PatchSiren

ash-project CVE debriefs

These pages are published after PatchSiren validates generated defensive summaries against stored public CVE and source evidence.

MEDIUM ash-project CVE published 2026-06-23

CVE-2026-55736

CVE-2026-55736 is an Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in ash-project ash. The issue allows a user to set the value of a private action argument intended to be controlled only by trusted server-side code. This occurs because Ash filters out private arguments incompletely when building a changeset from a parameter map. Specifically, private argumen [truncated]