Publish Advisories

GHSA-2987-f6gf-82vj
GHSA-2jcx-2m59-6cv8
GHSA-2qh3-3rmv-x43w
GHSA-35q9-fp2v-jhcq
GHSA-3jqw-2342-vgxw
GHSA-5568-6qcg-g7fx
GHSA-66q3-hgw9-jr5j
GHSA-frr3-hpw2-j7cq

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-2987-f6gf-82vj/GHSA-2987-f6gf-82vj.json

@@ -0,0 +1,35 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2987-f6gf-82vj",
+  "modified": "2026-04-10T12:31:44Z",
+  "published": "2026-04-10T12:31:44Z",
+  "aliases": [
+    "CVE-2026-6057"
+  ],
+  "details": "FalkorDB Browser 1.9.3 contains an unauthenticated path traversal vulnerability in the file upload API that allows remote attackers to write arbitrary files and achieve remote code execution.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6057"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FalkorDB/falkordb-browser/pull/1611"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/FalkorDB/falkordb-browser"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T10:16:04Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2jcx-2m59-6cv8/GHSA-2jcx-2m59-6cv8.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2jcx-2m59-6cv8",
+  "modified": "2026-04-10T12:31:44Z",
+  "published": "2026-04-10T12:31:44Z",
+  "aliases": [
+    "CVE-2021-47961"
+  ],
+  "details": "A plaintext storage of a password vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access or influence the user's PIN code due to insecure storage. This may lead to unauthorized VPN configuration and potential interception of subsequent VPN traffic when combined with user interaction.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47961"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_26_05"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-256"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T10:16:03Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2qh3-3rmv-x43w/GHSA-2qh3-3rmv-x43w.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-2qh3-3rmv-x43w",
-  "modified": "2026-04-10T09:31:16Z",
+  "modified": "2026-04-10T12:31:44Z",
   "published": "2026-04-10T09:31:16Z",
   "aliases": [
     "CVE-2026-6042"
@@ -42,6 +42,10 @@
     {
       "type": "WEB",
       "url": "https://www.openwall.com/lists/oss-security/2026/04/03/2"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/19"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/04/GHSA-35q9-fp2v-jhcq/GHSA-35q9-fp2v-jhcq.json

@@ -0,0 +1,49 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-35q9-fp2v-jhcq",
+  "modified": "2026-04-10T12:31:44Z",
+  "published": "2026-04-10T12:31:44Z",
+  "aliases": [
+    "CVE-2026-31412"
+  ],
+  "details": "In the Linux kernel, the following vulnerability has been resolved:\n\nusb: gadget: f_mass_storage: Fix potential integer overflow in check_command_size_in_blocks()\n\nThe `check_command_size_in_blocks()` function calculates the data size\nin bytes by left shifting `common->data_size_from_cmnd` by the block\nsize (`common->curlun->blkbits`). However, it does not validate whether\nthis shift operation will cause an integer overflow.\n\nInitially, the block size is set up in `fsg_lun_open()` , and the\n`common->data_size_from_cmnd` is set up in `do_scsi_command()`. During\ninitialization, there is no integer overflow check for the interaction\nbetween two variables.\n\nSo if a malicious USB host sends a SCSI READ or WRITE command\nrequesting a large amount of data (`common->data_size_from_cmnd`), the\nleft shift operation can wrap around. This results in a truncated data\nsize, which can bypass boundary checks and potentially lead to memory\ncorruption or out-of-bounds accesses.\n\nFix this by using the check_shl_overflow() macro to safely perform the\nshift and catch any overflows.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-31412"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/228b37936376143f4b60cc6828663f6eaceb81b5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/3428dc5520c811e66622b2f5fa43341bf9a1f8b3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/387ebb0453b99d71491419a5dc4ab4bee0cacbac"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/8479891d1f04a8ce55366fe4ca361ccdb96f02e1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/91817ad5452defe69bc7bc0e355f0ed5d01125cc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://git.kernel.org/stable/c/ce0caaed5940162780c5c223b8ae54968a5f059b"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T11:16:22Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-3jqw-2342-vgxw/GHSA-3jqw-2342-vgxw.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3jqw-2342-vgxw",
+  "modified": "2026-04-10T12:31:44Z",
+  "published": "2026-04-10T12:31:44Z",
+  "aliases": [
+    "CVE-2026-5777"
+  ],
+  "details": "This vulnerability exists in the Atom 3x Projector due to improper exposure of the Android Debug Bridge (ADB) service over the local network without authentication or access controls. An unauthenticated attacker on the same network can exploit this vulnerability to obtain root-level access, leading to complete compromise of the targeted device.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5777"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.cert-in.org.in/s2cMainServlet?pageid=PUBVLNOTES01&VLCODE=CIVN-2026-0179"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-306"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T12:16:04Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-5568-6qcg-g7fx/GHSA-5568-6qcg-g7fx.json

