
CVE-2026-33672 CVE-2026-33671: Method injection in POSIX character classes causes incorrect glob matching Related glob security issue patched in the same release #970

Merged
vharseko merged 1 commit into master from copilot/merge-pr-968-and-969 on Mar 26, 2026

Copilot AI commented Mar 26, 2026

Consolidates Dependabot PRs #968 and #969 into a single fix. Upgrades picomatch to 2.3.2 (security release) in both UI modules to address:

  • CVE-2026-33672 — Method injection in POSIX character classes causes incorrect glob matching
  • CVE-2026-33671 — Related glob security issue patched in the same release

Changed

  • openam-ui/openam-ui-ria/package-lock.json — picomatch 2.3.1 → 2.3.2
  • openam-ui/openam-ui-api/package-lock.json — picomatch 2.3.1 → 2.3.2
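
A lockfile check for the upgrade described above, as an added example that is not part of the pull request or the OpenAM code base: it walks a parsed package-lock.json (the nested `dependencies` layout and the flat `packages` layout) and lists every picomatch entry still below 2.3.2. The function names and sample lockfiles are constructed for illustration; only the 2.3.2 threshold comes from the PR, so other picomatch major lines are not assessed.

```javascript
// Added example: audit a parsed package-lock.json for picomatch below 2.3.2.
const FIXED = [2, 3, 2]; // fixed release named in the PR (2.3.1 -> 2.3.2)

// True only for a plain x.y.z version that sorts below FIXED.
function isBelowFixed(version) {
  const m = /^(\d+)\.(\d+)\.(\d+)/.exec(typeof version === 'string' ? version : '');
  if (!m) return false; // link entries, git/tarball specs: not assessable here
  for (let i = 0; i < 3; i++) {
    const n = Number(m[i + 1]);
    if (n !== FIXED[i]) return n < FIXED[i];
  }
  return false;
}

// Returns [{ path, version }] for every resolved picomatch copy below FIXED.
function findOldPicomatch(lock) {
  const hits = [];
  // lockfileVersion 2/3: flat "packages" map keyed by install path.
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    if (/(^|\/)node_modules\/picomatch$/.test(path) && isBelowFixed(meta.version)) {
      hits.push({ path, version: meta.version });
    }
  }
  // lockfileVersion 1: nested "dependencies" tree (skipped when "packages"
  // exists, because v2 lockfiles mirror the same entries in both places).
  const walk = (deps, prefix) => {
    for (const [name, meta] of Object.entries(deps || {})) {
      const path = `${prefix}node_modules/${name}`;
      if (name === 'picomatch' && isBelowFixed(meta.version)) {
        hits.push({ path, version: meta.version });
      }
      walk(meta.dependencies, `${path}/`);
    }
  };
  if (!lock.packages) walk(lock.dependencies, '');
  return hits;
}

// Constructed sample data (not the OpenAM lockfiles): a transitive copy
// stays on 2.3.1 even though the top-level copy is already 2.3.2.
const sampleV3 = { lockfileVersion: 3, packages: {
  '': { name: 'demo' },
  'node_modules/picomatch': { version: '2.3.2' },
  'node_modules/micromatch/node_modules/picomatch': { version: '2.3.1' } } };
const sampleV1 = { lockfileVersion: 1, dependencies: {
  anymatch: { version: '3.1.3', dependencies: { picomatch: { version: '2.3.1' } } },
  picomatch: { version: '2.3.2' } } };
console.log(findOldPicomatch(sampleV3), findOldPicomatch(sampleV1));
```

To check a real module, pass the `JSON.parse` result of its `package-lock.json` contents to `findOldPicomatch`; an empty array means no resolved picomatch entry is below the fixed release.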

…nd openam-ui-ria (merges #968 and #969)

Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>
Agent-Logs-Url: https://github.com/OpenIdentityPlatform/OpenAM/sessions/b8ae71b3-79ab-4794-90e1-c2e1e7175bc5
@vharseko vharseko requested a review from maximthomas March 26, 2026 11:18
@vharseko vharseko marked this pull request as ready for review March 26, 2026 11:18
@vharseko vharseko changed the title CVE-2026-33672/33671: bump picomatch 2.3.1 → 2.3.2 in openam-ui-api and openam-ui-ria CVE-2026-33672 CVE-2026-33671: bump picomatch 2.3.1 → 2.3.2 in openam-ui-api and openam-ui-ria Mar 26, 2026
@vharseko vharseko changed the title CVE-2026-33672 CVE-2026-33671: bump picomatch 2.3.1 → 2.3.2 in openam-ui-api and openam-ui-ria CVE-2026-33672 CVE-2026-33671: Method injection in POSIX character classes causes incorrect glob matching Related glob security issue patched in the same release Mar 26, 2026
@vharseko vharseko merged commit 2fe1083 into master Mar 26, 2026
62 of 64 checks passed
@vharseko vharseko deleted the copilot/merge-pr-968-and-969 branch March 26, 2026 18:33
maximthomas pushed a commit to maximthomas/OpenAM that referenced this pull request Mar 30, 2026
…asses causes incorrect glob matching Related glob security issue patched in the same release (OpenIdentityPlatform#970)

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: vharseko <6818498+vharseko@users.noreply.github.com>