Publish Advisories

GHSA-7q9f-ppr5-2mfg
GHSA-m236-84g9-jvrg
GHSA-w3g9-vqjw-3qr3
GHSA-w5qj-7xqm-q39c
GHSA-xfvg-p8x9-f25q

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-7q9f-ppr5-2mfg/GHSA-7q9f-ppr5-2mfg.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7q9f-ppr5-2mfg",
+  "modified": "2026-01-22T03:31:28Z",
+  "published": "2026-01-22T03:31:28Z",
+  "aliases": [
+    "CVE-2025-27380"
+  ],
+  "details": "HTML injection in Project Release in Altium Enterprise Server (AES) 7.0.3 on all platforms allows an authenticated attacker to execute arbitrary JavaScript in the victim’s browser via crafted HTML content.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27380"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.altium.com/platform/security-compliance/security-advisories"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T02:15:51Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-m236-84g9-jvrg/GHSA-m236-84g9-jvrg.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m236-84g9-jvrg",
+  "modified": "2026-01-22T03:31:27Z",
+  "published": "2026-01-22T03:31:27Z",
+  "aliases": [
+    "CVE-2025-27378"
+  ],
+  "details": "AES contains a SQL injection vulnerability due to an inactive configuration that prevents the latest SQL parsing logic from being applied. When this configuration is not enabled, crafted input may be improperly handled, allowing attackers to inject and execute arbitrary SQL queries.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27378"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.altium.com/platform/security-compliance/security-advisories"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-20"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T01:15:51Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-w3g9-vqjw-3qr3/GHSA-w3g9-vqjw-3qr3.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w3g9-vqjw-3qr3",
+  "modified": "2026-01-22T03:31:28Z",
+  "published": "2026-01-22T03:31:28Z",
+  "aliases": [
+    "CVE-2026-23699"
+  ],
+  "details": "AP180 series with firmware versions prior to AP_RGOS 11.9(4)B1P8 contains an OS command injection vulnerability. If this vulnerability is exploited, arbitrary commands may be executed on the devices.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-23699"
+    },
+    {
+      "type": "WEB",
+      "url": "https://jvn.jp/en/jp/JVN86850670"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ruijie.co.jp/products/rg-ap180-pe_p432111650928590848.html#productDocument"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-78"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T02:15:52Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-w5qj-7xqm-q39c/GHSA-w5qj-7xqm-q39c.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-w5qj-7xqm-q39c",
+  "modified": "2026-01-22T03:31:28Z",
+  "published": "2026-01-22T03:31:28Z",
+  "aliases": [
+    "CVE-2025-27379"
+  ],
+  "details": "A stored cross-site scripting (XSS) vulnerability in the BOM Viewer in Altium AES 7.0.3 allows an authenticated attacker to inject arbitrary JavaScript into the Description field of a schematic, which is executed when the BOM Viewer renders the affected content.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27379"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.altium.com/platform/security-compliance/security-advisories"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T02:15:51Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-xfvg-p8x9-f25q/GHSA-xfvg-p8x9-f25q.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-xfvg-p8x9-f25q",
+  "modified": "2026-01-22T03:31:27Z",
+  "published": "2026-01-22T03:31:27Z",
+  "aliases": [
+    "CVE-2025-27377"
+  ],
+  "details": "Altium Designer version 24.9.0 does not validate self-signed server certificates for cloud connections. An attacker capable of performing a man-in-the-middle (MITM) attack could exploit this issue to intercept or manipulate network traffic, potentially exposing authentication credentials or sensitive design data.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-27377"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.altium.com/platform/security-compliance/security-advisories"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T01:15:50Z"
+  }
+}