@@ -0,0 +1,33 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5568-6qcg-g7fx",
+  "modified": "2026-04-10T12:31:44Z",
+  "published": "2026-04-10T12:31:44Z",
+  "aliases": [
+    "CVE-2026-39304"
+  ],
+  "details": "Denial of Service via Out of Memory vulnerability in Apache ActiveMQ Client, Apache ActiveMQ Broker, Apache ActiveMQ.\n\nActiveMQ NIO SSL transports do not correctly handle TLSv1.3 handshake KeyUpdates triggered by clients. This makes it possible for a client to rapidly trigger updates which causes the broker to exhaust all its memory in the SSL engine leading to DoS.\n\nNote: TLS versions before TLSv1.3 (such as TLSv1.2) are broken but are not vulnerable to OOM. Previous TLS versions require a full handshake renegotiation which causes a connection to hang but not OOM. This is fixed as well.\nThis issue affects Apache ActiveMQ Client: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ Broker: before 5.19.4, from 6.0.0 before 6.2.4; Apache ActiveMQ: before 5.19.4, from 6.0.0 before 6.2.4.\n\nUsers are recommended to upgrade to version 6.2.4 or 5.19.5, which fixes the issue.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39304"
+    },
+    {
+      "type": "WEB",
+      "url": "https://activemq.apache.org/security-advisories.data/CVE-2026-39304-announcement.txt"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/09/17"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T11:16:23Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-66q3-hgw9-jr5j/GHSA-66q3-hgw9-jr5j.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-66q3-hgw9-jr5j",
+  "modified": "2026-04-10T12:31:44Z",
+  "published": "2026-04-10T12:31:44Z",
+  "aliases": [
+    "CVE-2026-4162"
+  ],
+  "details": "The Gravity SMTP plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 2.1.4. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for authenticated attackers, with subscriber-level access and above, to uninstall and deactivate the plugin and delete plugin options. NOTE: This vulnerability is also exploitable via a Cross-Site Request Forgery vector.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4162"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.gravityforms.com/brand-new-release-gravity-smtp-2-1-5"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/0f9d18a4-262b-4011-91e9-b29a27a76470?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T10:16:04Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-frr3-hpw2-j7cq/GHSA-frr3-hpw2-j7cq.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-frr3-hpw2-j7cq",
+  "modified": "2026-04-10T12:31:44Z",
+  "published": "2026-04-10T12:31:44Z",
+  "aliases": [
+    "CVE-2021-47960"
+  ],
+  "details": "A files or directories accessible to external parties vulnerability in Synology SSL VPN Client before 1.4.5-0684 allows remote attackers to access files within the installation directory via a local HTTP server bound to the loopback interface. By leveraging user interaction with a crafted web page, attackers may retrieve sensitive files such as configuration files, certificates, and logs, leading to information disclosure.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-47960"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.synology.com/en-global/security/advisory/Synology_SA_26_05"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-552"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T10:16:02Z"
+  }
+}