Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 1a5e2f7e846a · 2026-04-05T03:32:16.000Z
GHSA-87fw-5q57-v2v9 GHSA-c36w-gwff-q62j GHSA-fqg9-xwv7-hgh3 GHSA-p876-v3r6-x3m8 GHSA-q989-5jj4-3g9q GHSA-r4wp-gg33-whwg GHSA-x5gq-6962-7gv9
diff --git a/advisories/unreviewed/2026/04/GHSA-87fw-5q57-v2v9/GHSA-87fw-5q57-v2v9.json b/advisories/unreviewed/2026/04/GHSA-87fw-5q57-v2v9/GHSA-87fw-5q57-v2v9.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-87fw-5q57-v2v9",
+  "modified": "2026-04-05T03:30:23Z",
+  "published": "2026-04-05T03:30:23Z",
+  "aliases": [
+    "CVE-2026-5533"
+  ],
+  "details": "A vulnerability was determined in badlogic pi-mono 0.58.4. The impacted element is an unknown function of the file packages/web-ui/src/tools/artifacts/SvgArtifact.ts of the component SVG Artifact Handler. This manipulation causes cross site scripting. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5533"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/August829/CVEP/issues/20"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782170"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355286"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355286/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T02:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-c36w-gwff-q62j/GHSA-c36w-gwff-q62j.json b/advisories/unreviewed/2026/04/GHSA-c36w-gwff-q62j/GHSA-c36w-gwff-q62j.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c36w-gwff-q62j",
+  "modified": "2026-04-05T03:30:23Z",
+  "published": "2026-04-05T03:30:23Z",
+  "aliases": [
+    "CVE-2026-5532"
+  ],
+  "details": "A vulnerability was found in ScrapeGraphAI scrapegraph-ai up to 1.74.0. The affected element is the function create_sandbox_and_execute of the file scrapegraphai/nodes/generate_code_node.py of the component GenerateCodeNode Component. The manipulation results in os command injection. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5532"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/August829/CVEP/issues/19"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782169"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355285"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355285/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T02:16:01Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-fqg9-xwv7-hgh3/GHSA-fqg9-xwv7-hgh3.json b/advisories/unreviewed/2026/04/GHSA-fqg9-xwv7-hgh3/GHSA-fqg9-xwv7-hgh3.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fqg9-xwv7-hgh3",
+  "modified": "2026-04-05T03:30:23Z",
+  "published": "2026-04-05T03:30:23Z",
+  "aliases": [
+    "CVE-2026-5534"
+  ],
+  "details": "A vulnerability was identified in itsourcecode Online Enrollment System 1.0. This affects an unknown function of the file /sms/user/index.php?view=edit&id=10 of the component Parameter Handler. Such manipulation of the argument USERID leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5534"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ldan42008-ux/cve/issues/2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782185"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355287"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355287/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T03:16:00Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-p876-v3r6-x3m8/GHSA-p876-v3r6-x3m8.json b/advisories/unreviewed/2026/04/GHSA-p876-v3r6-x3m8/GHSA-p876-v3r6-x3m8.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-p876-v3r6-x3m8",
+  "modified": "2026-04-05T03:30:23Z",
+  "published": "2026-04-05T03:30:23Z",
+  "aliases": [
+    "CVE-2026-5529"
+  ],
+  "details": "A vulnerability was detected in Dromara lamp-cloud up to 5.8.1. This vulnerability affects the function pageUser of the file /defUser/pageUser of the component DefUserController. Performing a manipulation results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5529"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dromara/lamp-cloud/issues/403"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/dromara/lamp-cloud"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782103"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355282"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355282/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T01:16:47Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-q989-5jj4-3g9q/GHSA-q989-5jj4-3g9q.json b/advisories/unreviewed/2026/04/GHSA-q989-5jj4-3g9q/GHSA-q989-5jj4-3g9q.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-q989-5jj4-3g9q",
+  "modified": "2026-04-05T03:30:23Z",
+  "published": "2026-04-05T03:30:23Z",
+  "aliases": [
+    "CVE-2026-5531"
+  ],
+  "details": "A vulnerability has been found in SourceCodester Student Result Management System 1.0. Impacted is an unknown function of the file /login_credentials.txt of the component HTTP GET Request Handler. The manipulation leads to cleartext storage in a file or on disk. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5531"
+    },
+    {
+      "type": "WEB",
+      "url": "https://drive.google.com/file/d/1moQEev6skJoIe7UlL6YyR2xGgX5smeXb/view?usp=sharing"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782157"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355284"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355284/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.sourcecodester.com"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-312"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T02:16:00Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-r4wp-gg33-whwg/GHSA-r4wp-gg33-whwg.json b/advisories/unreviewed/2026/04/GHSA-r4wp-gg33-whwg/GHSA-r4wp-gg33-whwg.json
@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-r4wp-gg33-whwg",
+  "modified": "2026-04-05T03:30:23Z",
+  "published": "2026-04-05T03:30:23Z",
+  "aliases": [
+    "CVE-2026-5530"
+  ],
+  "details": "A flaw has been found in Ollama up to 18.1. This issue affects some unknown processing of the file server/download.go of the component Model Pull API. Executing a manipulation can lead to server-side request forgery. The attack can be launched remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5530"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782107"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355283"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355283/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T01:16:48Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/04/GHSA-x5gq-6962-7gv9/GHSA-x5gq-6962-7gv9.json b/advisories/unreviewed/2026/04/GHSA-x5gq-6962-7gv9/GHSA-x5gq-6962-7gv9.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x5gq-6962-7gv9",
+  "modified": "2026-04-05T03:30:23Z",
+  "published": "2026-04-05T03:30:23Z",
+  "aliases": [
+    "CVE-2026-5535"
+  ],
+  "details": "A security flaw has been discovered in FedML-AI FedML up to 0.8.9. This impacts an unknown function of the file FileUtils.java of the component MQTT Message Handler. Performing a manipulation of the argument dataSet results in path traversal. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5535"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/AnalogyC0de/public_exp/issues/25"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/782200"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355288"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355288/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-05T03:16:01Z"
+  }
+}
