rubysec · jasnow · May 24, 2026 · May 27, 2026 · May 27, 2026 · May 27, 2026
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -9,7 +9,8 @@
 * Please see the [README](README.md#schema) for more documentation on the
   YAML Schema.
 * Prior to submitting a pull request, run the tests:
-
+* Advisory filename and the root of the `url:` field must
+  be equal `(as of 5/10/2026).`
 ```
 bundle install
 bundle exec rspec

diff --git a/gems/faraday/CVE-2026-33637.yml b/gems/faraday/CVE-2026-33637.yml
@@ -2,7 +2,7 @@
 gem: faraday
 cve: 2026-33637
 ghsa: 5rv5-xj5j-3484
-url: https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
+url: https://nvd.nist.gov/vuln/detail/CVE-2026-33637
 title: Faraday has a possible incomplete fix for GHSA-33mh-2634-fwr2 -
   protocol-relative URI objects still bypass host scoping
 date: 2026-05-18
@@ -31,7 +31,7 @@ description: |
   that believe they are constrained to a fixed base URL. If the
   connection carries default headers or query parameters, those
   values are forwarded to the attacker-selected host.
-cvss_v3: 0.0
+cvss_v3: 6.5
 unaffected_versions:
   - "< 2.0.0"
 patched_versions:
@@ -43,5 +43,3 @@ related:
     - https://github.com/lostisland/faraday/security/advisories/GHSA-5rv5-xj5j-3484
     - https://github.com/advisories/GHSA-33mh-2634-fwr2
     - https://github.com/advisories/GHSA-5rv5-xj5j-3484
-notes: |
-  - ZERO CVSS value in GHSA and NVD
diff --git a/gems/jwt/CVE-2026-45363.yml b/gems/jwt/CVE-2026-45363.yml
@@ -51,6 +51,7 @@ patched_versions:
   - ">= 3.2.0"
 related:
   url:
+    - https://www.cve.org/CVERecord?id=CVE-2026-45363
     - https://github.com/jwt/ruby-jwt/security/advisories/GHSA-c32j-vqhx-rx3x
     - https://github.com/jwt/ruby-jwt/commit/db560b769a07bd9724e77ff505011ac01872106f
     - https://github.com/jwt/ruby-jwt/releases/tag/v3.2.0

diff --git a/spec/advisory_example.rb b/spec/advisory_example.rb
@@ -106,6 +106,21 @@
       it { expect(subject).to be_kind_of(String) }
       it { expect(subject).to_not match(%r{\Ahttp(s)?://osvdb\.org}) }
       it { expect(subject).not_to be_empty }
+
+      it "has a filename that matches the root of the url field" do
+        url = advisory["url"]
+
+        # Extract filename without extension
+        filename_root = File.basename(path, ".yml")
+
+        # 5/24/2026: May 9, 2026 is earliest start date with no failed checks.
+        start_date = Date.new(2026, 5, 9)
+        # Skip advisories older than start_date and old OSVDB advisories.
+        if advisory["date"] >= start_date and !filename_root.start_with?("OSVDB")
+          expect(url).to include(filename_root),
+            "Expected base filename DOES NOT include URL"
+        end
+      end
     end
 
     describe "title" do