Publish Advisories

GHSA-2qh3-3rmv-x43w
GHSA-2w2j-5vf6-6jfw
GHSA-47p4-rx3f-4xcm
GHSA-734f-8p5w-pjw7
GHSA-8gxr-c98h-cwxm
GHSA-8hrp-2fqv-gvrx
GHSA-8wrq-fv5f-pfp2
GHSA-976v-qqvp-vpgg
GHSA-98g2-jqvc-f33c
GHSA-9g69-m48x-mfpw
GHSA-9x65-73m2-6pcg
GHSA-cvcj-h2fq-82fw
GHSA-frp9-cw9x-gf7v
GHSA-h7hj-cr59-59c2
GHSA-hwqh-2684-54fc
GHSA-hxwv-vc7p-p66g
GHSA-p2v5-ghx9-jg75
GHSA-r2fc-mm5p-v3mp
GHSA-rhpc-gv73-7m9f
GHSA-v7f2-qghm-mg3r
GHSA-w3qf-xc88-m8c9
GHSA-wqxj-7q65-946x
GHSA-wvcm-8qcx-6vf4
GHSA-x96m-26ch-mprq

Author: advisory-database[bot]

advisories/unreviewed/2026/04/GHSA-2qh3-3rmv-x43w/GHSA-2qh3-3rmv-x43w.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2qh3-3rmv-x43w",
+  "modified": "2026-04-10T09:31:16Z",
+  "published": "2026-04-10T09:31:16Z",
+  "aliases": [
+    "CVE-2026-6042"
+  ],
+  "details": "A security flaw has been discovered in musl libc up to 1.2.6. Affected is the function iconv of the file src/locale/iconv.c of the component GB18030 4-byte Decoder. Performing a manipulation results in inefficient algorithmic complexity. The attack must be initiated from a local position. To fix this issue, it is recommended to deploy a patch.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6042"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/796352"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356620"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356620/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2026/04/02/10"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.openwall.com/lists/oss-security/2026/04/03/2"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-404"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T09:16:25Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-2w2j-5vf6-6jfw/GHSA-2w2j-5vf6-6jfw.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2w2j-5vf6-6jfw",
+  "modified": "2026-04-10T09:31:16Z",
+  "published": "2026-04-10T09:31:15Z",
+  "aliases": [
+    "CVE-2026-6029"
+  ],
+  "details": "A vulnerability was detected in Totolink A7100RU 7.4cu.2313_b20191024. The affected element is the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument User results in os command injection. The attack may be launched remotely. The exploit is now public and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6029"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/Litengzheng/vuldb_new/blob/main/A7100RU/vul_174/README.md"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792050"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356605"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356605/cti"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.totolink.net"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T07:16:22Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-47p4-rx3f-4xcm/GHSA-47p4-rx3f-4xcm.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-47p4-rx3f-4xcm",
+  "modified": "2026-04-10T09:31:16Z",
+  "published": "2026-04-10T09:31:16Z",
+  "aliases": [
+    "CVE-2026-6036"
+  ],
+  "details": "A vulnerability was found in code-projects Vehicle Showroom Management System 1.0. The impacted element is an unknown function of the file /util/VehicleDetailsFunction.php. The manipulation of the argument VEHICLE_ID results in sql injection. The attack can be executed remotely. The exploit has been made public and could be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6036"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/TAnNbR/CVE/issues/3"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/796201"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356617"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356617/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T09:16:24Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-734f-8p5w-pjw7/GHSA-734f-8p5w-pjw7.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-734f-8p5w-pjw7",
+  "modified": "2026-04-10T09:31:16Z",
+  "published": "2026-04-10T09:31:16Z",
+  "aliases": [
+    "CVE-2026-6037"
+  ],
+  "details": "A vulnerability was determined in code-projects Vehicle Showroom Management System 1.0. This affects an unknown function of the file /util/AddVehicleFunction.php. This manipulation of the argument BRANCH_ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6037"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/TAnNbR/CVE/issues/4"
+    },
+    {
+      "type": "WEB",
+      "url": "https://code-projects.org"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/796232"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356618"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/356618/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T09:16:25Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-8gxr-c98h-cwxm/GHSA-8gxr-c98h-cwxm.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8gxr-c98h-cwxm",
+  "modified": "2026-04-10T09:31:16Z",
+  "published": "2026-04-10T09:31:16Z",
+  "aliases": [
+    "CVE-2026-33457"
+  ],
+  "details": "Livestatus injection in the prediction graph page in Checkmk <2.5.0b4, <2.4.0p26, and <2.3.0p47 allows an authenticated user to inject arbitrary Livestatus commands via a crafted service name parameter due to insufficient sanitization of the service description value.",
+  "severity": [
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33457"
+    },
+    {
+      "type": "WEB",
+      "url": "https://checkmk.com/werk/17990"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-140"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T09:16:24Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-8hrp-2fqv-gvrx/GHSA-8hrp-2fqv-gvrx.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8hrp-2fqv-gvrx",
+  "modified": "2026-04-10T09:31:16Z",
+  "published": "2026-04-10T09:31:16Z",
+  "aliases": [
+    "CVE-2026-5525"
+  ],
+  "details": "A stack-based buffer overflow vulnerability exists in Notepad++ version 8.9.3 in the file drop handler component. When a user drags and drops a directory path of exactly 259 characters without a trailing backslash, the application appends a backslash and null terminator without proper bounds checking, resulting in a stack buffer overflow and application crash (STATUS_STACK_BUFFER_OVERRUN).",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5525"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/notepad-plus-plus/notepad-plus-plus/issues/17921"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/notepad-plus-plus/notepad-plus-plus/pull/17930"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bfe7514d68bc559534c046c4ef2d1865267aa2b0"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-121"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T08:16:26Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-8wrq-fv5f-pfp2/GHSA-8wrq-fv5f-pfp2.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8wrq-fv5f-pfp2",
+  "modified": "2026-04-10T09:31:15Z",
+  "published": "2026-04-10T09:31:15Z",
+  "aliases": [
+    "CVE-2026-1115"
+  ],
+  "details": "A Stored Cross-Site Scripting (XSS) vulnerability was identified in the social feature of parisneo/lollms, affecting the latest version prior to 2.2.0. The vulnerability exists in the `create_post` function within `backend/routers/social/__init__.py`, where user-provided content is directly assigned to the `DBPost` model without sanitization. This allows attackers to inject and store malicious JavaScript, which is executed in the browsers of users viewing the Home Feed, including administrators. This can lead to account takeover, session hijacking, and wormable attacks. The issue is resolved in version 2.2.0.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1115"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/parisneo/lollms/commit/9767b882dbc893c388a286856beeaead69b8292a"
+    },
+    {
+      "type": "WEB",
+      "url": "https://huntr.com/bounties/099aa4fe-7165-4337-889c-3fb4f1aa71aa"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-10T07:16:20Z"
+  }
+}