Publish Advisories

GHSA-7vgg-mch2-66mr
GHSA-2678-g677-r4gx
GHSA-4qxw-jjp5-4rvw
GHSA-53q8-8prq-r28c
GHSA-65gh-443q-r8g2
GHSA-8xmx-8924-2g2v
GHSA-9cf6-cmjx-857j
GHSA-cvg8-pgv5-2vg3
GHSA-cwvv-m84p-3r2p
GHSA-gj7h-pv73-9jrx
GHSA-j9q5-hw2p-xmcf
GHSA-m2rv-r87h-2v59
GHSA-m3vr-rg3v-c5r5
GHSA-xmm3-9x39-98r5

Author: advisory-database[bot]

advisories/unreviewed/2025/10/GHSA-7vgg-mch2-66mr/GHSA-7vgg-mch2-66mr.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7vgg-mch2-66mr",
-  "modified": "2025-10-21T18:30:31Z",
+  "modified": "2026-03-28T00:31:12Z",
   "published": "2025-10-14T18:30:34Z",
   "aliases": [
     "CVE-2025-59214"
@@ -30,6 +30,14 @@
     {
       "type": "WEB",
       "url": "https://msrc.microsoft.com/update-guide/vulnerability/CVE-2025-59214"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-59214-detection-script-windows-file-explorer-spoofing-vulnerability"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vicarius.io/vsociety/posts/cve-2025-59214-mitigation-script-windows-file-explorer-spoofing-vulnerability"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/03/GHSA-2678-g677-r4gx/GHSA-2678-g677-r4gx.json

@@ -0,0 +1,60 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2678-g677-r4gx",
+  "modified": "2026-03-28T00:31:16Z",
+  "published": "2026-03-28T00:31:16Z",
+  "aliases": [
+    "CVE-2026-4988"
+  ],
+  "details": "A security flaw has been discovered in Open5GS 2.7.6. This issue affects the function smf_gx_cca_cb/smf_gy_cca_cb/smf_s6b of the component CCA Message Handler. The manipulation results in denial of service. The attack may be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The exploit has been released to the public and may be used for attacks.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4988"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/open5gs/open5gs/issues/4342"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/open5gs/open5gs/issues/4342#issue-4021772232"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/open5gs/open5gs"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353875"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353875"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.771349"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-404"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T22:16:23Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-4qxw-jjp5-4rvw/GHSA-4qxw-jjp5-4rvw.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4qxw-jjp5-4rvw",
+  "modified": "2026-03-28T00:31:16Z",
+  "published": "2026-03-28T00:31:16Z",
+  "aliases": [
+    "CVE-2026-4990"
+  ],
+  "details": "A security vulnerability has been detected in chatwoot up to 4.11.1. The affected element is an unknown function of the file /app/login of the component Signup Endpoint. Such manipulation of the argument signupEnabled with the input true leads to improper authorization. The attack can be executed remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4990"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353877"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353877"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.772515"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-266"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T22:16:23Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-53q8-8prq-r28c/GHSA-53q8-8prq-r28c.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-53q8-8prq-r28c",
+  "modified": "2026-03-28T00:31:15Z",
+  "published": "2026-03-28T00:31:15Z",
+  "aliases": [
+    "CVE-2026-27309"
+  ],
+  "details": "Substance3D - Stager versions 3.1.7 and earlier are affected by a Use After Free vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-27309"
+    },
+    {
+      "type": "WEB",
+      "url": "https://helpx.adobe.com/security/products/substance3d_stager/apsb26-29.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-416"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T22:16:20Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-65gh-443q-r8g2/GHSA-65gh-443q-r8g2.json

