 2001
From: Vibhav Bobade
Date: Wed, 6 May 2026 20:13:18 +0530
Subject: [PATCH] [GHSA-rx35-6rhx-7858] Add multi-branch patch ranges for Tekton Pipelines VolumeMount path restriction bypass via missing filepath.Clean (CVE-2026-40923) was patched across five maintained LTS branches on April 21, 2026, but the OSV entry here collapses the fix into a single range. Users on patched LTS releases (v1.0.2, v1.3.4, v1.6.2, v1.9.3) are incorrectly flagged as vulnerable by dependency tooling. Updated to use one OSV range per branch so each patched version is recognized as fixed: v1.0.2, v1.3.4, v1.6.2, v1.9.3, v1.11.1. Source: https://github.com/tektoncd/pipeline/security/advisories/GHSA-rx35-6rhx-7858
---
 .../GHSA-rx35-6rhx-7858.json | 85 +++++++++++++++++--
 1 file changed, 79 insertions(+), 6 deletions(-)
diff --git a/advisories/github-reviewed/2026/04/GHSA-rx35-6rhx-7858/GHSA-rx35-6rhx-7858.json b/advisories/github-reviewed/2026/04/GHSA-rx35-6rhx-7858/GHSA-rx35-6rhx-7858.json
index da0f1df847aaf..69a4bb0b696a3 100644
--- a/advisories/github-reviewed/2026/04/GHSA-rx35-6rhx-7858/GHSA-rx35-6rhx-7858.json
+++ b/advisories/github-reviewed/2026/04/GHSA-rx35-6rhx-7858/GHSA-rx35-6rhx-7858.json
@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rx35-6rhx-7858",
-  "modified": "2026-04-27T18:10:05Z",
+  "modified": "2026-05-05T10:00:00Z",
   "published": "2026-04-21T20:26:41Z",
   "aliases": [
     "CVE-2026-40923"
@@ -27,15 +27,88 @@
             {
               "introduced": "0"
             },
+            {
+              "fixed": "1.0.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/tektoncd/pipeline"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.1.0"
+            },
+            {
+              "fixed": "1.3.4"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/tektoncd/pipeline"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.4.0"
+            },
+            {
+              "fixed": "1.6.2"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/tektoncd/pipeline"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.7.0"
+            },
+            {
+              "fixed": "1.9.3"
+            }
+          ]
+        }
+      ]
+    },
+    {
+      "package": {
+        "ecosystem": "Go",
+        "name": "github.com/tektoncd/pipeline"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "1.10.0"
+            },
             {
               "fixed": "1.11.1"
             }
           ]
         }
-      ],
-      "database_specific": {
-        "last_known_affected_version_range": "<= 1.11.0"
-      }
+      ]
     }
   ],
   "references": [
@@ -65,4 +138,4 @@
     "github_reviewed_at": "2026-04-21T20:26:41Z",
     "nvd_published_at": "2026-04-21T21:16:45Z"
   }
-}
\ No newline at end of file
+}
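Review bot: The `database_specific` block carrying `"last_known_affected_version_range": "<= 1.11.0"` is deleted at the end of this hunk, but the commit message only describes splitting the range; if consumers of this database read that field, the per-entry equivalent on the new side would be something like `"last_known_affected_version_range": "<= 1.0.1"` on the first entry (and the matching bound on each later one), and otherwise the removal deserves a sentence in the description. The five event pairs as written (0→1.0.2, 1.1.0→1.3.4, 1.4.0→1.6.2, 1.7.0→1.9.3, 1.10.0→1.11.1) leave no gap, so non-LTS minors such as 1.1.x, 1.2.x, 1.4.x, 1.5.x, 1.7.x, 1.8.x and 1.10.x stay flagged as affected, which is the property scanners depend on and is worth stating explicitly. The `introduced` boundaries for the later branches are not quoted from the linked advisory here, so they should be checked against it before merge. The first `affected` element and its `ranges` array open before line 27, outside this hunk.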