Publish Advisories

advisory-database[bot] · advisory-database[bot] · commit 86c172deedbf · 2026-03-17T06:33:27.000Z
GHSA-2m8h-x5w5-777h GHSA-2w8x-224x-785m GHSA-8g9j-3hrr-2hvm GHSA-fcq3-632g-qpmv GHSA-gxf2-jfmj-j5cj
diff --git a/advisories/unreviewed/2026/03/GHSA-2m8h-x5w5-777h/GHSA-2m8h-x5w5-777h.json b/advisories/unreviewed/2026/03/GHSA-2m8h-x5w5-777h/GHSA-2m8h-x5w5-777h.json
@@ -0,0 +1,40 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2m8h-x5w5-777h",
+  "modified": "2026-03-17T06:31:32Z",
+  "published": "2026-03-17T06:31:32Z",
+  "aliases": [
+    "CVE-2026-2373"
+  ],
+  "details": "The Royal Addons for Elementor – Addons and Templates Kit for Elementor plugin for WordPress is vulnerable to Information Exposure in all versions up to, and including, 1.7.1049 via the get_main_query_args() function due to insufficient restrictions on which posts can be included. This makes it possible for unauthenticated attackers to extract contents of non-public custom post types, such as Contact Form 7 submissions or WooCommerce coupons.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-2373"
+    },
+    {
+      "type": "WEB",
+      "url": "https://plugins.trac.wordpress.org/changeset/3475656"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.wordfence.com/threat-intel/vulnerabilities/id/c4192a7f-b962-46f9-a524-7271ed6f4917?source=cve"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-862"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T04:16:14Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-2w8x-224x-785m/GHSA-2w8x-224x-785m.json b/advisories/unreviewed/2026/03/GHSA-2w8x-224x-785m/GHSA-2w8x-224x-785m.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-2w8x-224x-785m",
+  "modified": "2026-03-17T06:31:32Z",
+  "published": "2026-03-17T06:31:32Z",
+  "aliases": [
+    "CVE-2026-4258"
+  ],
+  "details": "All versions of the package sjcl are vulnerable to Improper Verification of Cryptographic Signature due to missing point-on-curve validation in sjcl.ecc.basicKey.publicKey(). An attacker can recover a victim's ECDH private key by sending crafted off-curve public keys and observing ECDH outputs. The dhJavaEc() function directly returns the raw x-coordinate of the scalar multiplication result (no hashing), providing a plaintext oracle without requiring any decryption feedback.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4258"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bitwiseshiftleft/sjcl/commit/ee307459972442a17beebc29dc331fffd8aff796"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/Kr0emer/2560f98edb10b0b34f2438cd63913c47"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/bitwiseshiftleft/sjcl/blob/master/core/ecc.js%23L454-L461"
+    },
+    {
+      "type": "WEB",
+      "url": "https://security.snyk.io/vuln/SNYK-JS-SJCL-15369617"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-347"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T06:16:18Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-8g9j-3hrr-2hvm/GHSA-8g9j-3hrr-2hvm.json b/advisories/unreviewed/2026/03/GHSA-8g9j-3hrr-2hvm/GHSA-8g9j-3hrr-2hvm.json
@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-8g9j-3hrr-2hvm",
+  "modified": "2026-03-17T06:31:32Z",
+  "published": "2026-03-17T06:31:32Z",
+  "aliases": [
+    "CVE-2026-4308"
+  ],
+  "details": "A weakness has been identified in frdel/agent0ai agent-zero 0.9.7. This affects the function handle_pdf_document of the file python/helpers/document_query.py. This manipulation causes server-side request forgery. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4308"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/YLChen-007/c99c44aa019266a72636757308d43989#poc"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.351338"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.351338"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.773950"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-918"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T04:16:24Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-fcq3-632g-qpmv/GHSA-fcq3-632g-qpmv.json b/advisories/unreviewed/2026/03/GHSA-fcq3-632g-qpmv/GHSA-fcq3-632g-qpmv.json
@@ -0,0 +1,52 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-fcq3-632g-qpmv",
+  "modified": "2026-03-17T06:31:32Z",
+  "published": "2026-03-17T06:31:32Z",
+  "aliases": [
+    "CVE-2026-4307"
+  ],
+  "details": "A security flaw has been discovered in frdel/agent0ai agent-zero 0.9.7-10. The impacted element is the function get_abs_path of the file python/helpers/files.py. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-4307"
+    },
+    {
+      "type": "WEB",
+      "url": "https://gist.github.com/YLChen-007/1819c843ad26aaaaecdc768a789df022"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?ctiid.351337"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?id.351337"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/?submit.771967"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-22"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T04:16:22Z"
+  }
+}
diff --git a/advisories/unreviewed/2026/03/GHSA-gxf2-jfmj-j5cj/GHSA-gxf2-jfmj-j5cj.json b/advisories/unreviewed/2026/03/GHSA-gxf2-jfmj-j5cj/GHSA-gxf2-jfmj-j5cj.json
@@ -0,0 +1,44 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-gxf2-jfmj-j5cj",
+  "modified": "2026-03-17T06:31:32Z",
+  "published": "2026-03-17T06:31:32Z",
+  "aliases": [
+    "CVE-2026-0708"
+  ],
+  "details": "A flaw was found in libucl. A remote attacker could exploit this by providing a specially crafted Universal Configuration Language (UCL) input that contains a key with an embedded null byte. This can cause a segmentation fault (SEGV fault) in the `ucl_object_emit` function when parsing and emitting the object, leading to a Denial of Service (DoS) for the affected system.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:H"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-0708"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/vstakhov/libucl/issues/323"
+    },
+    {
+      "type": "WEB",
+      "url": "https://access.redhat.com/security/cve/CVE-2026-0708"
+    },
+    {
+      "type": "WEB",
+      "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2427770"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-125"
+    ],
+    "severity": "HIGH",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-03-17T04:16:07Z"
+  }
+}
