Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 331cd25fca87 · 2026-01-20T03:31:46.000Z
GHSA-2wh9-wm58-w79r GHSA-43rr-x62x-q96w GHSA-57xj-86j2-jqm5 GHSA-mcww-77h6-2wxm GHSA-rj2q-p862-w9r3 GHSA-wq8p-q8cq-94w5 GHSA-x64m-wg95-494x
diff --git a/advisories/unreviewed/2026/01/GHSA-2wh9-wm58-w79r/GHSA-2wh9-wm58-w79r.json b/advisories/unreviewed/2026/01/GHSA-2wh9-wm58-w79r/GHSA-2wh9-wm58-w79r.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2wh9-wm58-w79r",
+  "modified": "2026-01-20T03:30:28Z",
+  "published": "2026-01-20T03:30:28Z",
+  "aliases": [
+    "CVE-2026-1051"
+  ],
+  "details": "The Newsletter – Send awesome emails from WordPress plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 9.1.0. This is due to missing or incorrect nonce validation on the hook_newsletter_action() function. This makes it possible for unauthenticated attackers to unsubscribe newsletter subscribers via a forged request granted they can trick a logged-in user into performing an action such as clicking on a link.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1051"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/newsletter/tags/9.1.0/unsubscription/unsubscription.php#L141"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/8de2156f-5087-4c16-8e5d-93b5c72ec536?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-352"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T02:15:46Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-43rr-x62x-q96w/GHSA-43rr-x62x-q96w.json b/advisories/unreviewed/2026/01/GHSA-43rr-x62x-q96w/GHSA-43rr-x62x-q96w.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-43rr-x62x-q96w",
+  "modified": "2026-01-20T03:30:28Z",
+  "published": "2026-01-20T03:30:28Z",
+  "aliases": [
+    "CVE-2026-1195"
+  ],
+  "details": "A weakness has been identified in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is said to be difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1195"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SourByte05/MineAdmin-Vulnerability/issues/4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341780"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341780"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734272"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-345"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T01:15:56Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-57xj-86j2-jqm5/GHSA-57xj-86j2-jqm5.json b/advisories/unreviewed/2026/01/GHSA-57xj-86j2-jqm5/GHSA-57xj-86j2-jqm5.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-57xj-86j2-jqm5",
+  "modified": "2026-01-20T03:30:28Z",
+  "published": "2026-01-20T03:30:28Z",
+  "aliases": [
+    "CVE-2026-1197"
+  ],
+  "details": "A vulnerability was detected in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. The attack can be initiated remotely. The attack's complexity is rated as high. The exploitation appears to be difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1197"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SourByte05/MineAdmin-Vulnerability/issues/2"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341782"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341782"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734274"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T01:15:56Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-mcww-77h6-2wxm/GHSA-mcww-77h6-2wxm.json b/advisories/unreviewed/2026/01/GHSA-mcww-77h6-2wxm/GHSA-mcww-77h6-2wxm.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mcww-77h6-2wxm",
+  "modified": "2026-01-20T03:30:28Z",
+  "published": "2026-01-20T03:30:28Z",
+  "aliases": [
+    "CVE-2025-14978"
+  ],
+  "details": "The PeachPay — Payments & Express Checkout for WooCommerce (supports Stripe, PayPal, Square, Authorize.net) plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability checks on the ConvesioPay webhook REST endpoint in all versions up to, and including, 1.119.8. This makes it possible for unauthenticated attackers to modify the status of arbitrary WooCommerce orders.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14978"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/peachpay-for-woocommerce/tags/1.119.5/core/payments/convesiopay/routes/class-peachpay-convesiopay-webhook.php#L33"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/5480a151-3e3a-46ba-9712-6c61fba06812?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T02:15:45Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-rj2q-p862-w9r3/GHSA-rj2q-p862-w9r3.json b/advisories/unreviewed/2026/01/GHSA-rj2q-p862-w9r3/GHSA-rj2q-p862-w9r3.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-rj2q-p862-w9r3",
+  "modified": "2026-01-20T03:30:28Z",
+  "published": "2026-01-20T03:30:28Z",
+  "aliases": [
+    "CVE-2026-1203"
+  ],
+  "details": "A weakness has been identified in CRMEB up to 5.6.3. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is regarded as difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1203"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/foeCat/CVE/blob/main/CRMEB/jwt_auth_bypass/remote_register_jwt_bypass.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341789"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341789"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.735349"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T01:15:56Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-wq8p-q8cq-94w5/GHSA-wq8p-q8cq-94w5.json b/advisories/unreviewed/2026/01/GHSA-wq8p-q8cq-94w5/GHSA-wq8p-q8cq-94w5.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-wq8p-q8cq-94w5",
+  "modified": "2026-01-20T03:30:28Z",
+  "published": "2026-01-20T03:30:28Z",
+  "aliases": [
+    "CVE-2026-1196"
+  ],
+  "details": "A security vulnerability has been detected in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. It is possible to launch the attack remotely. The attack requires a high level of complexity. The exploitability is told to be difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1196"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/SourByte05/MineAdmin-Vulnerability/issues/3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341781"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341781"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734273"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-200"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T01:15:56Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-x64m-wg95-494x/GHSA-x64m-wg95-494x.json b/advisories/unreviewed/2026/01/GHSA-x64m-wg95-494x/GHSA-x64m-wg95-494x.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-x64m-wg95-494x",
+  "modified": "2026-01-20T03:30:28Z",
+  "published": "2026-01-20T03:30:28Z",
+  "aliases": [
+    "CVE-2026-1202"
+  ],
+  "details": "A security flaw has been discovered in CRMEB up to 5.6.3. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1202"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/foeCat/CVE/blob/main/CRMEB/apple_login_auth_bypass.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.341788"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.341788"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.734711"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-20T01:15:56Z"
+  }
+}
