Advisory Database Sync

Author: advisory-database[bot]

advisories/unreviewed/2023/03/GHSA-vxpc-466w-pjjv/GHSA-vxpc-466w-pjjv.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-vxpc-466w-pjjv",
-  "modified": "2023-03-10T03:30:16Z",
+  "modified": "2026-04-13T21:30:30Z",
   "published": "2023-03-01T09:30:29Z",
   "aliases": [
     "CVE-2022-27672"
@@ -26,6 +26,10 @@
     {
       "type": "WEB",
       "url": "https://www.amd.com/en/corporate/product-security/bulletin/AMD-SB-1045"
+    },
+    {
+      "type": "WEB",
+      "url": "http://xenbits.xen.org/xsa/advisory-426.html"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/04/GHSA-24v7-w2x9-2cxh/GHSA-24v7-w2x9-2cxh.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-24v7-w2x9-2cxh",
-  "modified": "2026-04-09T00:32:00Z",
+  "modified": "2026-04-13T21:30:37Z",
   "published": "2026-04-09T00:32:00Z",
   "aliases": [
     "CVE-2026-5887"
   ],
   "details": "Insufficient validation of untrusted input in Downloads in Google Chrome on Windows prior to 147.0.7727.55 allowed a remote attacker to bypass download restrictions via a crafted HTML page. (Chromium security severity: Medium)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -27,7 +32,7 @@
     "cwe_ids": [
       "CWE-20"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-08T22:16:28Z"

advisories/unreviewed/2026/04/GHSA-295f-cjg2-fv68/GHSA-295f-cjg2-fv68.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-295f-cjg2-fv68",
-  "modified": "2026-04-08T09:31:36Z",
+  "modified": "2026-04-13T21:30:36Z",
   "published": "2026-04-08T09:31:36Z",
   "aliases": [
     "CVE-2026-39713"
   ],
   "details": "Missing Authorization vulnerability in mailercloud Mailercloud &#8211; Integrate webforms and synchronize website contacts mailercloud-integrate-webforms-synchronize-contacts allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Mailercloud &#8211; Integrate webforms and synchronize website contacts: from n/a through <= 1.0.7.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-862"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-08T09:16:44Z"

advisories/unreviewed/2026/04/GHSA-2chh-fcwm-p667/GHSA-2chh-fcwm-p667.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2chh-fcwm-p667",
-  "modified": "2026-04-08T09:31:35Z",
+  "modified": "2026-04-13T21:30:36Z",
   "published": "2026-04-08T09:31:35Z",
   "aliases": [
     "CVE-2026-39691"
   ],
   "details": "Missing Authorization vulnerability in AdAstraCrypto Cryptocurrency Donation Box – Bitcoin & Crypto Donations cryptocurrency-donation-box allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Cryptocurrency Donation Box – Bitcoin & Crypto Donations: from n/a through <= 2.2.13.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-862"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-08T09:16:41Z"

advisories/unreviewed/2026/04/GHSA-2h64-4pg7-rq8p/GHSA-2h64-4pg7-rq8p.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2h64-4pg7-rq8p",
-  "modified": "2026-04-09T00:32:00Z",
+  "modified": "2026-04-13T21:30:39Z",
   "published": "2026-04-09T00:32:00Z",
   "aliases": [
     "CVE-2026-5904"
   ],
   "details": "Use after free in V8 in Google Chrome prior to 147.0.7727.55 allowed an attacker who convinced a user to install a malicious extension to potentially exploit heap corruption via a crafted Chrome Extension. (Chromium security severity: Low)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -27,7 +32,7 @@
     "cwe_ids": [
       "CWE-416"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-08T22:16:30Z"

advisories/unreviewed/2026/04/GHSA-2m2q-qgx4-j4mp/GHSA-2m2q-qgx4-j4mp.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2m2q-qgx4-j4mp",
+  "modified": "2026-04-13T21:30:43Z",
+  "published": "2026-04-13T21:30:43Z",
+  "aliases": [
+    "CVE-2026-29955"
+  ],
+  "details": "The `/registercrd` endpoint in KubePlus 4.14 in the kubeconfiggenerator component is vulnerable to command injection. The component uses `subprocess.Popen()` with `shell=True` parameter to execute shell commands, and the user-supplied `chartName` parameter is directly concatenated into the command string without any sanitization or validation. An attacker can inject arbitrary shell commands by crafting a malicious `chartName` parameter value.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-29955"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/b0b0haha/f011fdd69adc3ae272a4e3b99af90163"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/b0b0haha/CVE-2026-29955/blob/main/README.md"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-13T19:16:39Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2mpg-m27w-5p6f/GHSA-2mpg-m27w-5p6f.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2mpg-m27w-5p6f",
-  "modified": "2026-04-08T09:31:32Z",
+  "modified": "2026-04-13T21:30:35Z",
   "published": "2026-04-08T09:31:32Z",
   "aliases": [
     "CVE-2026-39504"
   ],
   "details": "Missing Authorization vulnerability in InstaWP InstaWP Connect instawp-connect allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects InstaWP Connect: from n/a through <= 0.1.2.5.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-862"
     ],
-    "severity": null,
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-08T09:16:24Z"

advisories/unreviewed/2026/04/GHSA-2pmg-wxw5-4334/GHSA-2pmg-wxw5-4334.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2pmg-wxw5-4334",
-  "modified": "2026-04-13T15:31:43Z",
+  "modified": "2026-04-13T21:30:43Z",
   "published": "2026-04-13T15:31:43Z",
   "aliases": [
     "CVE-2026-36944"
   ],
   "details": "Sourcecodester Computer and Mobile Repair Shop Management System v1.0 is vulnerale to SQL injection in the file/rsms/admin/repairs/view_details.php.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -20,8 +25,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-89"
+    ],
+    "severity": "LOW",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-13T15:17:34Z"

advisories/unreviewed/2026/04/GHSA-2qmh-3x75-j23v/GHSA-2qmh-3x75-j23v.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2qmh-3x75-j23v",
-  "modified": "2026-04-08T09:31:35Z",
+  "modified": "2026-04-13T21:30:36Z",
   "published": "2026-04-08T09:31:35Z",
   "aliases": [
     "CVE-2026-39679"
   ],
   "details": "Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in ApusTheme Freeio freeio allows PHP Local File Inclusion.This issue affects Freeio: from n/a through <= 1.3.21.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -23,7 +28,7 @@
     "cwe_ids": [
       "CWE-98"
     ],
-    "severity": null,
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-08T09:16:39Z"

advisories/unreviewed/2026/04/GHSA-2x9w-3q66-8rrm/GHSA-2x9w-3q66-8rrm.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2x9w-3q66-8rrm",
-  "modified": "2026-04-09T00:32:00Z",
+  "modified": "2026-04-13T21:30:38Z",
   "published": "2026-04-09T00:32:00Z",
   "aliases": [
     "CVE-2026-5897"
   ],
   "details": "Incorrect security UI in Downloads in Google Chrome prior to 147.0.7727.55 allowed a remote attacker who convinced a user to engage in specific UI gestures to perform UI spoofing via a crafted HTML page. (Chromium security severity: Low)",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -24,8 +29,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-451"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-04-08T22:16:29Z"