Publish Advisories

GHSA-56ph-gvwc-wqxr
GHSA-72rh-qqpc-g693
GHSA-7r2j-hgh9-jqqx
GHSA-8h9m-gcc8-25c6
GHSA-h9hm-gx5c-xfc2
GHSA-j22f-5qx8-xp6w
GHSA-mx9c-4xjq-mhj6
GHSA-vv3f-fcjm-crv5

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-56ph-gvwc-wqxr/GHSA-56ph-gvwc-wqxr.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-56ph-gvwc-wqxr",
+  "modified": "2026-03-28T21:33:11Z",
+  "published": "2026-03-28T21:33:11Z",
+  "aliases": [
+    "CVE-2026-5007"
+  ],
+  "details": "A vulnerability was identified in kazuph mcp-docs-rag up to 0.5.0. Affected is the function cloneRepository of the file src/index.ts of the component add_git_repository/add_text_file. The manipulation leads to os command injection. The attack needs to be performed locally. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5007"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kazuph/mcp-docs-rag/issues/7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/kazuph/mcp-docs-rag"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/user-attachments/files/25822451/mcp-docs-rag_bug.pdf"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/779152"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353892"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353892/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-28T19:16:56Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-72rh-qqpc-g693/GHSA-72rh-qqpc-g693.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-72rh-qqpc-g693",
+  "modified": "2026-03-28T21:33:12Z",
+  "published": "2026-03-28T21:33:12Z",
+  "aliases": [
+    "CVE-2026-5014"
+  ],
+  "details": "A vulnerability was found in elecV2 elecV2P up to 3.8.3. The affected element is the function path.join of the file /log/ of the component Wildcard Handler. The manipulation results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5014"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elecV2/elecV2P/issues/200"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elecV2/elecV2P"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/779178"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353899"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353899/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-28T21:17:00Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-7r2j-hgh9-jqqx/GHSA-7r2j-hgh9-jqqx.json

@@ -0,0 +1,47 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-7r2j-hgh9-jqqx",
+  "modified": "2026-03-28T21:33:11Z",
+  "published": "2026-03-28T21:33:11Z",
+  "aliases": [
+    "CVE-2025-15604"
+  ],
+  "details": "Amon2 versions before 6.17 for Perl use an insecure random_string implementation for security functions.\n\nIn versions 6.06 through 6.16, the random_string function will attempt to read bytes from the /dev/urandom device, but if that is unavailable then it generates bytes by concatenating a SHA-1 hash seeded with the built-in rand() function, the PID, and the high resolution epoch time.  The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nBefore version 6.06, there was no fallback when /dev/urandom was not available.\n\nBefore version 6.04, the random_string function used the built-in rand() function to generate a mixed-case alphanumeric string.\n\nThis function may be used for generating session ids, generating secrets for signing or encrypting cookie session data and generating tokens used for Cross Site Request Forgery (CSRF) protection.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-15604"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/tokuhirom/Amon/pull/135"
+    },
+    {
+      "type": "WEB",
+      "url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/changes"
+    },
+    {
+      "type": "WEB",
+      "url": "https://metacpan.org/release/TOKUHIROM/Amon2-6.17/diff/TOKUHIROM/Amon2-6.16#lib/Amon2/Util.pm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/03/28/4"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-338"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-28T19:16:53Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-8h9m-gcc8-25c6/GHSA-8h9m-gcc8-25c6.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8h9m-gcc8-25c6",
+  "modified": "2026-03-28T21:33:12Z",
+  "published": "2026-03-28T21:33:12Z",
+  "aliases": [
+    "CVE-2026-5015"
+  ],
+  "details": "A vulnerability was determined in elecV2 elecV2P up to 3.8.3. The impacted element is an unknown function of the file /logs of the component Endpoint. This manipulation of the argument filename causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5015"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elecV2/elecV2P/issues/201"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elecV2/elecV2P"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/779180"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353900"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353900/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-28T21:17:00Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-h9hm-gx5c-xfc2/GHSA-h9hm-gx5c-xfc2.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-h9hm-gx5c-xfc2",
+  "modified": "2026-03-28T21:33:12Z",
+  "published": "2026-03-28T21:33:12Z",
+  "aliases": [
+    "CVE-2026-5013"
+  ],
+  "details": "A vulnerability has been found in elecV2 elecV2P up to 3.8.3. Impacted is the function path.join of the file /store/:key. The manipulation of the argument URL leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5013"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elecV2/elecV2P/issues/199"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elecV2/elecV2P"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/779177"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353898"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353898/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-28T20:16:16Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-j22f-5qx8-xp6w/GHSA-j22f-5qx8-xp6w.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-j22f-5qx8-xp6w",
+  "modified": "2026-03-28T21:33:11Z",
+  "published": "2026-03-28T21:33:11Z",
+  "aliases": [
+    "CVE-2026-5012"
+  ],
+  "details": "A flaw has been found in elecV2 elecV2P up to 3.8.3. This issue affects the function pm2run of the file /rpc. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5012"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elecV2/elecV2P/issues/196"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/elecV2/elecV2P"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/779174"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353897"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/353897/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-77"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-28T20:16:16Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-mx9c-4xjq-mhj6/GHSA-mx9c-4xjq-mhj6.json

@@ -0,0 +1,43 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-mx9c-4xjq-mhj6",
+  "modified": "2026-03-28T21:33:11Z",
+  "published": "2026-03-28T21:33:11Z",
+  "aliases": [
+    "CVE-2026-3256"
+  ],
+  "details": "HTTP::Session versions through 0.53 for Perl defaults to using insecurely generated session ids.\n\nHTTP::Session defaults to using HTTP::Session::ID::SHA1 to generate session ids using a SHA-1 hash seeded with the built-in rand function, the high resolution epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.\n\nThe distribution includes HTTP::session::ID::MD5 which contains a similar flaw, but uses the MD5 hash instead.",
+  "severity": [],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3256"
+    },
+    {
+      "type": "WEB",
+      "url": "https://metacpan.org/release/KTAT/http-session-0.53/source/lib/HTTP/Session/ID/MD5.pm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://metacpan.org/release/KTAT/http-session-0.53/source/lib/HTTP/Session/ID/SHA1.pm"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.metacpan.org/docs/guides/random-data-for-security.html"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/03/28/5"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-338"
+    ],
+    "severity": null,
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-28T19:16:56Z"
+  }
+}