Publish Advisories

GHSA-495m-v35r-f849
GHSA-4r4q-4mqv-pv27
GHSA-58gr-rfpg-m948
GHSA-594w-2fwp-jwrc
GHSA-6684-47x9-759j
GHSA-6j26-jfmq-hf5r
GHSA-744r-q883-3hq4
GHSA-7jc7-g598-2p64
GHSA-833x-x4qj-r9cv
GHSA-947x-m4f9-3h48
GHSA-9x38-gmh7-fp5q
GHSA-cqjp-pfhx-4jwv
GHSA-g299-249v-2v42
GHSA-gp8q-g6v2-fgq3
GHSA-h9pr-pv2g-cx98
GHSA-j3rr-wp98-2675
GHSA-mc3v-qmvf-v5gr
GHSA-p5qx-fwf5-q388
GHSA-qr3p-2xj2-q7hq
GHSA-r8w2-w357-9pjv
GHSA-rgj2-xq4c-hrvm
GHSA-vc2w-4v3p-2mqw
GHSA-vpg5-x373-3q2c
GHSA-wwp8-q895-jwf7

Author: advisory-database[bot]

advisories/unreviewed/2026/01/GHSA-495m-v35r-f849/GHSA-495m-v35r-f849.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-495m-v35r-f849",
-  "modified": "2026-01-20T18:31:57Z",
+  "modified": "2026-01-21T15:31:15Z",
   "published": "2026-01-20T18:31:57Z",
   "aliases": [
     "CVE-2025-55423"
   ],
   "details": "ipTIME routers A2003NS-MU 10.00.6 to 12.16.2 , N600 10.00.8 to 12.16.2, A604-V3 10.01.6 to 10.07.2, A6ns-M 10.01.6 to 14.19.4 , V508 10.02.2 to 10.06.4, N704QCA 10.02.4 to 12.16.2, A8ns-M 10.03.2 to 14.19.4, A304 10.05.4 to 10.07.4, A3004NS-M,A5004NS-M,A9004M 10.05.4 to 14.19.4, N702R 10.05.8 to 10.06.8, A604M 10.06.4 to 10.07.2, A804NS-MU 10.06.4 to 12.10.2, N804R 10.06.4 to 12.16.2, A7004M,A8004T 10.06.8 to 14.19.4, A604G-MU 10.07.4 to 12.16.2, A3008-MU 10.08.4 to 14.19.4, A2004MU and A2004NS-MU 10.08.6 to 12.17.0, A604-V5,A604R, N702E 10.09.2 to 12.16.2, N2V 10.09.2 to 12.16.8, N604E 10.09.2 to 14.19.4, N104E 10.09.4 to 12.15.2, A8004ITL 11.00.4 to 14.19.4, N102E 11.00.8 to 12.15.2, N1V 11.01.2 to 12.07.6, N102i 11.01.2 to 12.15.2, T5004 11.96.4 to 14.19.4, N602E 11.96.6 to 12.16.8, AX8004BCM and A8004T-XR 11.97.2 to 14.19.4, A9004M-X2, T5008 11.98.2 to 14.19.4, N704E 11.98.4 to 12.16.2, A8004BCM 11.99.1 to 12.16.2, AX3004ITL 12.01.2 to 14.19.4 and A604G-skylife 12.02.4 to 12.12 were discovered to contain an OS command injection vulnerability via the function upnp_relay().",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -22,14 +27,20 @@
       "type": "WEB",
       "url": "https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/README.md"
     },
+    {
+      "type": "WEB",
+      "url": "https://github.com/0x0xxxx/CVE/blob/main/CVE-2025-55423/assets/affected_products_cve_format.json"
+    },
     {
       "type": "WEB",
       "url": "https://iptime.com/iptime/?pageid=4&page_id=126&dfsid=3&dftid=583&uid=25203&mod=document"
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-94"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-20T18:16:04Z"

advisories/unreviewed/2026/01/GHSA-4r4q-4mqv-pv27/GHSA-4r4q-4mqv-pv27.json

@@ -25,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-269"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2026/01/GHSA-58gr-rfpg-m948/GHSA-58gr-rfpg-m948.json

