Publish Advisories

GHSA-rw99-6hrh-fmjr
GHSA-2pfj-366p-4h7w
GHSA-4cgv-84wm-gp2c
GHSA-79wq-mgjf-5cc2
GHSA-9hqr-fq7x-7p43
GHSA-cqhp-94c2-gjjc
GHSA-ffqv-44jp-mf9x
GHSA-ffwc-xvf2-hgr5
GHSA-hj7x-hmf2-hc2p
GHSA-jvjc-r7p7-fpch
GHSA-m3q8-9565-h52h
GHSA-q8c9-jmgv-gvcc
GHSA-rhgj-mg62-rmgh
GHSA-xwf4-w8f7-pwr9

Author: advisory-database[bot]

advisories/unreviewed/2024/11/GHSA-rw99-6hrh-fmjr/GHSA-rw99-6hrh-fmjr.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-rw99-6hrh-fmjr",
-  "modified": "2025-02-06T06:31:25Z",
+  "modified": "2026-03-24T18:31:25Z",
   "published": "2024-11-07T18:31:23Z",
   "aliases": [
     "CVE-2024-10963"
@@ -19,6 +19,14 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-10963"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/linux-pam/linux-pam/issues/834"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/linux-pam/linux-pam/pull/835"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2024:10232"

advisories/unreviewed/2026/03/GHSA-2pfj-366p-4h7w/GHSA-2pfj-366p-4h7w.json

@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2pfj-366p-4h7w",
+  "modified": "2026-03-24T18:31:37Z",
+  "published": "2026-03-24T18:31:37Z",
+  "aliases": [
+    "CVE-2026-26809"
+  ],
+  "details": "Rejected reason: DO NOT USE THIS CVE RECORD. ConsultIDs: none. Reason: This record was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-26809"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-24T18:16:08Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-4cgv-84wm-gp2c/GHSA-4cgv-84wm-gp2c.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4cgv-84wm-gp2c",
+  "modified": "2026-03-24T18:31:35Z",
+  "published": "2026-03-24T18:31:35Z",
+  "aliases": [
+    "CVE-2025-71275"
+  ],
+  "details": "Zimbra Collaboration Suite (ZCS) PostJournal service version 8.8.15 contains a command injection vulnerability that allows unauthenticated attackers to execute arbitrary system commands by exploiting improper sanitization of the RCPT TO parameter via SMTP injection. Attackers can inject shell expansion syntax through the RCPT TO parameter to achieve remote code execution under the Zimbra service context.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-71275"
+    },
+    {
+      "type": "WEB",
+      "url": "https://packetstorm.news/files/id/212108"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/zimbra-collaboration-suite-postjournal-unauthenticated-remote-code-execution-via-smtp-injection"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.zimbra.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-24T16:16:27Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-79wq-mgjf-5cc2/GHSA-79wq-mgjf-5cc2.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-79wq-mgjf-5cc2",
-  "modified": "2026-03-23T21:30:51Z",
+  "modified": "2026-03-24T18:31:28Z",
   "published": "2026-03-23T21:30:51Z",
   "aliases": [
     "CVE-2025-52204"
   ],
   "details": "A Cross-Site Scripting (XSS) vulnerability exists in Znuny::ITSM 6.5.x in the customer.pl endpoint via the OTRSCustomerInterface parameter",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-23T20:16:23Z"

advisories/unreviewed/2026/03/GHSA-9hqr-fq7x-7p43/GHSA-9hqr-fq7x-7p43.json

@@ -30,7 +30,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-122"
+      "CWE-122",
+      "CWE-787"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2026/03/GHSA-cqhp-94c2-gjjc/GHSA-cqhp-94c2-gjjc.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cqhp-94c2-gjjc",
-  "modified": "2026-03-23T21:30:51Z",
+  "modified": "2026-03-24T18:31:28Z",
   "published": "2026-03-23T21:30:51Z",
   "aliases": [
     "CVE-2024-46879"
   ],
   "details": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in the POST request data zipPath of tiki-admin_system.php in Tiki version 21.2. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-23T20:16:22Z"

advisories/unreviewed/2026/03/GHSA-ffqv-44jp-mf9x/GHSA-ffqv-44jp-mf9x.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-ffqv-44jp-mf9x",
+  "modified": "2026-03-24T18:31:35Z",
+  "published": "2026-03-24T18:31:35Z",
+  "aliases": [
+    "CVE-2026-29840"
+  ],
+  "details": "JiZhiCMS v2.5.6 and before contains a Stored Cross-Site Scripting (XSS) vulnerability in the release function within app/home/c/UserController.php. The application attempts to sanitize input by filtering <script> tags but fails to recursively remove dangerous event handlers in other HTML tags (such as onerror in <img> tags). This allows an authenticated remote attacker to inject arbitrary web script or HTML via the body parameter in a POST request to /user/release.html.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29840"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/w-p-man/790f51f918499798180a8def3a6fdfb0"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.demo.com/user/release/molds/article.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-24T16:16:30Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-ffwc-xvf2-hgr5/GHSA-ffwc-xvf2-hgr5.json

@@ -30,6 +30,7 @@
   ],
   "database_specific": {
     "cwe_ids": [
+      "CWE-190",
       "CWE-472"
     ],
     "severity": "HIGH",

advisories/unreviewed/2026/03/GHSA-hj7x-hmf2-hc2p/GHSA-hj7x-hmf2-hc2p.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-hj7x-hmf2-hc2p",
-  "modified": "2026-03-23T18:30:31Z",
+  "modified": "2026-03-24T18:31:27Z",
   "published": "2026-03-23T15:30:44Z",
   "aliases": [
     "CVE-2026-4404"
@@ -34,6 +34,10 @@
     {
       "type": "WEB",
       "url": "https://goharbor.io/docs/1.10/install-config/run-installer-script/#:~:text=If%20you%20did%20not%20change%20them%20in%20harbor.yml,%20the%20default%20administrator%20username%20and%20password%20are%20admin%20and%20Harbor12345"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.kb.cert.org/vuls/id/577436"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/03/GHSA-jvjc-r7p7-fpch/GHSA-jvjc-r7p7-fpch.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jvjc-r7p7-fpch",
-  "modified": "2026-03-23T21:30:51Z",
+  "modified": "2026-03-24T18:31:28Z",
   "published": "2026-03-23T21:30:51Z",
   "aliases": [
     "CVE-2024-46878"
   ],
   "details": "A Cross-Site Scripting (XSS) vulnerability exists in the page parameter of tiki-editpage.php in Tiki version 26.3 and earlier. This vulnerability allows attackers to execute arbitrary JavaScript code via a crafted payload, leading to potential access to sensitive information or unauthorized actions.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-23T20:16:22Z"