Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 2acf466b45a9 · 2026-01-20T09:31:48.000Z
GHSA-fjj6-9j9h-gwcp GHSA-hrmx-9vmm-xj23 GHSA-jv72-wxjv-h5q2 GHSA-w9fp-wg9v-cr6h GHSA-wm49-2vmh-chv3
diff --git a/advisories/unreviewed/2026/01/GHSA-fjj6-9j9h-gwcp/GHSA-fjj6-9j9h-gwcp.json b/advisories/unreviewed/2026/01/GHSA-fjj6-9j9h-gwcp/GHSA-fjj6-9j9h-gwcp.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fjj6-9j9h-gwcp",
+  "modified": "2026-01-20T09:30:20Z",
+  "published": "2026-01-20T09:30:20Z",
+  "aliases": [
+    "CVE-2026-1222"
+  ],
+  "details": "PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Arbitrary File Upload vulnerability, allowing privileged remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1222"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T07:15:50Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-hrmx-9vmm-xj23/GHSA-hrmx-9vmm-xj23.json b/advisories/unreviewed/2026/01/GHSA-hrmx-9vmm-xj23/GHSA-hrmx-9vmm-xj23.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-hrmx-9vmm-xj23",
+  "modified": "2026-01-20T09:30:20Z",
+  "published": "2026-01-20T09:30:20Z",
+  "aliases": [
+    "CVE-2025-41768"
+  ],
+  "details": "On an instance of TwinCAT 3 HMI Server running on a device an authenticated administrator can inject arbitrary content into the custom CSS field which is persisted on the device and later returned via the login page and error page.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-41768"
+    },
+    {
+      "type": "WEB",
+      "url": "https://certvde.com/de/advisories/VDE-2025-106"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T09:15:59Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-jv72-wxjv-h5q2/GHSA-jv72-wxjv-h5q2.json b/advisories/unreviewed/2026/01/GHSA-jv72-wxjv-h5q2/GHSA-jv72-wxjv-h5q2.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-jv72-wxjv-h5q2",
+  "modified": "2026-01-20T09:30:20Z",
+  "published": "2026-01-20T09:30:20Z",
+  "aliases": [
+    "CVE-2025-66523"
+  ],
+  "details": "URL parameters are directly embedded into JavaScript code or HTML attributes without proper encoding or sanitization. This allows attackers to inject arbitrary scripts when an authenticated user visits a crafted link.\n\n\n\n\n\n\nThis issue affects na1.foxitesign.foxit.com: before 2026‑01‑16.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-66523"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.foxit.com/support/security-bulletins.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T07:15:48Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-w9fp-wg9v-cr6h/GHSA-w9fp-wg9v-cr6h.json b/advisories/unreviewed/2026/01/GHSA-w9fp-wg9v-cr6h/GHSA-w9fp-wg9v-cr6h.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w9fp-wg9v-cr6h",
+  "modified": "2026-01-20T09:30:20Z",
+  "published": "2026-01-20T09:30:20Z",
+  "aliases": [
+    "CVE-2026-1223"
+  ],
+  "details": "PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS has an Insufficiently Protected Credentials vulnerability, allowing privileged remote attackers to allowing authenticated remote attackers to obtain SMTP plaintext passwords through the web frontend.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1223"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-522"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T07:15:50Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-wm49-2vmh-chv3/GHSA-wm49-2vmh-chv3.json b/advisories/unreviewed/2026/01/GHSA-wm49-2vmh-chv3/GHSA-wm49-2vmh-chv3.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wm49-2vmh-chv3",
+  "modified": "2026-01-20T09:30:20Z",
+  "published": "2026-01-20T09:30:20Z",
+  "aliases": [
+    "CVE-2026-1221"
+  ],
+  "details": "PrismX MX100 AP controller developed by BROWAN COMMUNICATIONS  has a Use of Hard-coded Credentials vulnerability, allowing unauthenticated remote attackers to log in to the database using hardcoded database credentials stored in the firmware.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1221"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10643-2f8d7-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10642-3b808-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-798"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T07:15:50Z"
+  }
+}
