Publish Advisories

GHSA-g7mr-vm94-3rv7
GHSA-25w3-8f4h-3qh6
GHSA-72r6-p2x3-g9gj
GHSA-7w3v-mfh5-q7x3
GHSA-c3cr-f45p-2vfp
GHSA-fj7g-gh2h-jx3m
GHSA-h46w-ffvp-4pw5
GHSA-m3x9-92c9-624c
GHSA-rjxq-j5v8-3c89

Author: advisory-database[bot]

advisories/unreviewed/2025/11/GHSA-g7mr-vm94-3rv7/GHSA-g7mr-vm94-3rv7.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-g7mr-vm94-3rv7",
-  "modified": "2026-03-16T21:34:29Z",
+  "modified": "2026-03-17T00:31:34Z",
   "published": "2025-11-18T21:32:31Z",
   "aliases": [
     "CVE-2025-61662"
@@ -19,6 +19,10 @@
       "type": "ADVISORY",
       "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-61662"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:4648"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:4649"
@@ -27,6 +31,10 @@
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:4652"
     },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/errata/RHSA-2026:4653"
+    },
     {
       "type": "WEB",
       "url": "https://access.redhat.com/errata/RHSA-2026:4654"

advisories/unreviewed/2026/03/GHSA-25w3-8f4h-3qh6/GHSA-25w3-8f4h-3qh6.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-25w3-8f4h-3qh6",
+  "modified": "2026-03-17T00:31:34Z",
+  "published": "2026-03-17T00:31:34Z",
+  "aliases": [
+    "CVE-2026-4284"
+  ],
+  "details": "A vulnerability was determined in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. This issue affects the function downloadFile of the file - yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/PPTUtil.java of the component PPT File Handler. This manipulation of the argument url causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4284"
+    },
+    {
+      "type": "WEB",
+      "url": "https://fx4tqqfvdw4.feishu.cn/docx/XF5WdvWAEoU9jyx2C2mcImSMnBg?from=from_copylink"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.351290"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.351290"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.771949"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-16T23:16:21Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-72r6-p2x3-g9gj/GHSA-72r6-p2x3-g9gj.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-72r6-p2x3-g9gj",
+  "modified": "2026-03-17T00:31:34Z",
+  "published": "2026-03-17T00:31:34Z",
+  "aliases": [
+    "CVE-2026-4177"
+  ],
+  "details": "YAML::Syck versions through 1.36 for Perl has several potential security vulnerabilities including a high-severity heap buffer overflow in the YAML emitter.\n\nThe heap overflow occurs when class names exceed the initial 512-byte allocation.\n\nThe base64 decoder could read past the buffer end on trailing newlines.\n\nstrtok mutated n->type_id in place, corrupting shared node data.\n\nA memory leak occurred in syck_hdlr_add_anchor when a node already had an anchor. The incoming anchor string 'a' was leaked on early return.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4177"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/cpan-authors/YAML-Syck/commit/e8844a31c8cf0052914b198fc784ed4e6b8ae69e.patch"
+    },
+    {
+      "type": "WEB",
+      "url": "https://metacpan.org/release/TODDR/YAML-Syck-1.37_01/changes#L21"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-122"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-16T23:16:21Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-7w3v-mfh5-q7x3/GHSA-7w3v-mfh5-q7x3.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7w3v-mfh5-q7x3",
+  "modified": "2026-03-17T00:31:34Z",
+  "published": "2026-03-17T00:31:34Z",
+  "aliases": [
+    "CVE-2026-4289"
+  ],
+  "details": "A security vulnerability has been detected in Tiandy Easy7 Integrated Management Platform up to 7.17.0. This affects an unknown function of the file /rest/preSetTemplate/getRecByTemplateId. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4289"
+    },
+    {
+      "type": "WEB",
+      "url": "https://my.feishu.cn/docx/UmmudBVvYoMwpIxUtTicjsS8nDe?from=from_copylink"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.351294"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.351294"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.771997"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T00:16:19Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-c3cr-f45p-2vfp/GHSA-c3cr-f45p-2vfp.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-c3cr-f45p-2vfp",
+  "modified": "2026-03-17T00:31:34Z",
+  "published": "2026-03-17T00:31:34Z",
+  "aliases": [
+    "CVE-2026-4285"
+  ],
+  "details": "A vulnerability was identified in taoofagi easegen-admin up to 8f87936ac774065b92fb20aab55b274a6ea76433. Impacted is the function recognizeMarkdown of the file yudao-module-digitalcourse/yudao-module-digitalcourse-biz/src/main/java/cn/iocoder/yudao/module/digitalcourse/util/Pdf2MdUtil.java. Such manipulation of the argument fileUrl leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4285"
+    },
+    {
+      "type": "WEB",
+      "url": "https://fx4tqqfvdw4.feishu.cn/docx/KezQdqzVGoTVj9x8SH1c9dNvnOg?from=from_copylink"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.351291"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.351291"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.771950"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T00:16:19Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-fj7g-gh2h-jx3m/GHSA-fj7g-gh2h-jx3m.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fj7g-gh2h-jx3m",
+  "modified": "2026-03-17T00:31:34Z",
+  "published": "2026-03-17T00:31:34Z",
+  "aliases": [
+    "CVE-2026-4288"
+  ],
+  "details": "A weakness has been identified in Tiandy Easy7 Integrated Management Platform 7.17.0. The impacted element is an unknown function of the file /rest/devStatus/getDevDetailedInfo of the component Endpoint. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4288"
+    },
+    {
+      "type": "WEB",
+      "url": "https://my.feishu.cn/docx/LgjudozCFo9rVTx57hJcDyk0nXd?from=from_copylink"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.351293"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.351293"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.771963"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T00:16:19Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-h46w-ffvp-4pw5/GHSA-h46w-ffvp-4pw5.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-h46w-ffvp-4pw5",
-  "modified": "2026-03-16T18:32:04Z",
+  "modified": "2026-03-17T00:31:34Z",
   "published": "2026-03-16T18:32:04Z",
   "aliases": [
     "CVE-2026-4224"
@@ -42,6 +42,10 @@
     {
       "type": "WEB",
       "url": "https://mail.python.org/archives/list/security-announce@python.org/thread/5M7CGUW3XBRY7II4DK43KF7NQQ3TPZ6R"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/03/16/4"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/03/GHSA-m3x9-92c9-624c/GHSA-m3x9-92c9-624c.json

