From f485c2466d517ae5fb9294dbaf74638aa7a6fff2 Mon Sep 17 00:00:00 2001
From: asrar-mared
Date: Sun, 15 Feb 2026 02:36:58 +0400
Subject: [PATCH 1/3] Fix GHSA-xm5c-f9c6-j794: corrected rejected advisory schema
---
 .../2026/02/GHSA-xm5c-f9c6-j794/GHSA-xm5c-f9c6-j794.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/advisories/unreviewed/2026/02/GHSA-xm5c-f9c6-j794/GHSA-xm5c-f9c6-j794.json b/advisories/unreviewed/2026/02/GHSA-xm5c-f9c6-j794/GHSA-xm5c-f9c6-j794.json
index d1a0aca7e7eb7..343a3203944e1 100644
--- a/advisories/unreviewed/2026/02/GHSA-xm5c-f9c6-j794/GHSA-xm5c-f9c6-j794.json
+++ b/advisories/unreviewed/2026/02/GHSA-xm5c-f9c6-j794/GHSA-xm5c-f9c6-j794.json
@@ -6,7 +6,7 @@
 "aliases": [
 "CVE-2026-25696"
 ],
- "details": "Rejected reason: Not used",
+ "details": "This advisory has been marked as rejected. The identifier was reserved but not used.",
 "severity": [],
 "affected": [],
 "references": [
@@ -22,4 +22,4 @@
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-06T04:15:52Z"
 }
-}
\ No newline at end of file
+}
From 47581861472126f97487bc98962ba9181acfd726 Mon Sep 17 00:00:00 2001
From: asrar-mared
Date: Sun, 15 Feb 2026 11:30:53 +0400
Subject: [PATCH 2/3] Add NPM Fix Engine operational file
---
 .../GHSA-856v-8qm2-9wjv.backup.json | 161 ++++++++++++++++++
 .../GHSA-856v-8qm2-9wjv.json.backup | 161 ++++++++++++++++++
 .../fix_operator_sdk_advisory.py | 46 +++++
 .../update_operator_sdk_advisory.py | 46 +++++
 4 files changed, 414 insertions(+)
 create mode 100644 advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.backup.json
 create mode 100644 advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json.backup
 create mode 100755 advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/fix_operator_sdk_advisory.py
 create mode 100755 advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/update_operator_sdk_advisory.py
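Review bot: The new `details` text at `@@ -6,7 +6,7 @@` replaces the upstream `Rejected reason: Not used` string with prose, but the record gains no machine-readable rejection marker, so the "schema" fix named in the commit title is wording only. Anything that filters rejected CVEs by the `Rejected reason:` prefix would stop recognising this entry (whether such consumers exist is not visible here). The diffstat shows only `details` and the closing brace changed, so `modified` was not bumped and incremental consumers may not pick the edit up. I would keep the upstream string and, if the record is meant to be retired, add an OSV `"withdrawn": "<RFC 3339 timestamp>"` field together with a new `modified` value. The second hunk (newline at end of file) is fine.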
diff --git a/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.backup.json b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.backup.json new file mode 100644 index 0000000000000..629e50c463ea6 --- /dev/null +++ b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.backup.json 
@@ -0,0 +1,161 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-856v-8qm2-9wjv", + "modified": "2026-02-11T18:32:31Z", + "published": "2025-08-07T21:31:08Z", + "aliases": [ + "CVE-2025-7195" + ], + "summary": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd", + "details": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. 
This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.\n ⭐ Introduce Automated Remediation Framework for Operator‑SDK Vulnerabilities\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/operator-framework/operator-sdk" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.15.2" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195" + }, + { + "type": "PACKAGE", + "url": "https://github.com/operator-framework/operator-sdk" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2025-7195" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:2572" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:0737" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:0722" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:0718" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:0627" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:23542" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:23529" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:23528" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22684" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22683" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22420" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22418" + }, + { + 
"type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22416" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22415" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:21885" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:21368" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:19961" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:19958" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:19335" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:19332" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHEA-2026:0129" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHEA-2025:23478" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHEA-2025:23406" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHBA-2024:11569" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-276" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2025-08-07T21:59:46Z", + "nvd_published_at": "2025-08-07T19:15:29Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json.backup b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json.backup new file mode 100644 index 0000000000000..cb0dc09e299c5 --- /dev/null +++ b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/GHSA-856v-8qm2-9wjv.json.backup 
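Review bot: This file is a backup copy committed into the live advisory tree with a `.json` extension and the same `"id": "GHSA-856v-8qm2-9wjv"` as the real advisory, so any consumer that walks `advisories/**/*.json` would see two records for one ID; `GHSA-856v-8qm2-9wjv.json.backup` in the next section is the same kind of artefact. Its `details` value also ends with `\n ⭐ Introduce Automated Remediation Framework for Operator‑SDK Vulnerabilities\n\n\n`, which reads like a pull-request title rather than vulnerability text, and the same tail is present in both copies. Both backup files should be dropped from the commit, and the trailing text removed from the advisory they were copied from if it is there too. The commit subject ("NPM Fix Engine") does not match the content either, which is a Go advisory.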
@@ -0,0 +1,161 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-856v-8qm2-9wjv", + "modified": "2026-02-11T18:32:31Z", + "published": "2025-08-07T21:31:08Z", + "aliases": [ + "CVE-2025-7195" + ], + "summary": "operator-sdk: privilege escalation due to incorrect permissions of /etc/passwd", + "details": "Early versions of Operator-SDK provided an insecure method to allow operator containers to run in environments that used a random UID. Operator-SDK before 0.15.2 provided a script, user_setup, which modifies the permissions of the /etc/passwd file to 664 during build time. Developers who used Operator-SDK before 0.15.2 to scaffold their operator may still be impacted by this if the insecure user_setup script is still being used to build new container images. In affected images, the /etc/passwd file was created during build time with group-writable permissions and a group ownership of root (gid=0). An attacker who can execute commands within an affected container, even as a non-root user, may be able to leverage their membership in the root group to modify the /etc/passwd file. 
This could allow the attacker to add a new user with any arbitrary UID, including UID 0, leading to full root privileges within the container.\n ⭐ Introduce Automated Remediation Framework for Operator‑SDK Vulnerabilities\n\n\n", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:L/I:H/A:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/operator-framework/operator-sdk" + }, + "ranges": [ + { + "type": "SEMVER", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "1.38.0" + } + ] + } + ] + } + ], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-7195" + }, + { + "type": "PACKAGE", + "url": "https://github.com/operator-framework/operator-sdk" + }, + { + "type": "WEB", + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2376300" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/security/cve/CVE-2025-7195" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:2572" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:0737" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:0722" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:0718" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:0627" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:23542" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:23529" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:23528" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22684" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22683" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22420" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22418" + }, + { + 
"type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22416" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:22415" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:21885" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:21368" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:19961" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:19958" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:19335" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2025:19332" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHEA-2026:0129" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHEA-2025:23478" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHEA-2025:23406" + }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHBA-2024:11569" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-276" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2025-08-07T21:59:46Z", + "nvd_published_at": "2025-08-07T19:15:29Z" + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/fix_operator_sdk_advisory.py b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/fix_operator_sdk_advisory.py new file mode 100755 index 0000000000000..45f26f69f9f17 --- /dev/null +++ b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/fix_operator_sdk_advisory.py 
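Review bot: The range in this copy (`"type": "SEMVER"`, `"fixed": "1.38.0"`) contradicts the record's own `details`, which repeatedly says the problem is in Operator-SDK before 0.15.2; the `.backup.json` copy in the previous section carries `ECOSYSTEM` / `0.15.2`. Nothing in the visible diff cites a reference for 1.38.0, so the widened range would make scanners report versions from 0.15.2 up to 1.38.0 as vulnerable without supporting evidence on the page. A change to `fixed` should arrive with the reference that justifies it and a matching correction to the description.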
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+import json
+from datetime import datetime
+import subprocess
+
+# اسم ملف الـ GHSA اللي نشتغل عليه فقط
+FILE = "GHSA-856v-8qm2-9wjv.json"
+
+# إعدادات التحديث
+NEW_FIXED = "1.38.0"
+NEW_TYPE = "SEMVER"
+
+# التاريخ الحالي بصيغة ISO
+current_time = datetime.utcnow().strftime("%Y-%m-%dT%H:%M:%SZ")
+
+# عمل نسخة احتياطية
+backup_path = FILE + ".backup"
+subprocess.run(["cp", FILE, backup_path])
+
+# قراءة الملف
+with open(FILE, "r", encoding="utf-8") as f:
+ data = json.load(f)
+
+# تحديث النوع والتصحيح
+for pkg in data.get("affected", []):
+ for r in pkg.get("ranges", []):
+ r["type"] = NEW_TYPE
+ for event in r.get("events", []):
+ if "fixed" in event:
+ event["fixed"] = NEW_FIXED
+
+# تحديث modified
+data["modified"] = current_time
+
+# حفظ التغييرات
+with open(FILE, "w", encoding="utf-8") as f:
+ json.dump(data, f, indent=2, ensure_ascii=False)
+
+print(f"✅ Updated {FILE}")
+
+# Git add & commit
+subprocess.run(["git", "add", FILE])
+commit_message = f"Professional update: SEMVER range and fixed version updated on {current_time}"
+subprocess.run(["git", "commit", "-m", commit_message])
+
+print("✅ Commit created and ready for push.")
diff --git a/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/update_operator_sdk_advisory.py b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/update_operator_sdk_advisory.py
new file mode 100755
index 0000000000000..345f55b807d0c
--- /dev/null
+++ b/advisories/github-reviewed/2025/08/GHSA-856v-8qm2-9wjv/update_operator_sdk_advisory.py
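Review bot: The backup and git steps ignore failure: `subprocess.run(["cp", FILE, backup_path])` and both `git` calls run without `check=True`, so the script overwrites the advisory even when no backup was made and prints "Commit created" even when the commit failed. `json.dump` writes straight into `FILE`, which leaves a truncated advisory if the write is interrupted, and it emits no trailing newline, undoing the end-of-file fix that PATCH 1/3 applies to another advisory. The loop also sets `type` and `fixed` on every range of every `affected` entry from the hard-coded `NEW_FIXED = "1.38.0"`, with no check of the current value or of `data["id"]`; `update_operator_sdk_advisory.py` has the same unchecked `git` calls and hard-coded values. A one-off rewrite-and-commit tool like this is better kept out of the advisory data directory; if it stays, something like the following (it needs `import os, shutil`) closes the failure paths.

```python
# … unchanged: constants and timestamp …
shutil.copy2(FILE, backup_path)  # raises on failure instead of continuing without a backup

# … unchanged: load the JSON and update ranges / modified …

tmp_path = FILE + ".tmp"
with open(tmp_path, "w", encoding="utf-8") as f:
    json.dump(data, f, indent=2, ensure_ascii=False)
    f.write("\n")  # keep the trailing newline
os.replace(tmp_path, FILE)  # swap in the new file only after a complete write

subprocess.run(["git", "add", FILE], check=True)
subprocess.run(["git", "commit", "-m", commit_message], check=True)
```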
@@ -0,0 +1,46 @@
+#!/usr/bin/env python3
+import json
+import subprocess
+from pathlib import Path
+import datetime
+
+# مسار الملف
+ADVISORY_FILE = Path("GHSA-856v-8qm2-9wjv.json")
+BACKUP_FILE = ADVISORY_FILE.with_suffix(".backup.json")
+
+# نسخ احتياطي للملف القديم
+if ADVISORY_FILE.exists():
+ ADVISORY_FILE.replace(BACKUP_FILE)
+ print(f"✅ Backup created: {BACKUP_FILE}")
+
+# قراءة الملف القديم
+with open(BACKUP_FILE, "r", encoding="utf-8") as f:
+ data = json.load(f)
+
+# تحديثات رئيسية
+for rng in data.get("affected", []):
+ for r in rng.get("ranges", []):
+ r["type"] = "SEMVER" # تغيير النوع
+ for event in r.get("events", []):
+ if "fixed" in event:
+ event["fixed"] = "1.38.0" # تحديث النسخة الثابتة
+
+# حفظ الملف الجديد
+with open(ADVISORY_FILE, "w", encoding="utf-8") as f:
+ json.dump(data, f, indent=2, ensure_ascii=False)
+print(f"✅ Advisory updated: {ADVISORY_FILE}")
+
+# التحقق من صحة JSON (اختياري)
+try:
+ subprocess.run(["jq", ".", str(ADVISORY_FILE)], check=True)
+except FileNotFoundError:
+ print("⚠ jq not installed: skipping JSON formatting check")
+
+# عمل commit جاهز للرفع
+commit_message = f"Update Operator-SDK advisory: type→SEMVER, fixed→1.38.0 ({datetime.date.today()})"
+subprocess.run(["git", "add", str(ADVISORY_FILE)])
+subprocess.run(["git", "commit", "-m", commit_message])
+print(f"✅ Commit prepared: {commit_message}")
+
+print("\n🔥 جاهز الآن لدفع التغييرات على الفرع الشخصي:")
+print(f"git push origin {subprocess.getoutput('git branch --show-current')}")
From b6c5c521bd7037ac043dfa5e065a82e2d85dcc43 Mon Sep 17 00:00:00 2001
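Review bot: `ADVISORY_FILE.replace(BACKUP_FILE)` moves the advisory instead of copying it, so a second run silently overwrites the original backup with the already-modified file, and a failure in `json.load` leaves the directory with no advisory at all. When the advisory is missing, the `if` is skipped and the script goes on to read whatever `BACKUP_FILE` already holds. I would copy rather than move and stop when the source is absent: `shutil.copy2(ADVISORY_FILE, BACKUP_FILE)` in the `if` branch, `else: raise SystemExit(f"{ADVISORY_FILE} not found")`, and then read from `ADVISORY_FILE`. The `jq` step catches only `FileNotFoundError`, so invalid output raises an unhandled `CalledProcessError` after the file has already been written; validation belongs before the write. The backup name produced by `with_suffix(".backup.json")` also keeps a `.json` extension inside the advisory tree.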
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 00:33:02 +0000 Subject: [PATCH 3/3] Advisory Database Sync --- .../GHSA-279c-6crv-5wxc.json | 11 +++- .../GHSA-2v7m-mcj3-m7h7.json | 11 +++- .../GHSA-2whc-3gm8-r8v3.json | 11 +++- .../GHSA-33jq-j95r-2gpj.json | 33 ++++++++++ .../GHSA-34rh-x3gg-rqg4.json | 60 +++++++++++++++++++ .../GHSA-3m9c-j7xc-gc2c.json | 56 +++++++++++++++++ .../GHSA-3r56-xx7r-cr9c.json | 11 +++- .../GHSA-43rm-rg7w-7rjf.json | 11 +++- .../GHSA-4fwr-9c58-jg7x.json | 11 +++- .../GHSA-4pmr-jmj5-4gwv.json | 11 +++- .../GHSA-5284-5qqc-v2w8.json | 11 +++- .../GHSA-57vf-72qj-2828.json | 11 +++- .../GHSA-5j3p-mg5x-539j.json | 11 +++- .../GHSA-63v8-38hf-jrfm.json | 11 +++- .../GHSA-6hhh-7cj8-7mp2.json | 47 +++++++++++++++ .../GHSA-76g3-wv5g-g883.json | 11 +++- .../GHSA-877x-j2fm-2mw5.json | 11 +++- .../GHSA-8p6j-8fq8-23rr.json | 11 +++- .../GHSA-972x-fv77-xf59.json | 56 +++++++++++++++++ .../GHSA-97g7-x3h6-6ccc.json | 11 +++- .../GHSA-9mr9-pcmg-4xr7.json | 11 +++- .../GHSA-9w4h-qf26-hvrv.json | 11 +++- .../GHSA-9xx2-jmjv-w5vp.json | 52 ++++++++++++++++ .../GHSA-cvm5-m63f-8wmv.json | 11 +++- .../GHSA-f6pr-2mv6-45fq.json | 11 +++- .../GHSA-fc39-6hhj-gr5p.json | 11 +++- .../GHSA-g3qj-5j85-8w2c.json | 11 +++- .../GHSA-gv3f-578r-jhf3.json | 11 +++- .../GHSA-h68v-wm52-cjcj.json | 34 +++++++++++ .../GHSA-hc97-m5vw-hgpf.json | 11 +++- .../GHSA-j69g-gh5p-j2j3.json | 11 +++- .../GHSA-jxq5-ggfq-q36w.json | 11 +++- .../GHSA-m78j-wv7w-r94w.json | 11 +++- .../GHSA-mhvh-7hfw-2pcj.json | 11 +++- .../GHSA-mq7f-f783-pc94.json | 11 +++- .../GHSA-mqj4-m7cg-hx46.json | 11 +++- .../GHSA-mvmh-gv2w-6hrm.json | 11 +++- .../GHSA-mvp7-2m2r-2548.json | 11 +++- .../GHSA-pf6r-4hv7-pr4f.json | 11 +++- .../GHSA-pj5w-7j3v-9wwv.json | 11 +++- .../GHSA-pjx3-8fqj-x6hr.json | 11 +++- .../GHSA-pq2q-m7vr-7342.json | 11 +++- .../GHSA-pqpv-94jx-68vg.json | 52 ++++++++++++++++ .../GHSA-qvmx-rqmx-pvfg.json | 35 +++++++++++ 
.../GHSA-r8fr-76pj-5h7j.json | 11 +++- .../GHSA-rg2h-mq39-66pf.json | 56 +++++++++++++++++ .../GHSA-rv4c-25xc-4f6g.json | 11 +++- .../GHSA-rw5q-r997-qm48.json | 11 +++- .../GHSA-v534-r4rj-rcvf.json | 11 +++- .../GHSA-vjvc-9fxm-2xw8.json | 11 +++- .../GHSA-vmmw-c3hw-gvm3.json | 33 ++++++++++ .../GHSA-vph5-6p6f-8xpf.json | 11 +++- .../GHSA-w7wv-fvvq-ppfp.json | 11 +++- .../GHSA-wf36-8q2p-m2xg.json | 11 +++- .../GHSA-wg93-hp69-vv5w.json | 44 ++++++++++++++ .../GHSA-x6m2-4qvv-ghf6.json | 11 +++- .../GHSA-xg7c-7v8p-8ww8.json | 11 +++- .../GHSA-xw6c-ffpm-fgcm.json | 44 ++++++++++++++ 58 files changed, 962 insertions(+), 135 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-33jq-j95r-2gpj/GHSA-33jq-j95r-2gpj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-34rh-x3gg-rqg4/GHSA-34rh-x3gg-rqg4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3m9c-j7xc-gc2c/GHSA-3m9c-j7xc-gc2c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6hhh-7cj8-7mp2/GHSA-6hhh-7cj8-7mp2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-972x-fv77-xf59/GHSA-972x-fv77-xf59.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9xx2-jmjv-w5vp/GHSA-9xx2-jmjv-w5vp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h68v-wm52-cjcj/GHSA-h68v-wm52-cjcj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pqpv-94jx-68vg/GHSA-pqpv-94jx-68vg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qvmx-rqmx-pvfg/GHSA-qvmx-rqmx-pvfg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rg2h-mq39-66pf/GHSA-rg2h-mq39-66pf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vmmw-c3hw-gvm3/GHSA-vmmw-c3hw-gvm3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wg93-hp69-vv5w/GHSA-wg93-hp69-vv5w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xw6c-ffpm-fgcm/GHSA-xw6c-ffpm-fgcm.json 
diff --git a/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json b/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json index 936fd65d0151c..f556811c9af31 100644 --- a/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json +++ b/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-279c-6crv-5wxc", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69390" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Business Template Blocks for WPBakery (Visual Composer) Page Builder templates-and-addons-for-wpbakery-page-builder allows Reflected XSS.This issue affects Business Template Blocks for WPBakery (Visual Composer) Page Builder: from n/a through <= 1.3.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:24Z" diff --git a/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json b/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json index 5dfb584412d72..0e2ea26fb1574 100644 --- a/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json +++ b/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-2v7m-mcj3-m7h7", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68842" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in totalbounty Widget Logic Visual widget-logic-visual allows Reflected XSS.This issue affects Widget Logic Visual: from n/a through <= 1.52.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:12Z" diff --git a/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json b/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json index 247b941cc007e..6b7983db0eb42 100644 --- a/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json +++ b/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-2whc-3gm8-r8v3", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68844" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DaleAB Membee Login membees-member-login-widget allows Reflected XSS.This issue affects Membee Login: from n/a through <= 2.3.6.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:13Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-33jq-j95r-2gpj/GHSA-33jq-j95r-2gpj.json b/advisories/unreviewed/2026/02/GHSA-33jq-j95r-2gpj/GHSA-33jq-j95r-2gpj.json new file mode 100644 index 0000000000000..aff1e3b7028c3 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-33jq-j95r-2gpj/GHSA-33jq-j95r-2gpj.json @@ -0,0 +1,33 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-33jq-j95r-2gpj", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:34Z", + "aliases": [ + "CVE-2026-3063" + ], + "details": "Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3063" + }, + { + "type": "WEB", + "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html" + }, + { + "type": "WEB", + "url": "https://issues.chromium.org/issues/485287859" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T23:16:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-34rh-x3gg-rqg4/GHSA-34rh-x3gg-rqg4.json b/advisories/unreviewed/2026/02/GHSA-34rh-x3gg-rqg4/GHSA-34rh-x3gg-rqg4.json new file mode 100644 index 0000000000000..6c7ba2fa97c7b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-34rh-x3gg-rqg4/GHSA-34rh-x3gg-rqg4.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-34rh-x3gg-rqg4", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:33Z", + "aliases": [ + "CVE-2026-3041" + ], + "details": "A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module. Such manipulation of the argument sidebar.content leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3041" + }, + { + "type": "WEB", + "url": "https://github.com/xingfuggz/baykeShop/issues/1" + }, + { + "type": "WEB", + "url": "https://github.com/xingfuggz/baykeShop/issues/1#issue-3931488211" + }, + { + "type": "WEB", + "url": "https://github.com/xingfuggz/baykeShop" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347397" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347397" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.757165" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T22:16:26Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2026/02/GHSA-3m9c-j7xc-gc2c/GHSA-3m9c-j7xc-gc2c.json b/advisories/unreviewed/2026/02/GHSA-3m9c-j7xc-gc2c/GHSA-3m9c-j7xc-gc2c.json new file mode 100644 index 0000000000000..9835dc7c9b4fc --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3m9c-j7xc-gc2c/GHSA-3m9c-j7xc-gc2c.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3m9c-j7xc-gc2c", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:34Z", + "aliases": [ + "CVE-2026-3044" + ], + "details": "A vulnerability has been found in Tenda AC8 16.03.34.06. This affects the function webCgiGetUploadFile of the file /cgi-bin/UploadCfg of the component Httpd Service. The manipulation of the argument boundary leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3044" + }, + { + "type": "WEB", + "url": "https://github.com/master-abc/cve/issues/43" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347400" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347400" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.757240" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T00:16:19Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json b/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json index 6e09c9e1285cf..7061cbba02884 100644 --- a/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json +++ b/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-3r56-xx7r-cr9c", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69388" ], "details": "Missing Authorization vulnerability in cliengo Cliengo – Chatbot cliengo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cliengo – Chatbot: from n/a through <= 3.0.4.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:24Z" diff --git a/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json b/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json index 5d71126f9afd7..7f923978eeeba 100644 --- a/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json +++ b/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-43rm-rg7w-7rjf", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68863" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zack Katz iContact for Gravity Forms gravity-forms-icontact allows Reflected XSS.This issue affects iContact for Gravity Forms: from n/a through <= 1.3.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:14Z" diff --git a/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json b/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json index c9d372c9ff3e2..ac5c3eb067186 100644 --- a/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json +++ b/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-4fwr-9c58-jg7x", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68856" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in keeswolters Mopinion Feedback Form mopinion-feedback-form allows DOM-Based XSS.This issue affects Mopinion Feedback Form: from n/a through <= 1.1.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:14Z" diff --git a/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json b/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json index 485a654633815..af5bd74f8d307 100644 --- a/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json +++ b/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-4pmr-jmj5-4gwv", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-68495" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.8.0.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:09Z" diff --git a/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json b/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json index ceee3bff547c1..979e39f99714c 100644 --- a/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json +++ b/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json 
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5284-5qqc-v2w8",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-68037"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atlas Gondal Export Media URLs export-media-urls allows Reflected XSS.This issue affects Export Media URLs: from n/a through <= 2.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:08Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json b/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json
index cb83f3759f068..5ffed1cb9e4f6 100644
--- a/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json
+++ b/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-57vf-72qj-2828",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69330"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS.This issue affects Prestige: from n/a through < 1.4.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:20Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json b/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json
index 0913f69239cb2..b77c607dc49f2 100644
--- a/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json
+++ b/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5j3p-mg5x-539j",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68847"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iSape isape allows Reflected XSS.This issue affects iSape: from n/a through <= 0.72.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json b/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json
index 09c5bcebbaacf..74eed527406ab 100644
--- a/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json
+++ b/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-63v8-38hf-jrfm",
- "modified": "2026-02-20T18:31:37Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:37Z",
 "aliases": [
 "CVE-2025-69392"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:24Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-6hhh-7cj8-7mp2/GHSA-6hhh-7cj8-7mp2.json b/advisories/unreviewed/2026/02/GHSA-6hhh-7cj8-7mp2/GHSA-6hhh-7cj8-7mp2.json
new file mode 100644
index 0000000000000..2234915accd2a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-6hhh-7cj8-7mp2/GHSA-6hhh-7cj8-7mp2.json
@@ -0,0 +1,47 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6hhh-7cj8-7mp2",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2024-58041"
+ ],
+ "details": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.\n\nSmolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58041"
+ },
+ {
+ "type": "WEB",
+ "url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537"
+ },
+ {
+ "type": "WEB",
+ "url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221"
+ },
+ {
+ "type": "WEB",
+ "url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://perldoc.perl.org/functions/rand"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-338"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T00:16:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json b/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json
index 302d95675b37d..dfceae67dc926 100644
--- a/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json
+++ b/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-76g3-wv5g-g883",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22352"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows Reflected XSS.This issue affects Persian Woocommerce SMS: from n/a through <= 7.1.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:34Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json b/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json
index 9822ee51db2cf..615fd23954b78 100644
--- a/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json
+++ b/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-877x-j2fm-2mw5",
- "modified": "2026-02-20T18:31:37Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:37Z",
 "aliases": [
 "CVE-2025-69384"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.This issue affects Timeline Event History: from n/a through <= 3.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:23Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json b/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json
index 1e15d52fce9f8..bb415c1393c60 100644
--- a/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json
+++ b/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8p6j-8fq8-23rr",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68880"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Reflected XSS.This issue affects Simple Archive Generator: from n/a through <= 5.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:15Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-972x-fv77-xf59/GHSA-972x-fv77-xf59.json b/advisories/unreviewed/2026/02/GHSA-972x-fv77-xf59/GHSA-972x-fv77-xf59.json
new file mode 100644
index 0000000000000..6073652a622d4
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-972x-fv77-xf59/GHSA-972x-fv77-xf59.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-972x-fv77-xf59",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2026-3042"
+ ],
+ "details": "A vulnerability was detected in itsourcecode Event Management System 1.0. The affected element is an unknown function of the file /admin/index.php. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3042"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ltranquility/cve_submit/issues/1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347398"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347398"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757226"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T00:16:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json b/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json
index 269016f3e5da1..5aaae199b54c3 100644
--- a/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json
+++ b/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json
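Review bot: The `cwe_ids` entry `"CWE-74"` in the new GHSA-972x-fv77-xf59 record is only the generic injection class, while its `details` text describes SQL injection; adding `"CWE-89"` next to it would let consumers that triage or filter by CWE match this advisory. The same gap appears in the new GHSA-9xx2-jmjv-w5vp record, where `details` says OS command injection but `cwe_ids` carries only `"CWE-77"` (`"CWE-78"` is the specific class), and in GHSA-h68v-wm52-cjcj, whose `cwe_ids` is `[]` although `details` describes unsafe deserialization of untrusted data (`"CWE-502"`). If these records mirror the upstream CVE entry verbatim, the gap is presumably upstream and is worth correcting when the advisories are reviewed.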
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-97g7-x3h6-6ccc",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-24943"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference grandconference allows Reflected XSS.This issue affects Grand Conference: from n/a through <= 5.3.4.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:38Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json b/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json
index 9544e750c3d97..23f161b7ee06f 100644
--- a/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json
+++ b/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9mr9-pcmg-4xr7",
- "modified": "2026-02-20T18:31:33Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:33Z",
 "aliases": [
 "CVE-2025-53237"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:02Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json b/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json
index 10798f0533acb..10b4b1f62ed27 100644
--- a/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json
+++ b/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9w4h-qf26-hvrv",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69326"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:19Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-9xx2-jmjv-w5vp/GHSA-9xx2-jmjv-w5vp.json b/advisories/unreviewed/2026/02/GHSA-9xx2-jmjv-w5vp/GHSA-9xx2-jmjv-w5vp.json
new file mode 100644
index 0000000000000..09dd9bf9dc907
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9xx2-jmjv-w5vp/GHSA-9xx2-jmjv-w5vp.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9xx2-jmjv-w5vp",
+ "modified": "2026-02-24T00:31:33Z",
+ "published": "2026-02-24T00:31:33Z",
+ "aliases": [
+ "CVE-2026-3040"
+ ],
+ "details": "A vulnerability was identified in DrayTek Vigor 300B up to 1.5.1.6. This affects the function cgiGetFile of the file /cgi-bin/mainfunction.cgi/uploadlangs of the component Web Management Interface. The manipulation of the argument File leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor confirms that \"300B is EoL, and this is an authenticated vulnerability. We don't plan to fix it.\" This vulnerability only affects products that are no longer supported by the maintainer.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3040"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/master-abc/cve/issues/42"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347394"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347394"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757126"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T22:16:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json b/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json
index 0c2b2327fbe4e..219034d3b1db9 100644
--- a/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json
+++ b/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cvm5-m63f-8wmv",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68843"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Schuiling FeedWordPress Advanced Filters faf allows Reflected XSS.This issue affects FeedWordPress Advanced Filters: from n/a through <= 0.6.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json b/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json
index eb47df052da3f..0f30c4eb31af6 100644
--- a/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json
+++ b/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f6pr-2mv6-45fq",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68846"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS.This issue affects Asynchronous Javascript: from n/a through <= 1.3.5.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json b/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json
index fe2cdcbe77e28..6ba514a498948 100644
--- a/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json
+++ b/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fc39-6hhj-gr5p",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-67971"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja FluentCart fluent-cart allows Reflected XSS.This issue affects FluentCart: from n/a through < 1.3.0.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:03Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json b/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json
index df9d8756a17e9..49364c356264d 100644
--- a/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json
+++ b/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g3qj-5j85-8w2c",
- "modified": "2026-02-20T18:31:33Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:33Z",
 "aliases": [
 "CVE-2025-53228"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jezza101 bbpress Simple Advert Units bbpress-simple-advert-units allows Reflected XSS.This issue affects bbpress Simple Advert Units: from n/a through <= 0.41.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:01Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json b/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json
index 6bf8778540ce5..4a2d549665e29 100644
--- a/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json
+++ b/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gv3f-578r-jhf3",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-67990"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 GMap Targeting gmap-targeting allows Reflected XSS.This issue affects GMap Targeting: from n/a through <= 1.1.7.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:05Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-h68v-wm52-cjcj/GHSA-h68v-wm52-cjcj.json b/advisories/unreviewed/2026/02/GHSA-h68v-wm52-cjcj/GHSA-h68v-wm52-cjcj.json
new file mode 100644
index 0000000000000..20ca40487093c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h68v-wm52-cjcj/GHSA-h68v-wm52-cjcj.json
@@ -0,0 +1,34 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h68v-wm52-cjcj", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:34Z", + "aliases": [ + "CVE-2026-21665" + ], + "details": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries.\n\nThis CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. 
The finding does not apply to Fiserv-hosted environments.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21665" + }, + { + "type": "WEB", + "url": "https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/remoting-apis-obsolete" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T23:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json b/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json index 59f259e688502..026ac783fcb0f 100644 --- a/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json +++ b/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-hc97-m5vw-hgpf", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69385" ], "details": "Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:23Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json b/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json
index 05508e3ee2c20..4be02a4da1f82 100644
--- a/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json
+++ b/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j69g-gh5p-j2j3",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-67978"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FixBD Educare educare allows Reflected XSS.This issue affects Educare: from n/a through <= 1.6.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:04Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json b/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json
index 80b8de848cb63..353aefc87743d 100644
--- a/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json
+++ b/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jxq5-ggfq-q36w",
- "modified": "2026-02-20T18:31:37Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:37Z",
 "aliases": [
 "CVE-2025-69386"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce allows Reflected XSS.This issue affects RVCFDI para Woocommerce: from n/a through <= 8.1.8.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:23Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json b/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json
index 58423c0a7cd28..f14ea4e1a69d3 100644
--- a/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json
+++ b/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m78j-wv7w-r94w",
- "modified": "2026-02-20T18:31:33Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:33Z",
 "aliases": [
 "CVE-2025-53233"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RylanH Storyform storyform allows Reflected XSS.This issue affects Storyform: from n/a through <= 0.6.14.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:02Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json b/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json
index 100d5087ba629..b2d7a7aaef484 100644
--- a/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json
+++ b/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mhvh-7hfw-2pcj",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-67984"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in calliko NPS computy nps-computy allows DOM-Based XSS.This issue affects NPS computy: from n/a through <= 2.8.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:04Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json b/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json
index 5bba14e15ed13..7bd1602891ced 100644
--- a/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json
+++ b/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mq7f-f783-pc94",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-24949"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods PhotoMe photome allows DOM-Based XSS.This issue affects PhotoMe: from n/a through <= 5.7.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:39Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json b/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json
index d505c54d8ccaf..4871d66a695e5 100644
--- a/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json
+++ b/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mqj4-m7cg-hx46",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68501"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce allows Reflected XSS.This issue affects Mollie Payments for WooCommerce: from n/a through <= 8.1.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:10Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json b/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json
index d9dbefe94ac9d..2a337f5f8d8c5 100644
--- a/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json
+++ b/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mvmh-gv2w-6hrm",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69323"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:19Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json b/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json
index e122c38294277..c7dc55cf19c12 100644
--- a/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json
+++ b/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mvp7-2m2r-2548",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-69296"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through <= 4.6.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:16Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json b/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json
index 7c8bdd909df0a..b5fecb2639d8d 100644
--- a/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json
+++ b/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pf6r-4hv7-pr4f",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-67991"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Reflected XSS.This issue affects User Extra Fields: from n/a through <= 16.8.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:05Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json b/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json
index 90471ced8be2b..f5ede98af9cdb 100644
--- a/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json
+++ b/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pj5w-7j3v-9wwv",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68854"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in harman79 ID Arrays id-arrays allows DOM-Based XSS.This issue affects ID Arrays: from n/a through <= 2.1.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:14Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json b/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json
index cb1f59587984f..c83a3184a4fac 100644
--- a/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json
+++ b/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pjx3-8fqj-x6hr",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-67972"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:03Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json b/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json
index e7cfd796fb0c4..e41fbd68931b8 100644
--- a/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json
+++ b/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pq2q-m7vr-7342",
- "modified": "2026-02-20T18:31:37Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:37Z",
 "aliases": [
 "CVE-2025-69391"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Diamond diamond allows Reflected XSS.This issue affects Diamond: from n/a through <= 2.4.8.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:24Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-pqpv-94jx-68vg/GHSA-pqpv-94jx-68vg.json b/advisories/unreviewed/2026/02/GHSA-pqpv-94jx-68vg/GHSA-pqpv-94jx-68vg.json
new file mode 100644
index 0000000000000..18126d284b5b1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pqpv-94jx-68vg/GHSA-pqpv-94jx-68vg.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pqpv-94jx-68vg",
+ "modified": "2026-02-24T00:31:33Z",
+ "published": "2026-02-24T00:31:33Z",
+ "aliases": [
+ "CVE-2026-3028"
+ ],
+ "details": "A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3028"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347384"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347384"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756527"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.notion.so/JEEWMS-Stored-Cross-Site-Scripting-XSS-in-SysModule-304ea92a3c418099bed7f1e0bca12d83"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T22:16:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-qvmx-rqmx-pvfg/GHSA-qvmx-rqmx-pvfg.json b/advisories/unreviewed/2026/02/GHSA-qvmx-rqmx-pvfg/GHSA-qvmx-rqmx-pvfg.json
new file mode 100644
index 0000000000000..9ee27e51bca3e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-qvmx-rqmx-pvfg/GHSA-qvmx-rqmx-pvfg.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qvmx-rqmx-pvfg",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2026-3061"
+ ],
+ "details": "Out of bounds read in Media in Google Chrome prior to 145.0.7632.116 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3061"
+ },
+ {
+ "type": "WEB",
+ "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.chromium.org/issues/482862710"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T23:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json b/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json
index bbe7a802209ed..ed5eb046ed33e 100644
--- a/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json
+++ b/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json
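Review bot: `"severity": []` and `"severity": null` leave the new GHSA-qvmx-rqmx-pvfg record with no machine-readable rating, although its `details` text states "Chromium security severity: High", so tooling that filters on `database_specific.severity` will not surface it. The same gap is in the new GHSA-vmmw-c3hw-gvm3 file further down, which additionally ships `"cwe_ids": []` for what its text describes as an out-of-bounds read and write. Both `severity` fields should be filled from the upstream vector once one is published rather than guessed here. For the second file, `"cwe_ids": ["CWE-125", "CWE-787"]` would match the description, if the source record assigns them.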
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r8fr-76pj-5h7j",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69324"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:19Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-rg2h-mq39-66pf/GHSA-rg2h-mq39-66pf.json b/advisories/unreviewed/2026/02/GHSA-rg2h-mq39-66pf/GHSA-rg2h-mq39-66pf.json
new file mode 100644
index 0000000000000..c4b31b84e91cc
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-rg2h-mq39-66pf/GHSA-rg2h-mq39-66pf.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rg2h-mq39-66pf",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2026-3043"
+ ],
+ "details": "A flaw has been found in itsourcecode Event Management System 1.0. The impacted element is an unknown function of the file /admin/navbar.php. Executing a manipulation of the argument page can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3043"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ltranquility/cve_submit/issues/2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347399"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347399"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757227"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T00:16:19Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json b/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json
index 497b1d0b4d452..90c74fab6a7e7 100644
--- a/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json
+++ b/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rv4c-25xc-4f6g",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68848"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anmari amr cron manager amr-cron-manager allows Reflected XSS.This issue affects amr cron manager: from n/a through <= 2.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json b/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json
index f4067b6fd2983..f54adcc8f9bc8 100644
--- a/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json
+++ b/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rw5q-r997-qm48",
- "modified": "2026-02-20T18:31:37Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:37Z",
 "aliases": [
 "CVE-2025-69389"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hugh Mungus Visitor Maps Extended Referer Field visitor-maps-extended-referer-field allows Reflected XSS.This issue affects Visitor Maps Extended Referer Field: from n/a through <= 1.2.6.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:24Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json b/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json
index 728988ddf6b00..15bbe99305c24 100644
--- a/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json
+++ b/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v534-r4rj-rcvf",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68845"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Reflected XSS.This issue affects eDS Responsive Menu: from n/a through <= 1.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json b/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json
index e3a4eb2776bd6..7efb26e12481a 100644
--- a/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json
+++ b/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vjvc-9fxm-2xw8",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69368"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes SOHO - Photography WordPress Theme soho allows DOM-Based XSS.This issue affects SOHO - Photography WordPress Theme: from n/a through <= 3.0.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:21Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-vmmw-c3hw-gvm3/GHSA-vmmw-c3hw-gvm3.json b/advisories/unreviewed/2026/02/GHSA-vmmw-c3hw-gvm3/GHSA-vmmw-c3hw-gvm3.json
new file mode 100644
index 0000000000000..60519900350be
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-vmmw-c3hw-gvm3/GHSA-vmmw-c3hw-gvm3.json
@@ -0,0 +1,33 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vmmw-c3hw-gvm3",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2026-3062"
+ ],
+ "details": "Out of bounds read and write in Tint in Google Chrome on Mac prior to 145.0.7632.116 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3062"
+ },
+ {
+ "type": "WEB",
+ "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.chromium.org/issues/483751167"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T23:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json b/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json
index bf5b830a16403..11d880dc390d2 100644
--- a/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json
+++ b/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vph5-6p6f-8xpf",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-68031"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms افزونه پیامک حرفه ای فراز اس ام اس farazsms allows Reflected XSS.This issue affects افزونه پیامک حرفه ای فراز اس ام اس: from n/a through <= 2.7.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:08Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json b/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json
index a2c559792d9ce..8079f95fec16d 100644
--- a/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json
+++ b/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w7wv-fvvq-ppfp",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68852"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS.This issue affects Court Reservation: from n/a through <= 1.10.9.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json b/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json
index b108256ae4364..6687d3537ab09 100644
--- a/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json
+++ b/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wf36-8q2p-m2xg",
- "modified": "2026-02-20T18:31:33Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:33Z",
 "aliases": [
 "CVE-2025-53231"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevstudio Easy Taxonomy Images easy-taxonomy-images allows Stored XSS.This issue affects Easy Taxonomy Images: from n/a through <= 1.0.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:01Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-wg93-hp69-vv5w/GHSA-wg93-hp69-vv5w.json b/advisories/unreviewed/2026/02/GHSA-wg93-hp69-vv5w/GHSA-wg93-hp69-vv5w.json
new file mode 100644
index 0000000000000..c8606d368384d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wg93-hp69-vv5w/GHSA-wg93-hp69-vv5w.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wg93-hp69-vv5w",
+ "modified": "2026-02-24T00:31:33Z",
+ "published": "2026-02-24T00:31:33Z",
+ "aliases": [
+ "CVE-2026-27742"
+ ],
+ "details": "Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27742"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/bludit/bludit/issues/1579"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/bludit-stored-xss-in-post-content"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T22:16:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json b/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json
index 63ac5f6018190..1a79678c1149c 100644
--- a/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json
+++ b/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x6m2-4qvv-ghf6",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69367"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Oyster - Photography WordPress Theme oyster allows DOM-Based XSS.This issue affects Oyster - Photography WordPress Theme: from n/a through <= 4.4.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:20Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json b/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json
index e723a1688579b..ac16b42635239 100644
--- a/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json
+++ b/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xg7c-7v8p-8ww8",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-69302"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS.This issue affects DesignThemes Core Features: from n/a through <= 2.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:18Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-xw6c-ffpm-fgcm/GHSA-xw6c-ffpm-fgcm.json b/advisories/unreviewed/2026/02/GHSA-xw6c-ffpm-fgcm/GHSA-xw6c-ffpm-fgcm.json
new file mode 100644
index 0000000000000..d1f57ae140ab9
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xw6c-ffpm-fgcm/GHSA-xw6c-ffpm-fgcm.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xw6c-ffpm-fgcm",
+ "modified": "2026-02-24T00:31:33Z",
+ "published": "2026-02-24T00:31:33Z",
+ "aliases": [
+ "CVE-2026-27741"
+ ],
+ "details": "Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27741"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/bludit/bludit/issues/1577"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/bludit-csrf-in-plugin-and-theme-management-endpoints"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T22:16:25Z"
+ }
+}
\ No newline at end of file
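Review bot: The CVSS v3 vector in the new GHSA-xw6c-ffpm-fgcm file scores impact as `C:N/I:L/A:N` and the record is labelled `"severity": "MODERATE"`, which sits below what its own `details` text describes: a forged theme-installation request that may lead to execution of untrusted code. That may simply be the scoring published by the source, so it should be compared with the NVD record before the rating is relied on for triage. `"affected": []` also means version-matching scanners cannot flag Bludit installs from this record. The only version information is the "3.16.1" in the prose, so anyone tracking this product has to match on the text or the CVE alias.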