@@ -25,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-284"
+    ],
     "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2026/01/GHSA-594w-2fwp-jwrc/GHSA-594w-2fwp-jwrc.json

@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-594w-2fwp-jwrc",
+  "modified": "2026-01-21T15:31:16Z",
+  "published": "2026-01-21T15:31:16Z",
+  "aliases": [
+    "CVE-2025-14083"
+  ],
+  "details": "A flaw was found in the Keycloak Admin REST API. This vulnerability allows the exposure of backend schema and rules, potentially leading to targeted attacks or privilege escalation via improper access control.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-14083"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2025-14083"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2419086"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-284"
+    ],
+    "severity": "LOW",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-01-21T13:16:02Z"
+  }
+}

advisories/unreviewed/2026/01/GHSA-6684-47x9-759j/GHSA-6684-47x9-759j.json

@@ -25,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-400"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2026/01/GHSA-6j26-jfmq-hf5r/GHSA-6j26-jfmq-hf5r.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-6j26-jfmq-hf5r",
-  "modified": "2026-01-20T21:31:35Z",
+  "modified": "2026-01-21T15:31:15Z",
   "published": "2026-01-20T21:31:35Z",
   "aliases": [
     "CVE-2025-57156"
   ],
   "details": "NULL pointer dereference in the dacp_reply_playqueueedit_clear function in src/httpd_dacp.c in owntone-server through commit 6d604a1 (newer commit after version 28.12) allows remote attackers to cause a Denial of Service (crash).",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-20T21:16:03Z"

advisories/unreviewed/2026/01/GHSA-744r-q883-3hq4/GHSA-744r-q883-3hq4.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-744r-q883-3hq4",
-  "modified": "2026-01-20T21:31:35Z",
+  "modified": "2026-01-21T15:31:15Z",
   "published": "2026-01-20T21:31:35Z",
   "aliases": [
     "CVE-2025-63647"
   ],
   "details": "A NULL pointer dereference in the parse_meta function (src/httpd_daap.c) of owntone-server commit 334beb allows attackers to cause a Denial of Service (DoS) via sending a crafted DAAP request to the server.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-20T21:16:04Z"

advisories/unreviewed/2026/01/GHSA-7jc7-g598-2p64/GHSA-7jc7-g598-2p64.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7jc7-g598-2p64",
-  "modified": "2026-01-20T18:31:57Z",
+  "modified": "2026-01-21T15:31:15Z",
   "published": "2026-01-20T18:31:57Z",
   "aliases": [
     "CVE-2025-65482"
   ],
   "details": "An XML External Entity (XXE) vulnerability in opensagres XDocReport v0.9.2 to v2.0.3 allows attackers to execute arbitrary code via uploading a crafted .docx file.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -36,8 +41,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-611"
+    ],
+    "severity": "CRITICAL",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-20T16:16:06Z"

advisories/unreviewed/2026/01/GHSA-833x-x4qj-r9cv/GHSA-833x-x4qj-r9cv.json

@@ -25,7 +25,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-400"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2026/01/GHSA-947x-m4f9-3h48/GHSA-947x-m4f9-3h48.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-947x-m4f9-3h48",
-  "modified": "2026-01-20T21:31:35Z",
+  "modified": "2026-01-21T15:31:15Z",
   "published": "2026-01-20T21:31:35Z",
   "aliases": [
     "CVE-2025-63648"
   ],
   "details": "A NULL pointer dereference in the dacp_reply_playqueueedit_move function (src/httpd_dacp.c) of owntone-server commit b7e385f allows attackers to cause a Denial of Service (DoS) via sending a crafted DACP request to the server.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -28,8 +33,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-476"
+    ],
+    "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-01-20T21:16:04Z"