Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 6d0eb1ec7a67 · 2026-01-22T09:33:02.000Z
GHSA-2hqx-mp7w-6wgm GHSA-984h-8phv-mf43 GHSA-j7qw-w5vf-rgxv GHSA-m3h4-65j5-6j8c GHSA-v3x6-95pf-f2f2
diff --git a/advisories/unreviewed/2026/01/GHSA-2hqx-mp7w-6wgm/GHSA-2hqx-mp7w-6wgm.json b/advisories/unreviewed/2026/01/GHSA-2hqx-mp7w-6wgm/GHSA-2hqx-mp7w-6wgm.json
@@ -0,0 +1,25 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2hqx-mp7w-6wgm",
+  "modified": "2026-01-22T09:31:39Z",
+  "published": "2026-01-22T09:31:39Z",
+  "aliases": [
+    "CVE-2020-8451"
+  ],
+  "details": "Rejected reason: The reserved CVE was never used.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-8451"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T08:16:00Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-984h-8phv-mf43/GHSA-984h-8phv-mf43.json b/advisories/unreviewed/2026/01/GHSA-984h-8phv-mf43/GHSA-984h-8phv-mf43.json
@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-984h-8phv-mf43",
+  "modified": "2026-01-22T09:31:39Z",
+  "published": "2026-01-22T09:31:39Z",
+  "aliases": [
+    "CVE-2026-24332"
+  ],
+  "details": "Discord through 2026-01-16 allows gathering information about whether a user's client state is Invisible (and not actually offline) because the response to a WebSocket API request includes the user in the presences array (with \"status\": \"offline\"), whereas offline users are omitted from the presences array. This is arguably inconsistent with the UI description of Invisible as \"You will appear offline.\"",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-24332"
+    },
+    {
+      "type": "WEB",
+      "url": "https://xmrcat.org/discord-invisibility-bypass"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-204"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T08:16:00Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-j7qw-w5vf-rgxv/GHSA-j7qw-w5vf-rgxv.json b/advisories/unreviewed/2026/01/GHSA-j7qw-w5vf-rgxv/GHSA-j7qw-w5vf-rgxv.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j7qw-w5vf-rgxv",
+  "modified": "2026-01-22T09:31:40Z",
+  "published": "2026-01-22T09:31:40Z",
+  "aliases": [
+    "CVE-2026-1331"
+  ],
+  "details": "MeetingHub developed by HAMASTAR Technology has an Arbitrary File Upload vulnerability, allowing unauthenticated remote attackers to upload and execute web shell backdoors, thereby enabling arbitrary code execution on the server.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1331"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-434"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T09:15:52Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-m3h4-65j5-6j8c/GHSA-m3h4-65j5-6j8c.json b/advisories/unreviewed/2026/01/GHSA-m3h4-65j5-6j8c/GHSA-m3h4-65j5-6j8c.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-m3h4-65j5-6j8c",
+  "modified": "2026-01-22T09:31:39Z",
+  "published": "2026-01-22T09:31:39Z",
+  "aliases": [
+    "CVE-2026-0920"
+  ],
+  "details": "The LA-Studio Element Kit for Elementor plugin for WordPress is vulnerable to Administrative User Creation in all versions up to, and including, 1.5.6.3. This is due to the 'ajax_register_handle' function not restricting what user roles a user can register with. This makes it possible for unauthenticated attackers to supply the 'lakit_bkrole' parameter during registration and gain administrator access to the site.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0920"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/lastudio-element-kit/tags/1.5.6.3/includes/integrations/override.php#L301"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3439121/lastudio-element-kit"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/65ebc744-6cc2-47ce-b225-81820e49d59c?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-269"
+    ],
+    "severity": "CRITICAL",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T07:15:50Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/01/GHSA-v3x6-95pf-f2f2/GHSA-v3x6-95pf-f2f2.json b/advisories/unreviewed/2026/01/GHSA-v3x6-95pf-f2f2/GHSA-v3x6-95pf-f2f2.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-v3x6-95pf-f2f2",
+  "modified": "2026-01-22T09:31:39Z",
+  "published": "2026-01-22T09:31:39Z",
+  "aliases": [
+    "CVE-2026-1330"
+  ],
+  "details": "MeetingHub developed by HAMASTAR Technology has an Arbitrary File Read vulnerability, allowing unauthenticated remote attackers to exploit Absolute Path Traversal to download arbitrary system files.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-1330"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/en/cp-139-10651-ff09c-2.html"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.twcert.org.tw/tw/cp-132-10650-a5ee9-1.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-36"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-22T09:15:51Z"
+  }
+}
