Publish Advisories

GHSA-2836-hmqw-wf98
GHSA-293r-hxw5-cfmj
GHSA-38x4-r8qv-j5v2
GHSA-42cc-jrr3-ghpw
GHSA-5pv2-86qj-5jf9
GHSA-6c34-3mhj-jwxw
GHSA-7gjf-f5f3-qqxw
GHSA-9qc9-mh55-7xp5
GHSA-9r7w-j29g-xqx8
GHSA-gqp3-hfc3-8q54
GHSA-q6vj-q94p-g3rc
GHSA-q7h9-pvj5-g9fp
GHSA-rgcc-vxwc-jxf9
GHSA-vqjc-m5xh-jhx3
GHSA-wj32-w776-h6m2
GHSA-x42f-vq92-fh92
GHSA-x858-8gr5-586m
GHSA-xx6p-3747-7pwp

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-2836-hmqw-wf98/GHSA-2836-hmqw-wf98.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2836-hmqw-wf98",
+  "modified": "2026-04-20T12:32:01Z",
+  "published": "2026-04-20T12:32:01Z",
+  "aliases": [
+    "CVE-2026-6631"
+  ],
+  "details": "A vulnerability was determined in Tenda F451 1.0.0.7_cn_svn7958. Impacted is the function fromwebExcptypemanFilter of the file /goform/webExcptypemanFilter of the component httpd. Executing a manipulation of the argument page can lead to buffer overflow. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6631"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Jimi-Lab/cve/issues/25"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792904"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358265"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358265/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.tenda.com.cn"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-119"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T11:16:19Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-293r-hxw5-cfmj/GHSA-293r-hxw5-cfmj.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-293r-hxw5-cfmj",
+  "modified": "2026-04-20T12:32:01Z",
+  "published": "2026-04-20T12:32:01Z",
+  "aliases": [
+    "CVE-2026-6623"
+  ],
+  "details": "A security flaw has been discovered in BichitroGan ISP Billing Software 2025.3.20. This impacts an unknown function of the file /?_route=settings/users-view/ of the component Profile Page Handler. Performing a manipulation results in cross site scripting. The attack is possible to be carried out remotely. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6623"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/4m3rr0r/PoCVulDb/issues/17"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792394"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358258"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358258/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T10:16:17Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-38x4-r8qv-j5v2/GHSA-38x4-r8qv-j5v2.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-38x4-r8qv-j5v2",
+  "modified": "2026-04-20T12:32:01Z",
+  "published": "2026-04-20T12:32:01Z",
+  "aliases": [
+    "CVE-2026-6629"
+  ],
+  "details": "A vulnerability has been found in Metasoft 美特软件 MetaCRM up to 6.4.0. This vulnerability affects the function Statement.executeUpdate of the file sql.jsp of the component Interface. Such manipulation of the argument sql leads to sql injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6629"
+    },
+    {
+      "type": "WEB",
+      "url": "https://my.feishu.cn/docx/JttndUaPLoR88HxI1alcz1uencf?from=from_copylink"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792615"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358263"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358263/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T11:16:18Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-42cc-jrr3-ghpw/GHSA-42cc-jrr3-ghpw.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-42cc-jrr3-ghpw",
+  "modified": "2026-04-20T12:32:01Z",
+  "published": "2026-04-20T12:32:01Z",
+  "aliases": [
+    "CVE-2026-6636"
+  ],
+  "details": "A vulnerability was detected in p2r3 convert up to 6998584ace3e11db66dff0b423612a5cf91de75b. Affected is the function Bun.serve of the file buildCache.js of the component API. Performing a manipulation of the argument pathname results in path traversal. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6636"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Dave-gilmore-aus/security-advisories/blob/main/convert-advisory"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/793436"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358270"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358270/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T12:16:09Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-5pv2-86qj-5jf9/GHSA-5pv2-86qj-5jf9.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-5pv2-86qj-5jf9",
+  "modified": "2026-04-20T12:32:01Z",
+  "published": "2026-04-20T12:32:01Z",
+  "aliases": [
+    "CVE-2026-6626"
+  ],
+  "details": "A vulnerability was detected in Cockpit-HQ Cockpit up to 2.13.5. Affected by this issue is some unknown functionality of the component Asset Handler/Aggregate Handler. The manipulation results in improper neutralization of special elements in data query logic. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6626"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/NicolasPauferro/studiesofnosqli"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792601"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358261"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358261/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T10:16:17Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-6c34-3mhj-jwxw/GHSA-6c34-3mhj-jwxw.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-6c34-3mhj-jwxw",
+  "modified": "2026-04-20T12:32:01Z",
+  "published": "2026-04-20T12:32:01Z",
+  "aliases": [
+    "CVE-2026-6635"
+  ],
+  "details": "A security vulnerability has been detected in rowboatlabs rowboat up to 0.1.67. This impacts the function tool_call of the file apps/experimental/tools_webhook/app.py of the component tools_webhook. Such manipulation of the argument X-Tools-JWE leads to improper authentication. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6635"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Dave-gilmore-aus/security-advisories/blob/main/rowbat-advisory"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/793433"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358269"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358269/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-287"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T12:16:09Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-7gjf-f5f3-qqxw/GHSA-7gjf-f5f3-qqxw.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7gjf-f5f3-qqxw",
+  "modified": "2026-04-20T12:32:01Z",
+  "published": "2026-04-20T12:32:01Z",
+  "aliases": [
+    "CVE-2026-6633"
+  ],
+  "details": "A security flaw has been discovered in Yifang CMS up to 2.0.5. The impacted element is the function store of the file plugins/yifang_backend_account/logic/admin/L_rbac_admin.php of the component Extended Management Module. The manipulation of the argument Account results in cross site scripting. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6633"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/shiyifei999-ux/cve/issues/1"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/793352"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358267"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/358267/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-20T12:16:09Z"
+  }
+}