diff --git a/advisories/unreviewed/2026/04/GHSA-x4xq-7w28-q486/GHSA-x4xq-7w28-q486.json b/advisories/unreviewed/2026/04/GHSA-x4xq-7w28-q486/GHSA-x4xq-7w28-q486.json
index eced33efc76c8..119412f42fae1 100644
--- a/advisories/unreviewed/2026/04/GHSA-x4xq-7w28-q486/GHSA-x4xq-7w28-q486.json
+++ b/advisories/unreviewed/2026/04/GHSA-x4xq-7w28-q486/GHSA-x4xq-7w28-q486.json
@@ -1,22 +1,35 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-x4xq-7w28-q486",
- "modified": "2026-04-08T15:31:43Z",
+ "modified": "2026-04-08T15:32:45Z",
 "published": "2026-04-07T18:31:37Z",
 "aliases": [
 "CVE-2026-4931"
 ],
- "details": "Smart contract Marginal v1 performs unsafe downcast, allowing attackers to settle a large debt position for a negligible asset cost.",
- "severity": [
+ "summary": "MarginalProtocol Marginal v1: Unsafe uint128 downcast in adjust() enables flash loan exploit to settle large debt for negligible cost",
+ "details": "Ecosystem: EVM (Solidity) — Ethereum mainnet smart contract. No applicable ecosystem\noption exists in the GitHub Advisory Database for on-chain Solidity contracts.\n\nIn MarginalProtocol Marginal v1, the adjust() function in MarginalV1Pool (proxy:\n0x3A6C55Ce74d940A9B5dDDE1E57eF6e70bC8757A7) performs an unsafe downcast of margin0\n(a uint256) to uint128 without overflow validation:\n\n position.margin = uint128(margin0);\n\nIn Solidity, explicit casts do not revert on overflow. When margin0 exceeds\ntype(uint128).max, the upper bits are silently discarded via a bitwise AND operation.\nThe deployed bytecode confirms this at program counter 0x069c:\n\n 0687 | PUSH20(0xffffffffffffffffffffffffffffffff)\n 069c | AND -- uint128 truncation, no overflow check\n\nNo GT opcode. No REVERT. The truncation is unconditional and silent.\n\nAn attacker takes out a flash loan to cause margin0 to exceed 2^128 - 1, silently\ntruncating the stored margin value. This allows the attacker to settle a large debt\nposition for a negligible asset cost (demonstrated at 57,005 wei), effectively draining\ncollateral from liquidity providers. No privileges are required; the attack is executable\natomically within a single transaction. 
The vulnerability was patched by replacing the\nbare downcast with OpenZeppelin's SafeCast.toUint128().",
+ "severity": [],
+ "affected": [
 {
- "type": "CVSS_V3",
- "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:H/A:N"
+ "package": {
+ "ecosystem": "GitHub Actions",
+ "name": ""
+ },
+ "ranges": [
+ {
+ "type": "ECOSYSTEM",
+ "events": [
+ {
+ "introduced": "0"
+ }
+ ]
+ }
+ ]
 }
 ],
- "affected": [],
 "references": [
 {
- "type": "ADVISORY",
+ "type": "PACKAGE",
 "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4931"
 },
 {
@@ -44,7 +57,7 @@
 "cwe_ids": [
 "CWE-681"
 ],
- "severity": "MODERATE",
+ "severity": "CRITICAL",
 "github_reviewed": false,
 "github_reviewed_at": null,
 "nvd_published_at": "2026-04-07T16:16:30Z"
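Review bot: The NVD reference `https://nvd.nist.gov/vuln/detail/CVE-2026-4931` is retyped from `ADVISORY` to `PACKAGE` on the new side, but that URL is an advisory page rather than a package or source location, so `"type": "ADVISORY"` should be kept and a `PACKAGE` reference added only if it points at the contract's repository. The new `affected` entry pairs `"ecosystem": "GitHub Actions"` with `"name": ""` and `"introduced": "0"`, which the details text itself describes as a stand-in because no ecosystem fits an on-chain Solidity contract; an empty package name cannot be matched by OSV consumers and, carrying the ecosystem tag, may be read as an unbounded GitHub Actions advisory, so the earlier `"affected": []` is the less misleading value until a fitting ecosystem exists. In the second hunk the top-level `severity` is raised to `CRITICAL` while this hunk empties the CVSS array to `"severity": []`, leaving the rating with no vector behind it; either retain a CVSS 3.1 vector that agrees with CRITICAL or keep the previous rating. The physical line break inside the new `details` string after `single transaction.` looks like a rendering artifact of this page; if it is a literal newline in the committed file the JSON is invalid and it should be the escape `\n`.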