@@ -0,0 +1,48 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-65gh-443q-r8g2",
+  "modified": "2026-03-28T00:31:16Z",
+  "published": "2026-03-28T00:31:16Z",
+  "aliases": [
+    "CVE-2026-4248"
+  ],
+  "details": "The Ultimate Member plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.11.2. This is due to the '{usermeta:password_reset_link}' template tag being processed within post content via the '[um_loggedin]' shortcode, which generates a valid password reset token for the currently logged-in user viewing the page. This makes it possible for authenticated attackers, with Contributor-level access and above, to craft a malicious pending post that, when previewed by an Administrator, generates a password reset token for the Administrator and exfiltrates it to an attacker-controlled server, leading to full account takeover.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4248"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ultimatemember/ultimatemember/pull/1799"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/browser/ultimate-member/tags/2.11.2/includes/um-short-functions.php#L205"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3492178/ultimate-member/trunk/includes/um-short-functions.php"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/baafd001-144d-4ee4-b7e6-28c0931e6e10?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-285"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T23:17:14Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-8xmx-8924-2g2v/GHSA-8xmx-8924-2g2v.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-8xmx-8924-2g2v",
-  "modified": "2026-03-27T18:31:28Z",
+  "modified": "2026-03-28T00:31:14Z",
   "published": "2026-03-27T18:31:28Z",
   "aliases": [
     "CVE-2026-30568"
   ],
   "details": "A Reflected Cross-Site Scripting (XSS) vulnerability exists in SourceCodester Inventory System 1.0 in in the view_purchase.php file via the \"limit\" parameter. The application fails to sanitize the input, allowing remote attackers to inject arbitrary web script or HTML via a crafted URL.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -20,8 +25,10 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
-    "severity": null,
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,
     "nvd_published_at": "2026-03-27T18:16:05Z"

advisories/unreviewed/2026/03/GHSA-9cf6-cmjx-857j/GHSA-9cf6-cmjx-857j.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-9cf6-cmjx-857j",
-  "modified": "2026-03-27T15:30:26Z",
+  "modified": "2026-03-28T00:31:13Z",
   "published": "2026-03-27T15:30:26Z",
   "aliases": [
     "CVE-2026-4954"

advisories/unreviewed/2026/03/GHSA-cvg8-pgv5-2vg3/GHSA-cvg8-pgv5-2vg3.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-cvg8-pgv5-2vg3",
-  "modified": "2026-03-24T03:31:19Z",
+  "modified": "2026-03-28T00:31:13Z",
   "published": "2026-03-24T03:31:19Z",
   "aliases": [
     "CVE-2026-4616"

advisories/unreviewed/2026/03/GHSA-cwvv-m84p-3r2p/GHSA-cwvv-m84p-3r2p.json

@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cwvv-m84p-3r2p",
+  "modified": "2026-03-28T00:31:15Z",
+  "published": "2026-03-28T00:31:15Z",
+  "aliases": [
+    "CVE-2019-25652"
+  ],
+  "details": "UniFi Network Controller before version 5.10.22 and 5.11.x before 5.11.18 contains an improper certificate verification vulnerability that allows adjacent network attackers to conduct man-in-the-middle attacks by presenting a false SSL certificate during SMTP connections. Attackers can intercept SMTP traffic and obtain credentials by exploiting the insecure SSL host verification mechanism in the SMTP certificate validation process.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25652"
+    },
+    {
+      "type": "WEB",
+      "url": "https://community.ui.com/releases/Security-Advisory-Bulletin-003-003/982bbaa8-2a07-4f81-a5f6-0bb84753f391"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.vulncheck.com/advisories/unifi-network-controller-improper-certificate-validation-leading-to-credential-theft-via-mitm"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-295"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T22:16:19Z"
+  }
+}

advisories/unreviewed/2026/03/GHSA-gj7h-pv73-9jrx/GHSA-gj7h-pv73-9jrx.json

@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gj7h-pv73-9jrx",
+  "modified": "2026-03-28T00:31:16Z",
+  "published": "2026-03-28T00:31:16Z",
+  "aliases": [
+    "CVE-2026-4992"
+  ],
+  "details": "A flaw has been found in wandb OpenUI up to 1.0. This affects the function create_share/get_share of the file backend/openui/server.py of the component HTMLAnnotator Component. Executing a manipulation of the argument ID can lead to HTML injection. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4992"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/YLChen-007/7b42be1da37af51a0cfba0866d100987"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.353879"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.353879"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.778264"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-27T23:17:19Z"
+  }
+}