From 9d2aab2a648b5d562c1e570f270081dc209a88b7 Mon Sep 17 00:00:00 2001
From: Vijay Sarvepalli <vss@cert.org>
Date: Tue, 20 Jan 2026 18:10:19 -0500
Subject: [PATCH] Improve GHSA-m39p-34qh-rh3w

---
 .../GHSA-m39p-34qh-rh3w.json                  | 51 +++++++++++++++----
 1 file changed, 42 insertions(+), 9 deletions(-)

diff --git a/advisories/unreviewed/2026/01/GHSA-m39p-34qh-rh3w/GHSA-m39p-34qh-rh3w.json b/advisories/unreviewed/2026/01/GHSA-m39p-34qh-rh3w/GHSA-m39p-34qh-rh3w.json
index d99daca7a8f43..b5276f2dfccd3 100644
--- a/advisories/unreviewed/2026/01/GHSA-m39p-34qh-rh3w/GHSA-m39p-34qh-rh3w.json
+++ b/advisories/unreviewed/2026/01/GHSA-m39p-34qh-rh3w/GHSA-m39p-34qh-rh3w.json
@@ -1,31 +1,64 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-m39p-34qh-rh3w",
-  "modified": "2026-01-20T21:31:34Z",
+  "modified": "2026-01-20T21:31:41Z",
   "published": "2026-01-20T21:31:34Z",
   "aliases": [
     "CVE-2026-1245"
   ],
+  "summary": "A code injection vulnerability in the binary-parser library prior to version 2.3.0",
   "details": "A code injection vulnerability in the binary-parser library prior to version 2.3.0 allows arbitrary JavaScript code execution when untrusted values are used in parser field names or encoding parameters. The library directly interpolates these values into dynamically generated code without sanitization, enabling attackers to execute arbitrary code in the context of the Node.js process.",
-  "severity": [],
-  "affected": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:N"
+    }
+  ],
+  "affected": [
+    {
+      "package": {
+        "ecosystem": "npm",
+        "name": "binary-parser"
+      },
+      "ranges": [
+        {
+          "type": "ECOSYSTEM",
+          "events": [
+            {
+              "introduced": "0"
+            },
+            {
+              "fixed": "2.3.0"
+            }
+          ]
+        }
+      ]
+    }
+  ],
   "references": [
     {
-      "type": "ADVISORY",
-      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1245"
+      "type": "WEB",
+      "url": "https://github.com/keichi/binary-parser/pull/283"
+    },
+    {
+      "type": "PACKAGE",
+      "url": "https://github.com/keichi/binary-parser"
     },
     {
       "type": "WEB",
-      "url": "https://github.com/keichi/binary-parser/pull/283"
+      "url": "https://kb.cert.org/vuls/id/102648"
     },
     {
       "type": "WEB",
-      "url": "https://www.kb.cert.org/vuls/id/102648"
+      "url": "https://www.cve.org/CVERecord?id=CVE-2026-1245"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-94",
+      "CWE-95"
+    ],
+    "severity": "LOW",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-20T19:15:50Z"