

12 files changed

+528
-2
lines changed


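--- a/advisories/unreviewed/2025/03/GHSA-g8qj-jv5h-78cp/GHSA-g8qj-jv5h-78cp.json
+++ b/advisories/unreviewed/2025/03/GHSA-g8qj-jv5h-78cp/GHSA-g8qj-jv5h-78cp.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-g8qj-jv5h-78cp",
-"modified": "2026-04-16T21:31:09Z",
+"modified": "2026-04-20T00:30:13Z",
 "published": "2025-03-11T15:31:00Z",
 "aliases": [
 "CVE-2025-27363"
@@ -82,6 +82,10 @@
 {
 "type": "WEB",
 "url": "http://www.openwall.com/lists/oss-security/2026/04/16/5"
+},
+{
+"type": "WEB",
+"url": "http://www.openwall.com/lists/oss-security/2026/04/19/3"
 }
 ],
 "database_specific": {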
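--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-42gh-h7rj-5v3m",
+"modified": "2026-04-20T00:30:13Z",
+"published": "2026-04-20T00:30:13Z",
+"aliases": [
+"CVE-2026-6582"
+],
+"details": "A flaw has been found in TransformerOptimus SuperAGI up to 0.0.14. Affected by this issue is the function get_vector_db_details of the file superagi/controllers/vector_dbs.py of the component Vector Database Management Endpoint. Executing a manipulation can lead to missing authentication. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6582"
+},
+{
+"type": "WEB",
+"url": "https://gist.github.com/YLChen-007/f38b32a9cd0c9722e04a716ca4dbf9d5"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/791072"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358217"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358217/cti"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-287"
+],
+"severity": "MODERATE",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-19T23:16:34Z"
+}
+}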
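Review bot: `"affected": []` on line 20 of this new record leaves the version bound that `details` gives only in prose ("up to 0.0.14") with no machine-readable counterpart, so tooling that matches installed packages against OSV `affected` entries will not surface this record for a SuperAGI deployment. `github_reviewed` being false suggests this is the normal pre-review import state, but the same gap is present in every other record added by this commit (GHSA-5q63-8x25-h545, GHSA-95ww-475f-pr4f, GHSA-f8vm-5j5r-ppjw, GHSA-fqhh-6rmf-f4vh, GHSA-jf35-jg3h-pwmh), each of which also states a version bound only in `details`. Until review fills `affected` with the package and a `last_affected` or `fixed` event, consumers should treat the `details` text as the only version signal and not rely on automated matching for these CVEs.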
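--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-5q63-8x25-h545",
+"modified": "2026-04-20T00:30:13Z",
+"published": "2026-04-20T00:30:13Z",
+"aliases": [
+"CVE-2026-6579"
+],
+"details": "A weakness has been identified in liangliangyy DjangoBlog up to 2.1.0.0. This impacts an unknown function of the file blog/views.py of the component Clean Endpoint. This manipulation causes missing authentication. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6579"
+},
+{
+"type": "WEB",
+"url": "https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-4-Unauthenticated-Cache-Purge.md"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/790286"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358214"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358214/cti"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-287"
+],
+"severity": "MODERATE",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-19T22:16:35Z"
+}
+}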
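--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-95ww-475f-pr4f",
+"modified": "2026-04-20T00:30:13Z",
+"published": "2026-04-20T00:30:13Z",
+"aliases": [
+"CVE-2026-6587"
+],
+"details": "A security flaw has been discovered in vibrantlabsai RAGAS up to 0.4.3. The affected element is the function _try_process_local_file/_try_process_url of the file src/ragas/metrics/collections/multi_modal_faithfulness/util.py of the component Collections Module. Performing a manipulation of the argument retrieved_contexts results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The security patch for CVE-2025-45691 was applied to a different module only. The vendor was contacted early about this disclosure but did not respond in any way.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6587"
+},
+{
+"type": "WEB",
+"url": "https://adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/791088"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358222"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358222/cti"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-918"
+],
+"severity": "MODERATE",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-20T00:16:34Z"
+}
+}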
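Review bot: The reference on line 28, `https://adithyanak.com/ragas-v0214-arbitrary-file-read-vulnerability`, is titled for an arbitrary-file-read issue in v0.2.14, which reads as the earlier CVE-2025-45691 that `details` says was patched in a different module, not the 0.4.3 server-side request forgery this record describes; it is worth confirming the link belongs in this record's references rather than being background for the older CVE. Separately, `details` names `_try_process_local_file` alongside `_try_process_url` as the affected functions, which suggests a local-file branch is in scope as well, while `cwe_ids` lists only CWE-918. If review confirms that the file-path branch is also reachable from `retrieved_contexts`, a second CWE for the file-read behaviour would make the record's classification match its own description.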
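--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-f8vm-5j5r-ppjw",
+"modified": "2026-04-20T00:30:13Z",
+"published": "2026-04-20T00:30:13Z",
+"aliases": [
+"CVE-2026-6586"
+],
+"details": "A vulnerability was identified in TransformerOptimus SuperAGI up to 0.0.14. Impacted is the function get_budget/update_budget of the file superagi/controllers/budget.py of the component Budget Endpoint. Such manipulation leads to authorization bypass. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6586"
+},
+{
+"type": "WEB",
+"url": "https://gist.github.com/YLChen-007/4b6b95f98aeed927a99d2a76eaf53444"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/791077"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358221"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358221/cti"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-285"
+],
+"severity": "MODERATE",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-20T00:16:34Z"
+}
+}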
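--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-fqhh-6rmf-f4vh",
+"modified": "2026-04-20T00:30:14Z",
+"published": "2026-04-20T00:30:14Z",
+"aliases": [
+"CVE-2026-6583"
+],
+"details": "A vulnerability has been found in TransformerOptimus SuperAGI up to 0.0.14. This affects the function delete_api_key/edit_api_key of the file superagi/controllers/api_key.py of the component API Key Management Endpoint. The manipulation leads to authorization bypass. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6583"
+},
+{
+"type": "WEB",
+"url": "https://gist.github.com/YLChen-007/ba28ac92d9fd011d40560dbf2bac39ce"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/791074"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358218"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358218/cti"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-285"
+],
+"severity": "MODERATE",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-19T23:16:34Z"
+}
+}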

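--- a/advisories/unreviewed/2026/04/GHSA-fv83-x2xw-2j55/GHSA-fv83-x2xw-2j55.json
+++ b/advisories/unreviewed/2026/04/GHSA-fv83-x2xw-2j55/GHSA-fv83-x2xw-2j55.json
@@ -1,7 +1,7 @@
 {
 "schema_version": "1.4.0",
 "id": "GHSA-fv83-x2xw-2j55",
-"modified": "2026-04-13T21:30:35Z",
+"modified": "2026-04-20T00:30:13Z",
 "published": "2026-04-08T03:32:14Z",
 "aliases": [
 "CVE-2026-33810"
@@ -34,6 +34,10 @@
 {
 "type": "WEB",
 "url": "https://pkg.go.dev/vuln/GO-2026-4866"
+},
+{
+"type": "WEB",
+"url": "http://www.openwall.com/lists/oss-security/2026/04/19/4"
 }
 ],
 "database_specific": {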
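--- /dev/null
+++ b/[PATH NOT SHOWN ON PAGE]
@@ -0,0 +1,52 @@
+{
+"schema_version": "1.4.0",
+"id": "GHSA-jf35-jg3h-pwmh",
+"modified": "2026-04-20T00:30:13Z",
+"published": "2026-04-20T00:30:13Z",
+"aliases": [
+"CVE-2026-6578"
+],
+"details": "A security flaw has been discovered in liangliangyy DjangoBlog up to 2.1.0.0. This affects an unknown function of the file djangoblog/settings.py of the component Setting Handler. The manipulation of the argument SECRET_KEY results in hard-coded credentials. The attack can be launched remotely. The attack requires a high level of complexity. The exploitability is reported as difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+"severity": [
+{
+"type": "CVSS_V3",
+"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L"
+},
+{
+"type": "CVSS_V4",
+"score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+}
+],
+"affected": [],
+"references": [
+{
+"type": "ADVISORY",
+"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-6578"
+},
+{
+"type": "WEB",
+"url": "https://github.com/3em0/cve_repo/blob/main/DjangoBlog/Vuln-3-Hardcoded-Django-SECRET_KEY.md"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/submit/790283"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358213"
+},
+{
+"type": "WEB",
+"url": "https://vuldb.com/vuln/358213/cti"
+}
+],
+"database_specific": {
+"cwe_ids": [
+"CWE-259"
+],
+"severity": "MODERATE",
+"github_reviewed": false,
+"github_reviewed_at": null,
+"nvd_published_at": "2026-04-19T22:16:35Z"
+}
+}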
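Review bot: `cwe_ids` on lines 44–46 classifies this as CWE-259 (hard-coded password), but what `details` and the Vuln-3-Hardcoded-Django-SECRET_KEY reference describe is a Django `SECRET_KEY` committed in `djangoblog/settings.py`, which is a signing key rather than a password; CWE-321 (hard-coded cryptographic key) or its parent CWE-798 (hard-coded credentials) would match the record's own description more closely, so consider that mapping when the entry is reviewed. The `details` sentence "The manipulation of the argument SECRET_KEY results in hard-coded credentials" reads as templated text and does not convey the practical exposure, which as far as this record shows is that anyone who can read the public repository can know the key a default deployment signs with. For operators the relevant mitigation is deployment-side, supplying `SECRET_KEY` from the environment and rotating it on instances that shipped the committed value, so a short plain-language restatement in `details` would help consumers more than the CVSS vector alone.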
