Publish Advisories

GHSA-258c-cqq8-pmrp
GHSA-3rvw-93mm-hp67
GHSA-52q6-xhg6-rw2j
GHSA-7vvh-gmhq-282v
GHSA-mmmv-gm94-x5x3
GHSA-q8w5-c2m8-wxrx
GHSA-r7p7-x56g-w5cp
GHSA-32vv-mwc8-ch6p
GHSA-cc3v-3rj7-x9cm

Author: advisory-database[bot]

advisories/unreviewed/2026/03/GHSA-258c-cqq8-pmrp/GHSA-258c-cqq8-pmrp.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-258c-cqq8-pmrp",
-  "modified": "2026-03-16T15:30:41Z",
+  "modified": "2026-04-07T03:30:24Z",
   "published": "2026-03-16T15:30:41Z",
   "aliases": [
     "CVE-2025-15554"
   ],
   "details": "Browser caching of LAPS passwords in Truesec’s LAPSWebUI before version 2.4 allows an attacker with access to a workstation to escalate their privileges via disclosure of local admin passwords.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:L/UI:P/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/03/GHSA-3rvw-93mm-hp67/GHSA-3rvw-93mm-hp67.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-3rvw-93mm-hp67",
-  "modified": "2026-03-16T15:30:42Z",
+  "modified": "2026-04-07T03:30:24Z",
   "published": "2026-03-16T15:30:42Z",
   "aliases": [
     "CVE-2026-21001"
   ],
   "details": "Path traversal in Galaxy Store prior to version 4.6.03.8 allows local attacker to create file with Galaxy Store privilege.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
@@ -25,7 +29,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-22"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2026/03/GHSA-52q6-xhg6-rw2j/GHSA-52q6-xhg6-rw2j.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-52q6-xhg6-rw2j",
-  "modified": "2026-03-16T15:30:42Z",
+  "modified": "2026-04-07T03:30:24Z",
   "published": "2026-03-16T15:30:42Z",
   "aliases": [
     "CVE-2026-21002"
   ],
   "details": "Improper verification of cryptographic signature in Galaxy Store prior to version 4.6.03.8 allows local attacker to install arbitrary application.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
@@ -25,7 +29,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-347"
+    ],
     "severity": "MODERATE",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2026/03/GHSA-7vvh-gmhq-282v/GHSA-7vvh-gmhq-282v.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-7vvh-gmhq-282v",
-  "modified": "2026-03-16T15:30:44Z",
+  "modified": "2026-04-07T03:30:24Z",
   "published": "2026-03-16T15:30:44Z",
   "aliases": [
     "CVE-2026-3227"
   ],
   "details": "A command injection vulnerability was identified in TP-Link TL-WR802N v4, TL-WR841N v14, and TL-WR840N v6 due to improper neutralization of special elements used in an OS command.  In the router configuration import function allows an authenticated attacker to upload a crafted configuration file that results in execution of OS commands with root privileges during port-trigger processing.  \nSuccessful exploitation allows an authenticated attacker to execute system commands with root privileges, leading to full device compromise.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:A/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/03/GHSA-mmmv-gm94-x5x3/GHSA-mmmv-gm94-x5x3.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-mmmv-gm94-x5x3",
-  "modified": "2026-03-16T15:30:42Z",
+  "modified": "2026-04-07T03:30:24Z",
   "published": "2026-03-16T15:30:42Z",
   "aliases": [
     "CVE-2026-20993"
   ],
   "details": "Improper export of android application components in Samsung Assistant prior to version 9.3.10.7 allows local attacker to access saved information.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/03/GHSA-q8w5-c2m8-wxrx/GHSA-q8w5-c2m8-wxrx.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-q8w5-c2m8-wxrx",
-  "modified": "2026-03-17T09:31:28Z",
+  "modified": "2026-04-07T03:30:24Z",
   "published": "2026-03-17T09:31:28Z",
   "aliases": [
     "CVE-2026-3237"
   ],
   "details": "In affected versions of Octopus Server it was possible for a low privileged user to manipulate an API request to change the signing key expiration and revocation time frames via an API endpoint that had incorrect permission validation. It was not possible to expose the signing keys using this vulnerability.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"

advisories/unreviewed/2026/03/GHSA-r7p7-x56g-w5cp/GHSA-r7p7-x56g-w5cp.json

@@ -1,13 +1,17 @@
 {
   "schema_version": "1.4.0",
   "id": "GHSA-r7p7-x56g-w5cp",
-  "modified": "2026-03-16T15:30:42Z",
+  "modified": "2026-04-07T03:30:24Z",
   "published": "2026-03-16T15:30:42Z",
   "aliases": [
     "CVE-2026-21000"
   ],
   "details": "Improper access control in Galaxy Store prior to version 4.6.03.8 allows local attacker to create file with Galaxy Store privilege.",
   "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"
+    },
     {
       "type": "CVSS_V4",
       "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:L/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
@@ -25,7 +29,9 @@
     }
   ],
   "database_specific": {
-    "cwe_ids": [],
+    "cwe_ids": [
+      "CWE-22"
+    ],
     "severity": "HIGH",
     "github_reviewed": false,
     "github_reviewed_at": null,

advisories/unreviewed/2026/04/GHSA-32vv-mwc8-ch6p/GHSA-32vv-mwc8-ch6p.json

@@ -0,0 +1,36 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-32vv-mwc8-ch6p",
+  "modified": "2026-04-07T03:30:24Z",
+  "published": "2026-04-07T03:30:24Z",
+  "aliases": [
+    "CVE-2025-13044"
+  ],
+  "details": "IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-13044"
+    },
+    {
+      "type": "WEB",
+      "url": "https://www.ibm.com/support/pages/node/7268620"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-340"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T02:16:15Z"
+  }
+}

advisories/unreviewed/2026/04/GHSA-cc3v-3rj7-x9cm/GHSA-cc3v-3rj7-x9cm.json

@@ -0,0 +1,56 @@
+{
+  "schema_version": "1.4.0",
+  "id": "GHSA-cc3v-3rj7-x9cm",
+  "modified": "2026-04-07T03:30:24Z",
+  "published": "2026-04-07T03:30:24Z",
+  "aliases": [
+    "CVE-2026-5719"
+  ],
+  "details": "A flaw has been found in itsourcecode Construction Management System 1.0. This affects an unknown function of the file /borrowedtool.php. Executing a manipulation of the argument code can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used.",
+  "severity": [
+    {
+      "type": "CVSS_V3",
+      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L"
+    },
+    {
+      "type": "CVSS_V4",
+      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X"
+    }
+  ],
+  "affected": [],
+  "references": [
+    {
+      "type": "ADVISORY",
+      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-5719"
+    },
+    {
+      "type": "WEB",
+      "url": "https://github.com/ltranquility/submit/issues/7"
+    },
+    {
+      "type": "WEB",
+      "url": "https://itsourcecode.com"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/submit/792968"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355661"
+    },
+    {
+      "type": "WEB",
+      "url": "https://vuldb.com/vuln/355661/cti"
+    }
+  ],
+  "database_specific": {
+    "cwe_ids": [
+      "CWE-74"
+    ],
+    "severity": "MODERATE",
+    "github_reviewed": false,
+    "github_reviewed_at": null,
+    "nvd_published_at": "2026-04-07T03:16:08Z"
+  }
+}