Publish Advisories

GHSA-jp35-qc2g-26ch
GHSA-56rf-g9gc-682p
GHSA-gh64-hffv-c24x
GHSA-mfxw-q267-mgp6
GHSA-qwx8-2rqw-pp6q
GHSA-w366-ww4p-hrpq
GHSA-xcxj-mq5h-26p9
GHSA-3hmr-crcq-hxcv
GHSA-4g8c-fcmg-72qf
GHSA-55qr-4rc4-w5vg
GHSA-7h65-66fw-4crh
GHSA-c53v-pgpj-xcg4
GHSA-h96r-c882-j4mv
GHSA-hmvm-5r4j-5wx3
GHSA-mj24-pqx2-6788

Author: advisory-database[bot]

advisories/unreviewed/2022/05/GHSA-jp35-qc2g-26ch/GHSA-jp35-qc2g-26ch.json

@@ -1,13 +1,18 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-jp35-qc2g-26ch",
-  "modified": "2022-05-24T17:00:16Z",
+  "modified": "2026-04-03T12:31:08Z",
   "published": "2022-05-24T17:00:16Z",
   "aliases": [
     "CVE-2019-14360"
   ],
   "details": "On Hyundai Pay Kasse HK-1000 devices, a side channel for the row-based OLED display was found. The power consumption of each row-based display cycle depends on the number of illuminated pixels, allowing a partial recovery of display contents. For example, a hardware implant in the USB cable might be able to leverage this behavior to recover confidential secrets such as the PIN and BIP39 mnemonic. In other words, the side channel is relevant only if the attacker has enough control over the device's USB connection to make power-consumption measurements at a time when secret data is displayed. The side channel is not relevant in other circumstances, such as a stolen device that is not currently displaying secret data.",
-  "severity": [],
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    }
+  ],
   "affected": [],
   "references": [
     {
@@ -21,7 +26,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-200"
+      "CWE-200",
+      "CWE-203"
     ],
     "severity": "LOW",
     "github_reviewed": false,

advisories/unreviewed/2026/03/GHSA-56rf-g9gc-682p/GHSA-56rf-g9gc-682p.json

@@ -42,7 +42,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-77"
+      "CWE-77",
+      "CWE-78"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2026/03/GHSA-gh64-hffv-c24x/GHSA-gh64-hffv-c24x.json

@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-74"
+      "CWE-74",
+      "CWE-78"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2026/03/GHSA-mfxw-q267-mgp6/GHSA-mfxw-q267-mgp6.json

@@ -1,7 +1,7 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mfxw-q267-mgp6",
-  "modified": "2026-04-02T18:31:36Z",
+  "modified": "2026-04-03T12:31:09Z",
   "published": "2026-03-30T21:31:04Z",
   "aliases": [
     "CVE-2026-34714"
@@ -42,6 +42,10 @@
     {
       "type": "WEB",
       "url": "http://www.openwall.com/lists/oss-security/2026/04/02/5"
+    },
+    {
+      "type": "WEB",
+      "url": "http://www.openwall.com/lists/oss-security/2026/04/03/6"
     }
   ],
   "database_specific": {

advisories/unreviewed/2026/03/GHSA-qwx8-2rqw-pp6q/GHSA-qwx8-2rqw-pp6q.json

@@ -50,7 +50,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-77"
+      "CWE-77",
+      "CWE-78"
     ],
     "severity": "MODERATE",
     "github_reviewed": false,

advisories/unreviewed/2026/03/GHSA-w366-ww4p-hrpq/GHSA-w366-ww4p-hrpq.json

@@ -46,7 +46,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-119"
+      "CWE-119",
+      "CWE-787"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2026/03/GHSA-xcxj-mq5h-26p9/GHSA-xcxj-mq5h-26p9.json

@@ -42,7 +42,8 @@
   ],
   "database_specific": {
     "cwe_ids": [
-      "CWE-119"
+      "CWE-119",
+      "CWE-787"
     ],
     "severity": "HIGH",
     "github_reviewed": false,

advisories/unreviewed/2026/04/GHSA-3hmr-crcq-hxcv/GHSA-3hmr-crcq-hxcv.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-3hmr-crcq-hxcv",
+  "modified": "2026-04-03T12:31:09Z",
+  "published": "2026-04-03T12:31:09Z",
+  "aliases": [
+    "CVE-2026-28754"
+  ],
+  "details": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Distribution Lists report.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28754"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28754.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T11:17:05Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-4g8c-fcmg-72qf/GHSA-4g8c-fcmg-72qf.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-4g8c-fcmg-72qf",
+  "modified": "2026-04-03T12:31:09Z",
+  "published": "2026-04-03T12:31:09Z",
+  "aliases": [
+    "CVE-2026-28756"
+  ],
+  "details": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Permissions based on Distribution Groups report.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-28756"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-28756.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T11:17:05Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-55qr-4rc4-w5vg/GHSA-55qr-4rc4-w5vg.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-55qr-4rc4-w5vg",
+  "modified": "2026-04-03T12:31:10Z",
+  "published": "2026-04-03T12:31:10Z",
+  "aliases": [
+    "CVE-2026-3880"
+  ],
+  "details": "Zohocorp ManageEngine Exchange Reporter Plus versions before 5802 are vulnerable to Stored XSS in Public Folder Client Permissions report.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-3880"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.manageengine.com/products/exchange-reports/advisory/CVE-2026-3880.html"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-79"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-03T12:16:18Z"
+  }
+}