@@ -0,0 +1,34 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m3x9-92c9-624c",
+  "modified": "2026-03-17T00:31:34Z",
+  "published": "2026-03-17T00:31:34Z",
+  "aliases": [
+    "CVE-2026-21991"
+  ],
+  "details": "A DTrace component, dtprobed, allows arbitrary file creation through crafted USDT provider names.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-21991"
+    },
+    {
+      "type": "WEB",
+      "url": "https://linux.oracle.com/cve/CVE-2026-21991.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-16T22:16:18Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-rjxq-j5v8-3c89/GHSA-rjxq-j5v8-3c89.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rjxq-j5v8-3c89",
+  "modified": "2026-03-17T00:31:34Z",
+  "published": "2026-03-17T00:31:34Z",
+  "aliases": [
+    "CVE-2026-4287"
+  ],
+  "details": "A security flaw has been discovered in Tiandy Easy7 Integrated Management Platform 7.17.0. The affected element is an unknown function of the file /rest/devStatus/queryResources of the component Endpoint. Performing a manipulation of the argument areaId results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4287"
+    },
+    {
+      "type": "WEB",
+      "url": "https://my.feishu.cn/docx/F68OduQq8oI2MdxmjHlch8u5n8f?from=from_copylink"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.351292"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.351292"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.771956"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T00:16:19Z"
+  }
+}